Information Security Policy
Policy Motive
This security policy serves as the basis for complying with related regulations and for safeguarding the information assets of the National Immigration Agency (information assets include, but are not restricted to, information, software, and hardware facilities) against the risk of being tampered with, exposed, destroyed, or lost, whether through external threats or through mismanagement and misuse by internal staff.
Basis
The Information Security Policy (hereinafter referred to as the Policy) is drawn up based on the mission and objectives of the National Immigration Agency and in accordance with related laws and regulations such as the "Information Security Management Essentials of the Executive Yuan and Its Subordinating Agencies", the "Information Security Management Standard of the Executive Yuan and Its Subordinating Agencies", and the "Personal Information Safeguard Act and Enforcement Rules."
1. The Essence of Information Security
The essence of information security is classified as follows:
(1) Availability
To ensure that information assets are provided promptly and accurately whenever authorized users need them.
(2) Integrity
Information assets are classified according to their importance and safeguarded appropriately, so that they cannot be altered or destroyed without authorization.
(3) Confidentiality
Data is graded by its confidentiality, and each grade is given standards and protection appropriate to that grade, so that data is disclosed only to those authorized to receive it.
The information security of the National Immigration Agency aims to ensure the integrity, availability, and confidentiality of all of the Agency's information assets.
2. Purpose of Policy and Description
In order to achieve the mission and objectives of the National Immigration Agency, to meet the expectations and requirements of the highest management level regarding information security, and to ensure that all information assets of the National Immigration Agency are secured, the purposes of drawing up the information security policy of the National Immigration Agency are as follows:
(1) To ensure the confidentiality of the relevant business information of the National Immigration Agency, and to prevent the Agency's sensitive data and the personal data of the public from being leaked or lost.
(2) To ensure the integrity and availability of the relevant business information of the National Immigration Agency, so that the Agency can carry out its work and its various business operations.
(3) To establish, through the Policy, an integrated, feasible, and effective Information Security Management System (hereinafter referred to as the ISMS), based on the needs of organizational development and taking information asset risk into account. Under the ISMS, asset risk undergoes systematic risk evaluation and is handled and managed in accordance with the evaluation result, and written procedures are established for the various plans, operations, and control processes of information security, in order to provide the best possible assurance of the Agency's information security. The Policy is evaluated at least once a year in order to keep up with changes in the law and developments in technology and related business, so that the effectiveness of information security is maintained.
3. Objective
In order to achieve the purposes mentioned above, the related objectives are divided into quantitative and qualitative objectives:
(1) Quantitative objectives include:
To ensure that the year-round service availability of the National Immigration Agency is at least 99.95% (cumulative service interruption of less than 4 hours per year).
To ensure that fewer than 3 information security leakage incidents are handled per year.
To ensure that the relevant information security measures and standards meet the requirements of the Policy and of existing laws and regulations, with an inspection conducted at least once every half-year.
To maintain and test the plan for continuity of operations, with a test conducted at least once a year.
To establish an information asset risk evaluation system, with a risk evaluation conducted at least once a year.
To ensure that staff are equipped with information security knowledge, staff must, according to their job position, receive a minimum number of hours of professional training per year, as follows: a minimum of 4 hours for department chiefs and general staff, a minimum of 6 hours for section chiefs, and a minimum of 18 hours for technicians.
The ISMS is applied in the following areas: information documents, computer systems, staff, physical areas, and hardware equipment, as detailed below.
1. Information documents: documents in databases, data files, system planning and system design documents, manuals, contracts, training materials, standard procedures, and related work agreements.
2. Computer systems: computer operating systems, application information systems, system development tools, packaged software, and utilities.
3. Staff: internal staff and external visitors.
4. Physical areas: computer rooms, office areas, and equipment installation rooms.
5. Hardware equipment:
a Computers: servers, portable computers, and personal computers.
b Communication equipment: hubs, routers, switches, transmission lines, modems, and fax machines.
c Storage media: removable hard drives, magnetic tape drives, diskettes, compact disks, PKI cards, and identification sensor cards.
d Other: UPS units, printers, scanners, disc burners, air conditioners, and security codes.
Division of Authority
For the efficient operation of the ISMS, the authority of each unit is as follows:
1. To ensure that information security measures receive actual support from the management level, all senior management of the Immigration Office (director, vice director, and chief secretary) shall declare their commitment to carrying out information security, and shall instruct the related units and staff to form an information security implementation team, so that information security responsibilities are allocated and resources are managed efficiently.
2. Members of the information security implementation team shall actively participate in the various activities of the ISMS. The convener and vice convener of the team shall support and commit to the ISMS, and shall ensure that the Policy meets the mission of the Immigration Office and the requirements of senior management.
3. The convener of the information security implementation team is also the information security representative of the Immigration Office. In the event that the convener is unable to participate in an information security activity, the vice convener shall act on his or her behalf.
4. Every unit of the Immigration Office shall carry out the requirements of the Policy through proper procedures.
5. All staff (including contracted personnel), all units using the Agency's network links, contracted companies, and commissioned companies shall abide by the Policy.
6. All staff (including contracted personnel) are responsible for reporting any information security incident or information security weakness they discover.
Other Regulations
1. Proper disciplinary procedures or legal action shall be taken against any staff member (including contracted personnel) of the Immigration Office who violates the Policy or acts in any way that endangers the information security of the Immigration Office.
2. All staff (including contracted personnel) of the Immigration Office shall understand that all information obtained at work is the property of the Immigration Office. Using any such information without authorization is strictly prohibited.
3. The stipulations and related requirements of the Policy shall be incorporated into and abided by in any contract signed with a commissioned company.
Amendment
The Policy shall be evaluated at least once a year and shall reflect the latest developments in government laws and regulations, technology, and business, to ensure the continued validity of information security.