Our policy is in accordance with the "Executive Yuan and Subordinate Organs Information Security Management Guidelines", the "Executive Yuan and Subordinate Organs Information Security Management Standards" and the relevant "Information Security Policy", and was developed in consideration of the Headquarters' business needs.
These policies are specially established for the Yangmingshan National Park Headquarters (hereafter referred to as the Headquarters) to enhance information security management; to ensure the confidentiality and integrity of information, the reliability of information equipment (including computer hardware, software and other peripheral equipment) and the network system, and proper information security awareness among personnel; and to ensure that the aforementioned resources are free from interference, destruction, invasion or any other adverse actions.
An inter-unit information security promotion organization (hereinafter referred to as "our organization") was established to centralize the coordination, planning, auditing and promotion of the information management system; staff operations are managed by the Headquarters' Information Department.
Powers and responsibilities of relevant personnel are delegated according to the following principles: The Headquarters' Information Department is responsible for the deliberation, implementation, evaluation and other matters regarding information security policies, planning and technical specifications.
The scope of our policy is as follows: All personnel in relevant units should set management standards, implement plans and conduct periodic evaluations of their effectiveness according to the following regulations: planning and management of education and training of personnel management and information security, computer systems security management, network security management, system access control, system development and maintenance of security management, information assets security management, planning and management of physical and environmental security management, business continuity operation plan.
Personnel management and information security education and training: To handle information security education, training, and advocacy, establish employee information security awareness, and improve information security standards based on the various needs of the management, business and information sectors.
Computer systems security management: The procurement of IT software and hardware is done following national standards or standards determined by the competent authorities according to proposed information security requirements and included in procurement specifications.
Network security management:
Determination of email usage regulations; all confidential information and documents may not be transmitted via email or other electronic means.
To prevent network users from accidentally violating the Headquarters' relevant safety regulations, network management personnel will consider using relevant network technology to actively control the actions of violators without interfering with normal network usage.
System access control: To establish an information security audit system and conduct audits at regular and irregular intervals.
System development and maintenance of security management:
Whether a system is developed in-house or its development is outsourced, information security requirements must be taken into account.
Limiting the contact of outside software and hardware installation and maintenance personnel with the system and the range of data they come into contact with.
Must have staff supervise all activities of commissioned staff when installing and maintaining software and hardware.
Information assets security management: Create a catalogue of related information systems assets, determine the catalogue items, owners, level of security, etc. Establish classification criteria for information security levels according to relevant laws and regulations for the protection of national secrets, personal computer information and disclosure of government information.
Planning and management of physical and environmental security management: Set up physical and environmental security management measures including the placement of equipment, environment control, personnel access control, etc.
Business continuity operations plan: Set down a sustainable operation plan, assess the impact of a variety of man-made and natural disasters on business operations, set up emergency response and recovery operating procedures and the powers and responsibilities of related personnel, conduct drills regularly and adjust the plan accordingly.
This policy should be assessed at least once annually to reflect the latest government policy and developments in technology and business, to ensure the effectiveness of the information security operations.
This information security policy is implemented after it is approved by the Director; the same process applies to revisions.