I. Purpose
This policy is established to protect the public's rights. Through it, Shei-Pa National Park Headquarters aims to strengthen information security management, ensure the security of its data, systems, facilities, and networks, and build a safe and trustworthy electronic government.
- This policy is established and reviewed by the highest administrative level of the Headquarters.
- This policy is implemented by the information security manager through appropriate standards, procedures, and control measures.
- All Headquarters staff, contractors, and third parties must comply with the standards, procedures, and control measures set out under this policy.
- Any activity that intentionally endangers the Headquarters' information security will be subject to necessary legal action.
III. To coordinate and drive information security management across the organization, a cross-sectoral information security improvement team is established. The Information Section is in charge of the team's work.
IV. Responsibilities are assigned to sections and personnel according to the following division of duties:
- The Information Section is responsible for researching, establishing, and evaluating information security policies, plans, and technical regulations.
- Business sections are responsible for identifying, managing, and protecting the security requirements of their information and information systems.
- The Civil Service Ethics Section, together with the related sections, is responsible for protecting confidential information and for information security audits.
V. The scope of this policy covers the following areas. For each area, the responsible sections and personnel shall draw up management regulations or implementation plans and regularly evaluate their effectiveness.
- Personnel management and information security education and training
- Computer system security management
- Network security management
- System access control
- Application system development and maintenance security management
- Information asset security management
- Physical and environmental security management
- Business continuity planning and management
VI. Personnel management and information security education and training
- Security assessments shall be carried out for information-related positions. When hiring personnel or assigning them duties, their suitability shall be carefully evaluated.
- Information security education, training, and awareness activities shall be held regularly for management, business, and information personnel, in order to build employees' security awareness and raise the overall level of information security.
VII. Computer system security management
- When information operations are outsourced, information security requirements shall be specified in advance, and the contractor's information security responsibilities and non-disclosure obligations shall be set out in the contract, which shall require the contractor to comply with them and to accept regular audits.
- Software shall be copied and used only in accordance with the applicable regulations or license contracts, and a software usage management system shall be established.
- To ensure that systems function normally, preventive and protective measures shall be adopted in advance to detect and block computer viruses and other malicious software.
- When procuring software and hardware, information security requirements shall be specified and procurement standards listed on the basis of national standards or the government information security regulations issued by the responsible authority.
VIII. Network security management
- Information systems connected to external networks shall, according to the importance and value of their data and systems, adopt security techniques and measures of the appropriate level, such as data encryption, identity authentication, electronic signatures, firewalls, and vulnerability scanning, to prevent data and systems from being intruded upon, damaged, altered, deleted, or downloaded without authorization.
- Network addresses open to connections from outside shall control the transmission of and access to information between the external and internal networks by means of necessary security measures such as firewalls.
- Information published or transmitted over the Internet and the World Wide Web shall be handled according to its information security classification. Classified, sensitive, and personal privacy information and documents must not be published online without authorization.
- E-mail usage regulations shall be drawn up stipulating that classified information and documents must not be transmitted by e-mail or other electronic means.
IX. System access control
- A system access control policy and authorization regulations shall be established, and employees and users shall be informed of their access rights and responsibilities.
- Employees who leave their posts or take leave shall immediately have all of their access rights to every kind of information resource revoked; this step shall be included in the required departure and leave procedures. Employees whose posts are changed shall be granted their new access rights within a set period of time.
- A registration control system for system users shall be established, and the management of user passwords strengthened; the password change interval shall not exceed six months.
- Security controls over maintenance personnel from system service companies who log on to the systems shall be strengthened: a list of their names shall be maintained, and they shall be bound by the relevant non-disclosure obligations.
- An information security audit system shall be established under which regular and ad hoc audits are conducted.
X. Application system development and maintenance security management
- Information security shall be taken into consideration from the initial stage of a system, whether it is developed in-house or outsourced to a system company. System maintenance, updates, deployment to production, and version changes shall be specially controlled and protected to prevent malicious software, backdoors (trapdoors), and computer viruses from damaging the system.
- System company personnel who build and maintain software and hardware systems shall be restricted to a defined range of systems and information that they may access. In particular, issuing them long-term system accounts and passwords is prohibited. Where practically necessary, short-term, temporary system accounts and passwords may be issued to the system company, but they shall be revoked as soon as the work is finished.
- When a system company is commissioned to build and maintain important software and hardware facilities, the relevant Headquarters personnel shall supervise the entire process.
XI. Information asset security management
- An inventory of the information assets related to the information systems shall be established, specifying each asset item, its owner, and its security classification level.
- Information security classification standards and the corresponding protection measures shall be established on the basis of relevant laws such as the national secrets protection law, the computer personal data protection law, and the government information openness law.
- Output from classified information and systems shall be marked with its proper security classification level so that users can handle it accordingly.
XII. Physical and environmental security management
- Physical and environmental security management measures shall be stipulated, covering facility installation, the surrounding environment, and personnel access control.
XIII. Business continuity planning and management
- A business continuity plan shall be drawn up that assesses all kinds of man-made and natural disasters. Emergency response and recovery procedures and the authority of the personnel involved shall be clearly defined, regularly rehearsed, and revised promptly when needed.
- An information security incident response mechanism shall be established. When an information security incident occurs, it shall, in accordance with the prescribed procedures, be reported immediately to the Information Section or the responsible personnel, response measures shall be taken, and law enforcement agencies shall be contacted to assist with the investigation.
- Information security levels shall be defined and differentiated in accordance with the relevant regulations, and appropriate and sufficient information security measures adopted for each level.
XIV. Information security audit
- Regular and ad hoc audits of internal and external information security shall be conducted.
- Audit categories and content shall be defined on the basis of the Headquarters' business characteristics, and the related audit plans or operating procedures established.