Security Policy of the Freeway Bureau

I. Purpose of this Document
This document sets forth the policies and management objectives of the Information Security Management System (ISMS) and Privacy Information Management System (PIMS), which have been integrated and hereinafter referred to as the ISMS, for the Freeway Bureau and its affiliated agencies (hereinafter referred to as the Bureau). This document will serve as the operational guidelines for the Bureau's information security and privacy activities to ensure the implementation of the system comply with Cyber Security Management Act, Personal Information Protection Act, international standards relevant to information security and the requirements the Bureau.

II. Scope
All Bureau staff (including full-time, seconded personnel and contractors), vendors (including stationed personnel) and visitors. 

III. Policy and Objectives
1. Information Security Policy
"To enhance the quality of information services, protect personal privacy and its security, and to ensure the confidentiality, integrity and availability of the information assets."
2. Information Security Policy Requirements 
The Bureau shall establish a cross-departmental information security task force responsible for the coordination, planning, auditing, and promotion of information security management affairs. The Information Security Task Force Convener shall ensure that the information security policy and objectives are established and are compliant with the strategic direction and vision of the Bureau.
3. Information Security Management Objectives 
(1). Information security is one of the elements to fulfill the Bureau's statutory duty. The Bureau shall maintain high level of information security, in order to ensure the confidentiality, integrity and availability of information assets.
(2). Maintain the consistency of information security in the operating environment of the Bureau, taking into account information security and information sharing.
(3). All information security regulations shall comply with the relevant laws, regulations and policy requirements by the Government .
(4). All information activities related measures shall ensure the information security of the Bureau and prevent the leakage or loss of sensitive and confidential information.
(5). Plan and provide appropriate security measures for personal data to ensure the Bureau can fulfill its duty of care.
(6). Properly protect information assets (including software, hardware, network communication facilities and databases, etc.), implement appropriate recovery facilities and activities, to prevent damages to information caused by unauthorized access or negligence, and periodically rehearse aforementioned recovery activities.
(7). Regularly implement information security and personal data protection education and trainings, and reinforce information security policy promotion.
(8). Projects that related to information systems or services, information security and personal data privacy impacts should be taken into consideration from the planning stage, and appropriate management measures should be established to ensure that relevant information is properly protected.
4. Information Security Management Indicators 
The Bureau will establish effectiveness matrix for the information security management system based on nature of the businesses, from confidentiality, integrity, availability, privacy and compliance aspects, and after deliberation at the management review meetings. The quantitative indicators will be used to manage the implementation of the policy.
5. Establishment and implementation of the Information Security Management System
(1)The Bureau's information security task force shall establish and maintain ISMS, promote and manage the implementation of ISMS, monitor and evaluate the performance of ISMS implementation, and improve ISMS in accordance with the requirements of the policies and objectives.
(2)The Information Security Task Force shall review and revise the applicability statement of information security control measures annually in accordance with ISO 27001 requirements and submit the document to the Management Review Meeting for review and approval before implementation, and also submit the document to management review committee meetings for future reference.

IV. Responsibilities
1. The Bureau shall establish an Information Security Task Force to coordinate promotion of relevant management system activities.
2. The management level shall actively engage in and support the management system and implement this policy through appropriate standards and procedures.
3. All Bureau staff (including full-time, seconded personnel and contractors), vendors (including stationed personnel) and visitors shall abide by this policy.
4. It is the responsibility of all Bureau staff and outsourced vendors working in the Bureau to report on information security incidents or vulnerabilities through an appropriate reporting mechanism.
5. Depending on severity of the actions that compromise information security and the protection of personal information, the individual will be subject to civil, criminal, civil and administrative liabilities or disciplinary actions in accordance with the Bureau's provisions.
6. Vendors and personnel working for the Bureau shall sign a confidentiality agreement, comply with the provisions of this policy and relevant procedures, and not use any types of the Bureau's information assets and personal data without authorization. This restriction does not apply if outsourced items are not relevant to information security.

V. Enforcement and Revisions
1. This policy is updated regularly by the Bureau's Information Security Task Force or revised adequately in response to changes in organizational structure, business scope, laws and regulations or the environment. The policy is enforced upon approval by Bureau's Director General, and is reported at the Management Review Meeting to ensure its continuous appropriateness, relevance and effectiveness
2. This policy shall be disseminated through a public announcement process to inform Bureau staff and relevant personnel of the provisions pertaining to information security policy.

VI. Information Security Policy Exception Management
For specific operational controls that need to be exempted from the information security policy due to legal compliance, technical capabilities and cost-effective considerations, application and approval processes based on hierarchical responsibility must be followed to maintain the flexibility and integrity of the information security management system.