Information security policy
1. Preface
With the popularization of computer information technology, much important data is stored in computers or transmitted over computer communication networks. Given this reliance on computers and the internet, a lack of comprehensive information security measures can lead to the theft or manipulation of data stored in information systems or of transmitted messages, resulting in significant and irreversible losses. To reduce information security risks and maintain a vigilant and comprehensive information system, the Central Taiwan Science Park Bureau of the National Science and Technology Council (hereinafter referred to as the Bureau) aims to improve the overall quality of information services, including ensuring the security of data, information systems, equipment, and networks. The Bureau also collaborates with the Executive Yuan in urging all agencies to strengthen information security management and establish a secure and reliable electronic government, thereby safeguarding the rights and interests of the people.
2. Purpose
The Bureau has formulated this policy to enhance information security management, establish a secure and reliable electronic government, ensure the security of data, information systems, equipment, and networks, and safeguard the rights and interests of the public.
3. Scope
- The scope of implementing the information security management system is determined by the information security issues derived from each business process within the Bureau.
- This policy applies to formal and contract employees, including technicians, workers, and outsourced vendor personnel, within the Bureau, as well as relevant agencies and manufacturers involved in business activities with the Bureau. It also applies to manufacturers and third-party personnel who provide services to the Bureau.
4. Competent Authorities
In order to coordinate and promote information security management and address other related issues, the Bureau should establish a dedicated team to handle information and personal information security. This team will be responsible for handling information security and crisis response matters. The staff work will be performed by personnel stationed in the Information Department.
- Deliberation, establishment, assessment, and education and training concerning the Bureau's common information security policies, guidelines, plans, and technical specifications are managed by the information and personal information security processing team.
- The deliberation, management, and protection of security requirements for data and information technology systems within the Bureau are handled by the business units and the personal information security processing team.
- Information confidentiality protection matters will be handled by the ethics unit in conjunction with the information communications and personal information security processing team and related units.
- The Bureau conducts regular or irregular information security audits, which are managed by the information security audit team. When necessary, the Bureau may invite ethics units to send personnel to supervise.
5. Definition
- Information Security
To ensure the confidentiality, integrity, and availability of information, as well as identification, accountability, non-repudiation, and reliability, in order to protect the rights and interests of the public and enhance their confidence in information services.
- Asset
Anything valuable to the organization, such as information, people, software, hardware, services, buildings, and protective facilities.
6. Regulations
The Bureau's information security management policy aims to safeguard the confidentiality, integrity, and availability of information assets, ensuring the provision of secure, stable, and efficient information services overall.
- Policy Statement
The Bureau's information security statement reads: "Confidential information will not be leaked, information security incidents will be rare, and services will not be interrupted."
- Objective
- Ensure the physical and environmental security of the Bureau's computer room to minimize the impact of service interruptions caused by information security incidents.
- Ensure the security of the network equipment in the Bureau's computer room to minimize the impact of service interruptions caused by information security incidents.
- Ensure the security of critical network services in the Bureau's computer room and minimize the impact of service interruptions or unauthorized disclosure of sensitive data caused by accidents and errors.
- Ensure the continuous availability and security of the "Bureau Central Computing System," preventing incidents such as unauthorized disclosure or malicious sabotage of sensitive information or personal data.
- Security Indicator Collection Methods
Establish a mechanism within the information security management system to collect security indicators in order to ensure the effectiveness of implementation.
- Submit a Summary of Information Security Incidents
Submit an annual summary of information security incidents to the Information Security Committee in order to report on the implementation status of the information security management system.
- The scope of information security management is listed as follows:
- Formulation and evaluation of information security policies.
- Information Security Organization and Rights and Responsibilities.
- Personnel management and information security education training.
- Security Management of Computer Systems.
- Network Security Management.
- System Access Control Management.
- System development and security management maintenance.
- Information Asset Security Management.
- Physical and Environmental Safety Management.
- Business continuity plan management.
- Other cooperation matters.
- The Bureau's information security organization is structured into task groups that are responsible for managing information security operations. The scope covered by this organization refers to the extent of verification. Within the information security organization, the Information Security Committee serves as the highest decision-making body. The Information Security Audit Team is responsible for auditing the operation of information security management. The Information and Personal Data Security Processing Team plays a crucial role as an intermediary in facilitating various information security management tasks and implementing decisions made at the managerial level. It is responsible for day-to-day information security management tasks.
- The Bureau has established the "Information and Personal Information Security Committee and Management Review Meeting," which comprises the deputy director and the heads of each division and office, and is responsible for coordinating and promoting matters related to information security management. The "Information and Personal Information Security Committee and Management Review Meeting" also appoints personnel (including section chiefs and technicians) from each division and office to form an "Information and Personal Information Security Processing Team," which coordinates the discussion of information security policies, plans, measures, and technical specifications. A dedicated "Information and Personal Information Security Audit Team," composed of the ethics and information units, plans the annual internal audit and carries out related audit operations. In addition, a dedicated "Information and Personal Information Security Legal Compliance Team," organized by the Planning Division, plans and executes legal affairs relating to information and personal information security.
- The Information and Personal Information Security Committee and Management Review Meeting shall be conducted at least once a year. The input for the meeting review shall include the following:
- Status of previous regulatory review measures.
- Changes in internal and external issues of the information security management system.
- Information security performance feedback, including the following trends:
- Nonconformities and correction measures.
- Monitoring and measurement results.
- Audit results.
- Completion rate of information security objectives.
- Feedback from stakeholder groups.
- Risk assessment results and risk treatment plan status.
- Opportunities for improvement.
- Opportunities for improving information security management systems.
- Decisions on needed changes.
- Review
- This policy is evaluated annually and may be adjusted as necessary to address the latest developments in laws, technology, and business, in order to ensure the effectiveness of information security practices.
- This policy has been approved by the Information Communications and Personal Information Security Committee and the Management Review Meeting, and will come into effect on the date of announcement. Personnel applicable for this policy will be notified in writing, electronically, or through other means. The same applies when the policy is revised.