Purpose

This policy is established to ensure the confidentiality, integrity, and utility of the information assets of the Yangmingshan National Park Administration Office (hereinafter referred to as “This Office”), in conformity with the legal requirements of the Information Communication Security Management Act and its bylaws, so that internal and external threats to those information assets, whether deliberate or accidental, can be averted.

Scope

  1. This policy shall apply to all personnel of This Office (including contract-based employees, outsourced service providers, volunteers, and student workers), contractors, data users (and keepers), and visitors.
  2. Information communication security management covers 14 areas, to avoid the improper use, divulgence, modification, and sabotage of data caused by human negligence, sabotage, or natural disasters, any of which may expose This Office to different risks.

Objective

This Policy is intended to achieve the following objectives in order to preserve the confidentiality, integrity, and utility of the data of This Office:

  1. Building a secure and reliable information operation environment to assure the security of the data, systems, equipment, and network of This Office.
  2. Protecting the business service security of This Office so that information can be accessed only by authorized personnel, ensuring confidentiality.
  3. Protecting the business services of This Office from unauthorized modification, ensuring their accuracy and integrity.
  4. Planning for business continuity to assure the continued operation of the information services provided by This Office.
  5. Assuring that the business services rendered by This Office comply with the Information Communication Security Protection Act and its bylaws and with the requirements of other applicable legal rules.
  6. Protecting personal information pertinent to the business of This Office from the risks of theft, modification, sabotage, loss, or divulgence caused by external threats or by improper management and use of the information.
  7. Upgrading the capacity to protect and manage personal information, to reduce operational risk and create a reliable environment for the protection of personal information and privacy.

Responsibility

  1. This Office shall establish an information communication security organization to administer the advocacy of information security matters.
  2. The Management shall proactively participate in and support the information communication security system, and shall see to the proper pursuit of this policy through appropriate standards and procedures.
  3. All personnel of This Office (including contract-based employees, outsourced service providers, volunteers, and student workers), contractors, data users (and keepers), and visitors shall duly observe this policy.
  4. All personnel of This Office (including contract-based employees, outsourced service providers, volunteers, and student workers), contractors, and data users (and keepers) shall be responsible for reporting information security incidents or weaknesses through appropriate reporting mechanisms.
  5. Any act of non-compliance that jeopardizes information communication security shall carry legal liability, civil and criminal alike depending on the severity, or be subject to disciplinary action in accordance with applicable rules and regulations.

Management Indicator

  1. This Office has established management indicators for assessing attainment of the objectives of information communication security management, with routine monitoring and control, assessment, and improvement.
  2. This Office shall review the job functions of the personnel in the organization responsible for information communication security, to assure that the work of information communication security is properly carried out.
  3. This Office shall respond to the requirements of the competent authority and provide employees with appropriate information communication security training according to the duties assigned and responsibilities assumed.
  4. This Office shall strengthen the environmental security of its information equipment and facilities and adopt appropriate protection and priority control mechanisms.
  5. This Office shall assure that no information is divulged to any unauthorized third party.
  6. This Office shall strengthen access control to prevent unauthorized and improper access, assuring appropriate protection of the information assets of This Office.
  7. This Office shall give serious consideration to security requirements in the development of its information communication systems, with routine audits of security weaknesses.
  8. This Office shall assure that any security incident or suspected weakness in information communication security is properly reported to superiors, appropriately investigated, and followed by appropriate action.

Management Review

This Policy shall be subject to management review at least once a year to reflect the latest developments in the regulatory environment, technology, and business, assuring the capacity of This Office for sustainable development. Any feedback pertinent to information communication security from the information communication security organization, the competent authority (or mandatory requirements), experts and scholars, or other stakeholders shall be put on the agenda for discussion in the management review.

Pursuit

This Policy shall come into full force upon approval by the Chief Information Security Officer. The same procedure applies to any amendment thereto.