
This policy is stipulated in accordance with the “Information Security Management Directions for the Executive Yuan and its Subordinate Agencies,” the “Information Security Management Regulations for the Executive Yuan and its Subordinate Agencies,” the “CPAMI Information Security Policy,” and the needs of the Hualien County Government (hereinafter referred to as the government). Its purpose is to reinforce information security management; to ensure the confidentiality, integrity, and availability of information and the reliability of information equipment (including computer hardware, software, and peripherals) and network systems; to raise the information security awareness of staff; and to ensure that the above resources are protected from interference, sabotage, intrusion, or any other harmful conduct or intent. To oversee the coordination, planning, audit, and promotion of information security management affairs, a cross-departmental IT team (hereinafter referred to as the team) has been assembled. The team is headed by the department’s planning manager, and its members are employees selected by the various units within the department and approved by the director.

Agencies should allocate roles and responsibilities to relevant departments and personnel in accordance with the following directions for labor division:

  •     The discussion, establishment, and assessment of directions for information security policies, plans, and technologies should be conducted by the Planning Management Section.
  •     The department in charge of each business function should be responsible for meeting the requirements regarding the discussion, management, and protection of the information and information systems of that function.
  •     The HR and Civil Service Ethics Office and related departments should be jointly responsible for maintaining information confidentiality and for security audits.

The scope of the policy is as follows, and relevant departments and personnel should formulate related management regulations or implement information security plans, as well as evaluate implementation performance regularly:

    Personnel management, and information security education and training.

    Computer systems security management.

    Internet security management.

    System access control management.

    Security management of system development and maintenance.

    Security management of information assets.

    Physical and environmental security management.

    Planning and management of business continuity (sustainable operation) plans.

Personnel management, and information security education and training:

    Agencies should conduct a security assessment of information-related duties and tasks, and assess the suitability of personnel during the hiring process and when assigning duties and tasks. Evaluations may be conducted as necessary. Supervisors at all levels should be responsible for supervising the security of information operations conducted by agency personnel, to prevent illegal and inappropriate actions.

    Agencies should conduct regular information security education, training, and awareness promotion, tailored to management needs, business functions, and the information handled, to establish the information security awareness of personnel and raise information security standards.

Computer Systems Security Management:

    Agencies should specify information security requirements when outsourcing information functions. The information security responsibilities and confidentiality obligations of suppliers should be stated clearly and included in contracts for suppliers to comply with. Suppliers should be evaluated on a regular basis.

    Agencies should copy and use software only as permitted by relevant laws and regulations or by the applicable license contracts, and should establish a software usage management system to that end.

    Agencies should adopt necessary preventive and protective measures in advance to detect and prevent computer viruses and other malicious software, to ensure the normal operation of information systems.

    Agencies should establish a change control procedure for system modifications, and keep records of changes for later reference, audit, and evaluation.

    Agencies should procure information software and hardware according to the national standards or government information security directions promulgated by the competent agency, and propose information security requirements to be included in the procurement specifications.

Internet Security Management:

    When opening information systems to external connections, agencies should carefully consider the importance and value of the data and systems involved, and adopt data encryption, identity authentication, electronic signatures, firewalls, security vulnerability detection, and other technologies or measures appropriate to each security level, to prevent hacking, damage, alteration, deletion, and unauthorized access to data and systems.

    Agency websites connected to an external network should be equipped with a firewall and other necessary security equipment to control data transmission and resource access between external parties and the agency intranet.

    Agencies should implement a data security rating assessment system when using the Internet and global information networks to publish and distribute information. Confidential, sensitive, or private information and documents, and any material that may not be used without proper consent, may not be published on the Internet.

    Agencies should promulgate e-mail usage regulations. Confidential data and documents may not be transmitted via e-mail or other electronic methods.

    To prevent network users from inadvertently violating the department’s network security regulations, network administrators may apply relevant network technologies to restrict users who violate the network regulations, provided that such measures do not interfere with normal network usage.

System Access Control Management:

    Agencies should promulgate system access policies and authorization directions, and inform staff and users about the relevant authority and responsibilities via written communication, e-mail, or other methods.

    Agencies should terminate the information and resource access rights of staff members who have resigned or are on leave, and include this as a mandatory step in the resignation and leave application process. The access rights of agency personnel whose functions have been revised or who have been transferred should be adjusted before the stipulated deadline and in accordance with the directions for system access authorization.

    Agencies should establish a user account registration and management system to enhance the management of user passwords, and require users to change passwords regularly, at intervals not exceeding six months.

    Agencies should enhance security controls over, and keep a list of, system service provider personnel who perform system maintenance via remote login, and require them to observe the relevant security and confidentiality responsibilities.

    Agencies should establish a system audit plan and an information security audit system. Information security audits should be conducted on a regular or irregular basis.

Security Management of System Development and Maintenance:

    Agencies should consider information security requirements from the initial phase of the system life cycle, whether developing systems in-house or outsourcing system development. Security controls should be established for maintenance, updates, deployment, and version control, to prevent unauthorized software, backdoors (trapdoors), and computer viruses from compromising the system’s security.

    Agencies should prescribe standards and restrictions on the scope of systems and data that suppliers’ software/hardware development and maintenance personnel may access, and strictly prohibit the issuance of long-term system identifiers and access passwords to them. Agencies may issue short-term, temporary system identifiers and access passwords to suppliers based on actual operational needs; however, such access rights should be terminated immediately upon completion of the work.

    Suppliers should carry out the installation and maintenance of important software and hardware for outsourced projects only under the supervision and accompaniment of agency personnel.

Security Management of Information Assets:

    Agencies should create an inventory of IT system-related assets, and stipulate the information asset items, their owners, their security levels, and the classification standards applied.

    Agencies should establish information security levels and classification levels, together with the corresponding protection measures, in accordance with the Classified National Security Information Protection Act, the Computer-Processed Personal Data Protection Law, and the Freedom of Government Information Law.

    Information that has been classified by security level, and system output containing such information, should be labeled with the appropriate security level to ensure that users handle it accordingly.

Planning of Business Continuity (Sustainable Operations):

    Agencies should promulgate a business continuity (sustainable operation) plan for agency functions, assess the impact of man-made and natural disasters on normal agency operations, establish emergency response and recovery procedures, prescribe the responsibilities of relevant personnel, conduct drills, and review and update the plan regularly.

    Agencies should establish an emergency management system for information security incidents. Security incidents should be handled according to the prescribed procedures and reported immediately to the competent department or personnel. Response measures should be taken, and the prosecutorial, police, and investigative authorities should be contacted to assist with investigations where appropriate.

    Agencies should establish and differentiate data security ratings in accordance with relevant laws and regulations, and adopt appropriate and sufficient information security measures. This information security policy should be reassessed at least once a year in light of the latest developments in government regulations, technologies, and business functions, to ensure the effectiveness of information security operations. The information security policy must be approved by the director before implementation, and the same applies to any revision of the policy.