I. Establishment of Information Security Policy
Information security policy should be maintained by designated persons or units, with the information security organization carrying out necessary evaluation and adjustment on a regular basis so as to maintain the appropriateness and effectiveness of information security policy.
The Ministry of Transportation and Communications (MOTC) has established information application systems in accordance with the stipulations of the "Information Management Rules for the Executive Yuan and Its Subordinate Agencies," the "Information Security Management Guidelines for the Executive Yuan and Its Subordinate Agencies," and the "Personal Information Protection Act," and in consideration of the operational needs of the MOTC, in order to reinforce its information security management.
This policy applies to personnel within the MOTC's organizational allocation, contract personnel, transferred personnel, outsourcing companies, and all related information assets and agencies with online operations linked to the MOTC, and is made known to the public via written, electronic, or other means, with the expectation that it will be observed by all so as to protect the security of information collection, processing, transmission, storage, and circulation.
The nature of information security can be classified into three types:
- Confidentiality: Information assets are graded according to their degree of confidentiality and are given the standards and protection appropriate to that degree of confidentiality.
- Integrity: The integrity of all information assets is protected so that they may be appropriately utilized by the organization.
- Availability: Timely and accurate services are assured for all items of information assets in order to satisfy the needs of users.
II. Information Security Policy Goals
Goals are established in accordance with the security policy described above to serve as indicators for the maintenance of information security.
- Assurance of information availability and integrity, and protection of the right of the people to use transportation facilities.
- Assurance of information confidentiality, and protection of the privacy of the information of online agencies and the public.
- Assurance of information accuracy, and assurance of the quality of information systems used by online agencies and the public.
III. Responsibilities and Obligations
- A permanent organization in overall charge of information security operations.
- The latest and most accurate list of information assets.
- Demarcation of use and authority that conforms to security regulations, appropriate provision of training in information security, and provision of information to personnel of reporting procedures for security incidents.
- Establishment of protection measures, security equipment, and general control principles for tangible assets.
- Security control measures for communications and information operations.
- Clear and appropriate control procedures for information storage and retrieval.
- Software development and maintenance encompassed within security considerations.
- Continuous operation of organizational functions.
- Establishment of an information and communications security auditing system and implementation of internal auditing for information and communications security so as to assure the security of MOTC information.
- Assurance of security conformity by operations outsourced from the MOTC, establishment of related control mechanisms, and implementation of outsourcing management.
- Conformity of communications and information operations with this policy.
IV. Review and Revision of Information Security Policy
- The information security organization should provide clear directions for the timely revision of this policy so as to assure that the policy meets current needs.
- Ranking MOTC officials should participate actively in information security management activities, give information security their support and commitment, and re-examine this policy when necessary.
- Personnel should carry through with the requirements of this policy through appropriate procedures.
- All of the personnel within the MOTC's organizational allotment, contract personnel, transferred personnel, outsourcing service companies, and all agencies that are related to information assets that are online with the MOTC must observe this policy.
- All related MOTC personnel should report, through appropriate reporting mechanisms, any information security incidents or weaknesses which they discover.
- Any MOTC employee who fails to observe this policy or who engages in any behavior that threatens the security of MOTC information will be subjected to appropriate punishment or legal action.
- All related MOTC personnel must sign a secrecy protection agreement and understand that all information obtained during employment with the MOTC is an MOTC asset and may not be utilized for other, unauthorized purposes.
This policy is maintained by designated personnel or a designated unit, with the information security organization carrying out necessary review and adjustment on a regular basis so as to maintain the appropriateness and effectiveness of the information security policy.
This policy should be revised by the information security organization on a regular basis once a year or in accordance with changes in the MOTC's organization, functions, or environment, with the revision being implemented, following approval, so as to conform to current conditions.