Shei-Pa National Park Headquarters, National Park Service, Ministry of the Interior
Information Security Policy
I. Purpose
Shei-Pa National Park Headquarters sets up this policy to protect the public's rights, enhance information security management, assure the safety of data, systems, facilities, and the internet, and thereby construct a safe and trustworthy electronic government.
II. Responsibility
The policy is established and examined by the highest administrative level of the Headquarters.
The policy is carried out by the information security manager through the proper standard, procedure, and control measure.
All staff of the Headquarters, contract companies, and the third party must obey the standard, procedure, and control measure regulated in the policy.
In case of any activities intentionally posing danger to our information security, the Headquarters will take necessary legal action.
III. To coordinate and drive information security management as a whole, a cross-sectoral information security improvement team is set up. The information section is in charge of the team's work.
IV. On the basis of the following division principle, responsible sections and personnel are given different duties:
The information section is responsible for studying, building, and evaluating the information security policy, plan, and technique regulation.
The business section is responsible for discussing, managing, and protecting the security need of the information and information system.
The Civil Service Ethics Section, along with related sections, is responsible for confidential information protection and information security check-up.
V. The scope of the policy is as follows. Based on the following categories, responsible sections and personnel should make related management regulations or execution plan, regularly evaluating the effects.
Personnel management and educational training of information security
Computer system security management
Internet security management
System access control
Application system development and security management maintenance
Information property security management
Solid object and environmental safety management
Plan and management of sustainable business operation
VI. Personnel management and educational training of information security
Security evaluation should be carried out for work related to information. It is also necessary to carefully assess the suitability of personnel when employing them and assigning them certain missions.
On different types of works like management, business, and information, it is necessary to regularly hold the educational training and promotion of information security, construct the awareness of information security for employees, and elevate the standard of information security.
VII. Computer system security management
In outsourcing information affairs to a company, it is a must to address information security requirements in advance, regulate the responsibility of information security and non-disclosure clauses applicable to the company, and draw up a contract to ask the company to obey and face regular check-ups.
It is required to duplicate and use any software in accordance with related regulations or contract, so as to build a management system of software usage.
To assure that the system can function normally, it is necessary to adopt prevention and protection measures in advance, and to detect and stop computer viruses and other malicious software.
In purchasing software and hardware facilities, it is a must to address information security requirements and list procurement standards on the basis of the national standard or the governmental information security regulations set up by the responsible section.
VIII. Internet security management
Based on the importance and value of the data and system, information systems that allow connections from the outside should adopt techniques and measures of different security ranks, such as information encryption, ID identification, electronic signature, firewall, and security leak inspection, with a view to preventing the data and system from being invaded, damaged, altered, deleted, or downloaded without permission.
Internet addresses that are open to connections from the outside should control information transmission and access between the exterior and interior networks through necessary security measures such as a firewall.
The information security ranks should be used in making public and transmitting the information through internet and World Wide Web. The classified, sensitive, and personal privacy information and documents without permission must not be made public online.
The e-mail usage regulations should be drawn up to stipulate that the classified information and documents not be transmitted by e-mail or other electronic ways.
IX. System access control
The system access control policy and authorization regulations should be set up. Employees and users should be informed of related limits of authority and responsibilities.
Employees who leave office or take vacations should immediately have all limits of authority for every kind of information resource withdrawn, and this measure should be listed in the necessary procedures for those leaving office or taking vacations. Employees whose posts are changed or modified should be given new limits of authority within a certain period of time.
It is necessary to build a registration control system for system users and to enhance the management of users' passwords, whose update period should not exceed six months.
For system maintenance personnel who log on from the system service company, it is required to enhance security control, build a list of their names, and assign them the related non-disclosure responsibilities.
Constructing an information security check-up system is a must, in which regular or irregular check-ups are executed.
X. Application system development and security management maintenance
It is necessary to take information security into consideration from the very beginning of a system, whether it is developed by ourselves or outsourced to other system companies. The maintenance, update, online execution, and version change of the system should be specially controlled and protected, in order to prevent malicious software, trapdoors, and computer viruses from damaging the system.
The system company's personnel in charge of constructing and maintaining software and hardware systems should be regulated and restricted to a certain range of the systems and information accessible to them. In particular, issuing a long-term system identification code and password should be forbidden. If needed in practice, a short-term, temporary system identification code and password may be given to the system company, but should be cancelled as soon as the work is finished.
When commissioning a system company to construct and maintain the important software and hardware facilities, the related personnel in the Headquarters should supervise the whole process.
XI. Information property security management
It is necessary to build the information property catalogue related to the information system and to stipulate the information property items, the owner, and the classification of security ranks.
It is necessary to build the classification standard of the information security ranks and corresponding protection measures on the basis of related regulations like national secrets protection law, computer personal data protection law, and government information openness law.
The output data of information and systems classified by security rank should be marked with the proper security rank, so that users can abide by it.
XII. Solid object and environmental safety management
The solid object and environment safety management measure should be stipulated, applicable to the facility installment, surrounding environments, and personnel access control.
XIII. Plan and management of sustainable business operation
The plan of sustainable business operation should be drawn up in order to evaluate all kinds of man-made and natural disasters. The procedures for emergency measures and restoration work and the limits of authority for related personnel should be clearly drawn up, regularly rehearsed, and modified in a timely manner by a new plan.
The emergency operation mechanism of information security should be set up. When an information security event occurs, on the basis of regulated procedures, it is required to immediately report it to the information section or responsible personnel, take responsive measures, and contact law enforcement agency to assist the inspection.
It is necessary to set up and differentiate the information security rank in accordance with related regulation and to adopt appropriate and sufficient information security measures in accordance with different security ranks.
XIV. Information security check-up
Regular or irregular check-up should be done to the internal and external information security.
It is a must to establish the check-up category and content based on the business element of the Headquarters and to set up the related check-up plan or operation procedure.
XV. This policy is evaluated at least once a year in order to reflect the latest developments in governmental laws, techniques, and business affairs, so as to ensure the validity of the information security operation.
XVI. This policy takes effect from its publication.