Jung Li City
Time: 2012-05-19
Security Policy

Jungli City, Taoyuan County, City Hall Information Security Management

Letter No. 0960045216, dated August 24, Year 96 of the Republic of China

【I、Basis】

These management rules are established in accordance with Executive Yuan Letter No. 34735, dated September 15, Year 88 of the Republic of China, concerning information security management for the Executive Yuan and its affiliated agencies.

【II、Information security policy】

1. The purpose
To protect information against internal or external threats, whether deliberate or accidental, and to maintain information systems and security equipment so as to provide fast and reliable information services.
2. Goal
a. To ensure the confidentiality and privacy of data on the IT application platform and to prevent incidents of illegal use and access.
b. To provide continuous service on the information application platform; each interruption of platform service caused by an incident shall not exceed 8 hours.
3. Responsibility
a. Set up an inter-unit information security group, convened by the mayor, with the deputy mayor as deputy convener and the manager of the planning office as Executive Secretary, and comprising the information security management representatives of the other units. The group is responsible for establishing, maintaining and improving the information security management system and for planning the safe and effective management of information resources.
b. Present staff (including official staff, hired staff and temporary staff), maintenance contractors and business partners of the servers and host PCs shall comply with this policy and other agreements related to information security.
c. Staff who do not follow the policy, or who do anything else that threatens the security of information, will be subject to appropriate legal action or punishment.
4. Event notification process
Incidents are reported according to the national information and communication security emergency reporting processes (see the attachment).

【III、Plan of Implementation】

1. Division of Security responsibilities
a. The discussion of information security policies, plans and technical specifications, and the research, evaluation and deployment of security technology and related issues, are handled by the planning office.
b. The discussion of data and information system security levels, user privileges, etc. is handled by the practical units and the planning unit.
c. Safeguarding confidentiality and audit management are handled by the civil service ethics office and the relevant units.
d. Security assessment of personnel is handled by the employers and the personnel office.
e. Information security and asset management are handled by the general affairs office.
f. Emergency drills and the testing process are handled by the planning office.
g. Information security audits are carried out regularly by the planning office and the civil service ethics office.
2. Management and information security education and training
a. For staff who handle sensitive or confidential information, or who must be given administrative permissions because of their work, powers and responsibilities should be appropriately divided and dispersed, and a system of mutually supporting personnel should be established as needed.
b. For departing staff, follow the official staff departure procedure and cancel their authority to use all system resources.
c. Conduct information security education, training and advocacy for staff at different levels, according to actual needs, to explain the possible security risks and raise awareness of information security, so that staff obey the security provisions.
d. Every director of affairs is responsible for supervising their staff's information security operations to prevent illegal and improper conduct.
3. Computer system security management
a. Establish a change notification mechanism for the management of information systems and facilities, so as to avoid creating security loopholes in the system.
b. Handle and protect personal information carefully, in accordance with the relevant provisions of the Computer-Processed Personal Data Protection Law.
c. Establish redundant system facilities, back up necessary information and software on a regular basis, and keep the backups in different places, so that normal operations can be restored quickly in the event of a disaster or storage media failure.
4. Network security management
a. Where the internal network connects to an outside network, a firewall should be set up to manage data transmission and access to resources between the internal and external networks, and rigorous identity verification should be implemented.
b. Confidential and sensitive information or documents shall not be stored on information systems that are open to the external network. Confidential documents must not be transmitted by e-mail, FTP, MSN, Skype, P2P or other similar means. If it is necessary to transmit sensitive information electronically, it must be protected by encryption, electronic signatures and other security technology before transmission.
c. Carefully assess the data transmission operations that are opened up to the external network.
d. Establish a warning system that gives network managers timely warning signals when specific network security incidents occur, so that they can take effective preventive measures to reduce the incidence of network security incidents.
5. System access control management
a. According to the needs of the operating system and security management, set passwords, manage the process for changing them, and keep a record.
b. When signing in, staff at all levels should access the system only as their tasks require. Account permissions and passwords are set up and regularly updated by the system administrators.
c. Where data must be created by outsourcing companies, whether inside or outside the city hall, the outsourcing companies are required to sign appropriate security control provisions to prevent data theft, tampering, sale, leakage, improper backup and similar incidents.
6. The safety of systems development and maintenance management
a. Information security shall be taken into account from the planning and needs analysis phase of information systems. System maintenance, updates, going online and version changes should be subject to security controls to prevent improper software, backdoors, computer viruses and the like from endangering system security.
b. When IT work is outsourced, potential security risks should be carefully assessed in advance. The information security and confidentiality responsibilities of the vendor must be set out and included in the contract, and the vendor must be required to comply with them.
c. The access of outsourced personnel who build and maintain software and hardware systems should be regulated and restricted in scope. After the authority has been used, the permission shall be revoked immediately.
d. Use all software in accordance with the relevant provisions on intellectual property rights.
7. Information assets security management
a. Establish a directory of information systems and related assets. The assets shall not be carried out of the office.
b. To prevent possible improper actions, unauthorized personnel should be prohibited from working alone in the office.
c. Computer equipment must be fitted with anti-virus software, with virus definitions updated in real time, and staff should stay informed of up-to-date information about viruses.
d. Archived personal documents should be given security protection. If they must be shared on the network, they must be protected with encryption.
8. Physical environment and safety management
a. System servers and equipment should be placed in the host room and managed by the planning office. Entry and exit of unrelated personnel should be controlled.
b. The host room should be fitted with appropriate security detection and control equipment, and the safety equipment should be checked regularly.
c. Backup equipment and media should be stored at a location a safe distance away.
9. Operation of the business continuity plan management
a. Assess the impact of various natural and man-made disasters on normal business operations and, if necessary, adjust the plan.
b. Classify information into levels in accordance with relevant laws and regulations, and take appropriate and adequate information security measures for each level.

【IV、Other】

a. The civil service ethics office sets up information security audit points (including the contents of the audit, the results of the audit, staff, etc.) and carries out regular case checks of information security issues.
b. For details of information security operations, and for reference on standardizing the information security powers and responsibilities of the units, please consult the “Executive Yuan and affiliated agencies of information security management norms”.
Inspection Date:2010-12-13