Fiscal Information Audit and Information Security Management

Developmental history

1. The “Electronic Operations Audit Team” was established in the Fiscal Information Agency (FIA), Ministry of Finance (MOF), on April 19, 1983.

The team's mandate was to establish the MOF's "Electronic Operation Audit System" and to draw up the "Electronic Operation Disaster Recovery Plan Inspection Requirements" used to carry out inspections, so that highly sensitive information systems are strictly controlled to prevent data leaks and computer crime.

2. In 1987, the "Planning Department" of the MOF was set up temporarily to handle information operations, and continued to plan and build the "Information Audit" system of the MOF and its affiliated agencies (institutions).

3. In 1989, the "Planning and Auditing Team" was established in the FIA of the MOF to handle planning and information auditing business and to promote internal information auditing within the subordinate agencies. The FIA is responsible for managing the information auditing business of the Ministry of Finance.

4. In June 2002, the "Planning and Auditing Working Team" of the FIA of the MOF was restructured into an "Auditing Team," which was expanded into an "Information Security Control Team" in March 2003. The team's purpose was to handle and promote internal and external information auditing business and to strengthen the information security management of the subordinate agencies.

5. In July 2011, in line with an internal business adjustment of the FIA, the "Information Security Control Team" was transferred to "The Fifth Group, Section 5" to continue handling information auditing business.

6. In January 2013, in conjunction with the organizational reorganization of the Executive Yuan, the Information Security Management Section was established in the Comprehensive Planning Division of the FIA of the MOF, to continue promoting information and communication security management, information auditing, and personal information management across the subordinate agencies.

7. In October 2016, the Computer Emergency Response Team of the MOF (MOFCERT) was established. The team is composed of personnel from the Fiscal Information Agency, the Customs Administration, the National Property Administration, the Bank of Taiwan, and other bodies, and assists the Ministry of Finance and its subordinate agencies (institutions) with cyber security health diagnoses of their information systems, enhancing their own cyber security capabilities.

8. In 2023, the FIA carried out its first red team assessment and plans to repeat it every two years. The assessment results are used to identify potential intrusion paths and lateral movement techniques an attacker could use. This comprehensive review aims to identify risks that may exist in the MOF tax systems and to prevent the compromise of a single system from being used as a foothold for attacks on other systems.


Performance and results

1. Information Security Management System (ISMS) Certification

(1) In November 2006, the FIA of the MOF built an ISMS whose scope covered the comprehensive income tax investigation management system and its related national tax platform, internal network, etc., and was awarded ISO 27001:2005 certification.

(2) In November 2009, the ISMS recertification, which is carried out once every three years, was renewed by the British Standards Institution (BSI) with "zero defects."

(3) In September 2012, the ISMS recertification, which is carried out once every three years, was renewed by the British Standards Institution (BSI) with "zero defects."

(4) In March 2013, the scope of ISMS verification was expanded to the Fiscal Information Agency and the five national taxation bureaus of the MOF. In April of the same year, it obtained the six-in-one (the FIA and the five national taxation bureaus) ISO 27001:2005 certification.

(5) In April 2015, the personal data management system of the FIA, MOF, was certified by the British Standards Institution (BSI) and awarded BS 10012:2009 certification.

(6) In line with the revision of the ISO 27001 verification standard, the MOF obtained the ISO 27001:2013 certificate in September 2015 (covering the FIA and the five national taxation bureaus).

(7) In September 2017, the FIA expanded the scope of ISMS verification to the whole organization.

(8) In September 2018, the ISMS recertification, which is carried out once every three years, was renewed by the British Standards Institution (BSI) and a new ISO 27001:2013 certificate was obtained.

(9) In September 2021, the ISMS recertification, which is carried out once every three years, was conducted, and the scope of ISMS verification was expanded to the systems of the MOF that are managed by the FIA Support Service Office. It was approved by the British Standards Institution (BSI) and a new ISO 27001:2013 certificate was obtained.

(10) In April 2022, in compliance with the Cyber Security Management Act, the ISMS of the FIA completed third-party verification by an impartial organization and continues to maintain the validity of its ISO 27001:2013 certification.

2. Conduct external audits

(1) External audits of the information security of subordinate agencies are performed periodically, and this work was evaluated by the National Information and Communication Security Task Force of the Executive Yuan on July 31, 2006 as having "remarkable results."

(2) In 2007, the information and communication security auditors of the MOF, together with the National Information and Communication Security Task Force of the Executive Yuan, conducted the annual information and communication audit of the Taipei Disbursement Office, the National Taxation Bureau of the Northern Area, and Kaohsiung Customs, MOF. All agencies had implemented their information security audit business thoroughly, and the assessment result was "very comprehensive."

(3) In 2008, together with the Audit Service Team of the National Information and Communication Security Task Force of the Executive Yuan, the annual information and communication audit was conducted of the National Taxation Bureau of the Central Area, the Local Tax Bureau of Taichung City Government, and Taichung Customs, MOF. All agencies had implemented their information security audit business thoroughly, and the assessment result was "very comprehensive."

(4) In 2009, in conjunction with the Audit Service Team of the National Information and Communication Security Task Force of the Executive Yuan, the annual information and communication business audit was carried out. All agencies had implemented their information security audit business thoroughly, and the Customs Administration, the Taxation Administration (Central Region Office) of the MOF, the Bank of Taiwan, and the Taiwan Tobacco and Liquor Corporation were assessed as "very comprehensive."

(5) In 2010, together with the Audit Service Team of the National Information and Communication Security Task Force of the Executive Yuan, the annual information and communication audit was conducted of three agencies affiliated to the Ministry of Finance. All agencies had implemented their information security audit business thoroughly; Keelung Customs and Taipei Customs were assessed as "very comprehensive," and the Export-Import Bank of the Republic of China as "somewhat comprehensive."

(6) In 2011, in conjunction with the Audit Service Team of the National Information and Communication Security Task Force of the Executive Yuan, the annual information and communication audit was conducted of three agencies affiliated to the Ministry of Finance. All agencies had implemented their information security audit business thoroughly; the Financial Data Center was assessed as "very comprehensive," and the National Treasury Administration and the National Property Administration as "somewhat comprehensive."

(7) The "Information Security Audit Team of the MOF" was formed in 2014 to conduct on-site audits of the information and communication security of the agencies (institutions) affiliated to the MOF. The team reviews the information security business of the audited agencies (institutions) through audit procedures and assists them in implementing and strengthening the integrity and effectiveness of their information security protection.

(8) Since 2022, the FIA has conducted an annual audit of suppliers participating in core information and communication systems. Suppliers participating in non-core information and communication systems are audited at least once every three years.

3. Perform the email social engineering drills of the MOF

Email social engineering drills of the MOF and its affiliated agencies (institutions) are conducted annually to improve employees' security awareness, strengthen their ability to recognize and resist email-based social engineering, and expose deficiencies so that overall information security protection can be improved.

4. Computer Emergency Response Team of MOF (MOFCERT)

(1) The team conducts penetration tests of the external websites of the MOF and its affiliated agencies every year, and cooperates with the information security audits of the Executive Yuan or the Ministry of Finance to conduct information security health diagnoses of the inspected agencies (institutions).

(2) On December 14, 2018, the team won the runner-up honor in the “2018 HITCON Defense.”

(3) On December 27, 2019, the team was awarded the "Distinguished Achievement Award for Cyber Forensics Development (Organizations)" by the Association of Cyber Forensics Development in Taiwan.

5. Conduct information and communication security education and training

Since 2008, the "Information Security Advocacy and Seminar for Senior Executives of the MOF" has been held annually to publicize government information and communication security policies and information security incidents, to discuss information security-related legal cases, and to analyze information security development trends and solutions.