
Information Security Policy

I. PURPOSE

The (referred to as "this" hereunder) specially stipulates this Guideline to maintain overall information security, strengthen security management for all its information assets, and ensure their confidentiality, integrity, availability, authentication, and non-repudiation, in response to the needs of business operations for proper support of to exercise their authority of office according to law.


  • Confidentiality ensures only those people who have been authorized can have access to information assets.

  • Integrity ensures the accuracy and completeness of information assets and of the methods used to process them.

  • Availability ensures that authorized users may use information assets when they need them.

  • Authentication ensures that an entity on the Internet is who it claims to be, or that information received via the Internet was actually sent by the claimed sender.

  • Non-repudiation means that a sender cannot deny having sent the information it agreed to send, or having completed a transaction.


II. DEFINITION

The term "information security" referred to in this Policy is defined as protecting information assets against all kinds of threats, such as improper use, leakage, tampering, theft, destruction, etc., and reducing the level of damage that might otherwise affect and endanger this Council's business operations.

The information assets referred to in this Guideline are the information collected, produced and used by this Council, as well as the related equipment necessary for carrying out the above work.



III. SCOPE OF APPLICATION

This policy applies to all information assets of this Council and their information users.


  • "Information users" include legislators, assistants, staff, contract employees, technical workers, maintenance workers, establishment and maintenance service providers, and other people who have been authorized to access information assets.


IV. LAW REFERENCE SOURCES

This Guideline and all collateral regulations formulated based upon it (referred to as the "information security management system" hereunder) were formulated by making reference to the Computer-Processed Personal Data Protection Law, the Copyright Law, the National Secrets Protection Law, the Electronic Signature Act, as well as other related standards. Information users shall observe them adequately. In case of violation, proceedings shall be undertaken according to related laws and decrees.


  • In addition to the laws and decrees mentioned in Article IV, the following are important reference standards for this Council's information security management system.

    1. Information security standards of the International Organization for Standardization (ISO17799:2000; Information Technique—the Code Of Practice For Information Security Management)

    2. Information security standards of the Bureau of Standards, Metrology and Inspection, Ministry of Economic Affairs (MOEA). (CNS17800; Information Technique - Information Security Management Systems).

    3. Information security standards of the British Standards (BSI) (BS7799:2002; Information Security Management)

  • All collateral regulations stipulated in accordance with this Guideline are as follows: certificate policy, information security organization operating principles, information security document management, information assets categorization and classification, Internet security management, host security management, information application system security management, general information equipment management, PKI information security management, computer room management, information security reporting management, information security audit, information access control, office area management, outsourcing management, information security risk assessment and management, etc.


V. ORGANIZATION

To materialize information security management, this Council shall set up an interagency Information and Communication Security Taskforce (ICST) in charge of review and approval of this Guideline and of matters related to advancing information security management systems. The ICST consists of the Information Security Audit Team (ISAT) and the Information Security Team (IST) of the Department of Information Management, both teams separately in charge of consolidating information security audit and planning of all kinds of operating principles.


  • The following organization shall be set up in order to advance information security management systems.

  • The ICST is staffed with a Convener, whose post is held concurrently by the Secretary General, and a Secretary, whose post is held concurrently by the Director of the Department of Information Management.

  • Staff members for the ISAT are appointed by the Convener.

  • Staff members for the IST are appointed by the Secretary.

  • Operating principles for the information security organization shall specify the following:

    1. Information security organization layout, responsibility, and modus operandi.

    2. Frequency and agenda of information and communication security meetings and IST meetings.

    3. Qualifications and educational training of information security organization personnel.


VI. INFORMATION ASSET SECURITY

To safeguard this Council's information assets, an information asset inventory shall be created for categorizations and classifications, and corresponding control measures shall be formulated.


  • This Council's information assets are divided into information assets (e.g., archives, system documents, databases), physical assets (e.g., computer hardware, communication equipment), software assets (e.g., applications, system software), and service assets (e.g., power supply and air conditioning).

  • The information asset inventory shall identify information asset category, owner, user, and confidentiality level.

  • Operating principles for categorization and classification of information assets shall specify the following:

    1. Information asset categorization principles.

    2. Information asset classification principles.

    3. Information asset control measures.


VII. PERSONNEL AND SECURITY

To diminish the influence of internal human factors upon this Council's information security, all units shall carry out a division of labor and rotation measures by taking into account manpower and responsibility.

This Council shall implement information security education and training and awareness promotion as needed in order to increase personnel's understanding of information security.


  • "All units" include research rooms and service offices of all legislators and offices of all caucuses.


VIII. OUTSOURCING MANAGEMENT

To enhance outsourcing security, this Council shall demand contractors sign a confidentiality agreement and manage limits of authority for project personnel and dispatched personnel regarding access to all information assets.


  • Operating principles for outsourcing management shall specify the following:

    1. Regulations for confidentiality agreements.

    2. Outsourcing performance appraisal.

    3. Management of personnel dispatched by service providers.

    4. Regulations for outsourcing personnel access.


IX. RISK MANAGEMENT

To effectively tackle threats, vulnerabilities and impacts that confront various information assets of this Council, this Council shall conduct risk assessment and carry out necessary risk management.


  • Threats refer to external security impacts posed to information assets, such as fires, floods, and hacker attacks.

  • Vulnerabilities refer to weaknesses arising from inadequate security controls, such as human negligence and network loopholes.

  • Risk assessment refers to the process of assessing the threats and vulnerabilities of all information assets in order to produce a risk value and confirm that their controls are adequate.

  • Risk management means identifying and controlling, at an acceptable cost, the factors that may affect information security in order to reduce their impact.

  • Operating principles for risk assessment and management shall specify the following:

    1. Information security risk assessment procedure.

    2. Information security risk management procedure.

    3. Information security risk assessment timing.


X. PHYSICAL SECURITY

A security management regulation shall be put in place to ensure the continuous operations of the computer room and the security of the operating area of information assets.


  • Operating principles for management of the computer room shall specify the following:

    1. Routine inspections on equipment in the computer room.

    2. Guidelines for use and management of information equipment and information media in the computer room.

    3. Access control.

  • Operating principles for management of the office area shall specify the following:

    1. Desk clearance management.

    2. Screen saver settings.

    3. Fax (machine) data management guidelines.

    4. Equipment security management.

  • Operating principles for management of general information equipment shall specify the following:

    1. Personal computer (PC) management.

    2. PC disposal.