Information Security Policy
I. Purpose
In order to maintain a secure and reliable information operation environment of this department, sustain continuous business operations, reduce risks in information operations, safeguard the rights and interests of users of information services, establish an Information Security Management System (ISMS), and comply with information security management standards and relevant regulations, this policy is hereby formulated as the highest guiding principle to achieve information security management objectives.
II. Scope
The scope of information security management of this department includes all personnel related to information operations, management systems, application programs, data, documents, media storage, hardware equipment, and network facilities of all units under this department.
III. Operational Guidelines
(1) Information Security Policy Statement
1. Ensure personal privacy rights.
2. Ensure the proper operation of internal management systems and related application systems.
3. Ensure that data processing meets the needs of business units and that system controls are comprehensive.
4. Ensure the security of the department’s computer hosts, websites, and networks.
5. Prevent the department’s operations from being affected by information security incidents and ensure operational continuity.
(2) Information Security Objectives
Protect the confidentiality, integrity, and availability of the department’s information and related assets. The objectives are as follows:
1. Confidentiality: Ensure that only authorized persons can access information.
2. Integrity: Ensure that the content and processing methods of information are correct and consistent.
3. Availability: Ensure that authorized users can obtain information and use equipment when needed.
(3) Information Security Performance Indicators and Measurement
1. Confidentiality, integrity, and availability shall be used as the basis to achieve relevant performance indicators.
2. Quantitative indicators and measurement criteria for security performance shall be reviewed and revised by the Information Management Committee in accordance with annual administrative objectives.
(4) Employee Responsibilities
1. Employees shall comply with laws, regulations, and all information security policies within the department.
2. Employees are obligated to participate in various information security awareness and education programs organized by this department.
3. When employees discover information security incidents, they shall report them promptly and assist in handling such incidents.
(5) Understanding the Needs and Expectations of Interested Parties
1. Interested parties of the Information Security Management System
2. Information security requirements related to the above-mentioned interested parties
(6) Determining the Scope of the Information Security Management System
1. The information security management review meeting shall determine the scope of the Information Security Management System, including its operational boundaries and limitations.
2. When determining the scope of the Information Security Management System, the following shall be considered:
(1). Identification of internal and external issues affecting the information security system.
(2). Understanding the requirements arising from the needs and expectations of interested parties.
(3). Operational activities within the organization and operational activities provided by other organizations.
(7) Review and Evaluation
1. This policy shall be reviewed at least once per year.
2. This policy shall be revised as necessary in accordance with the department’s information security needs and changes in the external environment.
3. This policy shall be implemented upon approval and announcement, and the same shall apply to any revisions.