Security Policy

Security Policy of the Freeway Bureau

I. Purpose of this Document
This document sets out the Information Security Policy, as well as its objectives and requirements for the Information Security Management System of the Freeway Bureau, including auxiliary units (the "Bureau"). Serving as the operating guidelines, this document is in place to ensure the implementation of the comprehensive management and the compliance with the needs of the Bureau, Information Security Management Act and the requirements set forth by international standards related to information security.

II. Scope
All staff (including seconded staff), outsourcers (including stationed personnel) and visitors. 

III. Policy and Objectives
1. Information Security Policy
"To enhance the quality of information services, protect personal privacy, and to ensure the confidentiality, integrity and availability of the information asset."
2. Information Security Policy Requirement 
The Bureau shall set up an inter-departmental Information Security Task Force, where high-level executives convene regular Management Review Meetings to  examine our information security policy.
The convener of the Information Security Task Force shall ensure that the information security policy and objectives are established and are compatible with the strategic direction of the Bureau. 
3. Information Security Management Objectives 
(1). Information security is one of the element for regulator compliance. The Bureau shall maintain high level of information security, in order to ensure the confidentiality, integrity and availability of information assets.
(2). Maintain the consistency of information security in the operating environment of the Bureau, taking into account information security and information sharing.
(3). All information security regulations shall comply with the relevant laws, regulations and policy requirements by the Government .
(4). All process related measures shall ensure the information security of the Bureau and prevent the leakage or loss of sensitive and confidential information.
(5). Plan and provide appropriate security measures for personal data to ensure the Bureau has to fulfill the obligation of good management. .
(6). Appropriate protection of information assets (including software, hardware, network communication facilities and databases, etc.), deploy appropriate recovery facilities and plan, to prevent unauthorized or negligent damage to information assets. Also periodically perform the recovery plan.
(7). Regularly implement information security and personal data protection awareness training, and enhance information security policy advocacy.
(8). Projects that related to information system or service, information secutity and privacy impact should be taken into consideration from the planning stage,  and appropriate management measures should be established to ensure that relevant information is properly protected.
4. Information Security Management Indicator 
Based on the nature of the business, the Bureau will consider confidentiality, integrity, availability, privacy, and legality, to develop a quantitative indicators of information security management which is approved by Management Review Meeting, to measure the effectivness of this policy. 
5. Stipulation and implementation of the Inforamtion Security Management System
The Information Security Task Force shall annually review and revise the applicability statement of information security control measures in accordance with ISO 27001 requirements and submit it to the Management Review Meeting for consideration.

IV. Responsibilities
1. The Bureau shall set up an Information Security Task Force to facilitate the coordination of relevant matters in the management system.
2. The management level shall actively engage in and support the management system and implement this policy through appropriate standards and procedures.
3. All Bureau staff (including seconded staff), outsourcers (including stationed staff) and visitors shall abide by this policy.
4. It is the responsibility of all staff and outsourced vendors working in the Bureau to report on information security incidents or vulnerabilities through an appropriate reporting mechanism.
5. Any persons whose actions compromise information security and the protection of personal information will be held liable under criminal, civil and administrative laws according to the seriousness of the case or punished in accordance with relevant provisions of the Bureau.
6. The vendor and  outsourced personnel (units) of the Bureau shall sign a confidentiality agreement and comply with the provisions of this policy and related procedures . Users shall not use any information assets and personal data of the Bureau without authorization. Outsourcing projects not related to information security are not restricted.

V. Enforcement and Revisions
1. This policy is regularly revised by the Bureau's Information Security Task Force or appropriately amended in response to changes in organizational structure, business scope, laws and regulations or the environment. It is reviewed and approved by the Management Review Meeting and shall be ratified and enforced upon approval by the Bureau's Director General, or ratified and enforced upon approval by the Bureau's Director General first and then report at Management Review Meeting to ensuring its suitability, relevance and effectiveness.
2. This policy shall be disseminated through a public announcement process to inform Bureau staff and relevant personnel of the provisions pertaining to information security policy.

VI. Information Security Policy Exception Management
For the requirement of specific operation control, but based on legal compliance, technical capabilities and cost-effective considerations, that need to be exempted from the information security policy, must obtain an appropriate approval in order to maintain the flexibility and integrity of the management mechanism.

Date of Posting :2018-02-12
Source of Information:Information Management Office
Last Updated:2021-04-13
Visitor Counts:19651