Security Policy of the Freeway Bureau
I. Purpose of this Document
This document sets out the information security policy, as well as its objectives and requirements for the Information Security Management System of the Freeway Bureau (the "Bureau"). Serving as the operating guidelines, this document is in place to ensure the implementation of the comprehensive management and the compliance with the needs of the Bureau and the requirements set forth by international standards related to information security.
1. Management System
This document is formulated based on the management needs of the Bureau, by referencing international standards such as the ISO 27000 series (Information Security Management Systems), the ISO 31000 series (Risk Management), the ISO 20000 series (IT Service Management) and BS 10012 (Personal Information Management), as well as relevant national standards, laws, regulations and directions of the ROC government, to meet the requirements of ISO 27001:2013.
2. Organizational scope
This document is applicable to the planning, implementation, management and improvement of the Information Security Management System of the Bureau, including its subsidiaries.
III. Policy and Objectives
1. Information security policy requirements
The Bureau's information security policies at various levels, comprising the high-level management policy and the operational-level policies, are as follows:
(1) High-level management policy
The Bureau shall set up an inter-departmental Information Security Task Force, where high-level executives convene regular Management Review Meetings to examine our information security policy.
The convener of the Information Security Task Force shall ensure that the information security policy and objectives are established and are compatible with the strategic direction of the Bureau.
The Bureau's high-level management policy for information security is:
"To enhance the quality of information services, protect personal privacy, and to ensure the safety of ICT networks and the use of information systems."
(2) Operational-level policy
A. Mobile Device Management Policy
All mobile devices (including mobile phones, laptops, tablet computers and other devices with storage and networking functions) that connect to a network or system operated or managed by the Bureau shall be registered and approved in advance, before any connection is made.
B. Remote Work Management Policy
Remote work that involves connecting to the Bureau's network or system via the Internet shall be limited to medium- or low-value information assets, and the device used shall be equipped with protection mechanisms approved by the Bureau. High-value information assets shall be accessed only from the Bureau's Intranet or over VPN, and shall not be directly accessible via the Internet.
C. Access Control and Login Control Policy
Any equipment carrying information assets that is connected to the Bureau's network or system shall not be installed or located outside the Bureau without supervision or a protective mechanism. Devices that are able to access the Bureau's information assets must have a unique identification mechanism, and the device owner may access only work-related systems and information, so that device access can be monitored and recorded. Users with special access privileges shall be subject to independent monitoring: their access to systems, software functions and information shall be registered and approved in advance and governed by a secure login procedure.
D. Password Management Policy
Requirements for user login passwords shall follow the relevant government regulations and directions on minimum password length and change frequency. A password shall contain characters from at least three of the following character classes: uppercase letters, lowercase letters, digits, special characters and non-English characters. It shall not contain the user's full name and shall not be displayed in plain text.
E. Clear Screen Policy
All computers used by Bureau staff (including seconded and stationed staff)—servers, PCs, laptops and mobile devices with operable screens—shall be configured to enable screen lock protection. When the computer is not in use for a certain period of time, the screen shall automatically engage password-protected screen lock.
F. Clean Desk Policy
When leaving their desks, Bureau staff (including seconded staff and stationed staff) shall not leave any sensitive information, or information sufficient to identify a person, on the desk, and shall keep the desk as clear as possible.
The Bureau's systems and information are divided into three levels, high, medium and low, according to their availability requirements. Information with high availability requirements shall be backed up daily; information with medium or low availability requirements shall be backed up weekly.
H. Information Transmission Management Policy
The transmission of information between systems shall be carried out under controlled and protected conditions. Information to be transmitted internally between Bureau systems shall have a protective mechanism in place. Sensitive information transmitted between the Bureau and external organizations shall be encrypted during the transmission process, and such transmission shall be subject to registration and approval in advance.
I. Application Development and Maintenance Policy
The information security needs of systems, whether developed in-house or by outsourced developers, shall be taken into account throughout the system's life cycle. Security control measures shall be in place for system maintenance, updates, go-live and version changes, to prevent inappropriate software, backdoors and computer viruses from compromising the system.
J. Record Keeping Policy
Records of the Bureau's Information Security Management System are kept and assigned a retention period. Records past their retention period shall be destroyed at least once a year, and the destruction shall be recorded and filed for future reference.
K. Business Continuity Management Policy
A Business Continuity Management (BCM) plan shall be in place to meet the actual needs of the Bureau's information operations. The plan shall include at least information security emergency response measures, incident reporting procedures and regular drills, so that important systems and operations are prepared to continue functioning in the event of a disaster and the availability of information is ensured in times of need.
2. Information Security Management Objectives
The objectives of the Bureau's information security management are as follows: "To ensure the confidentiality, integrity and availability of information assets and to prevent risk factors, such as personal negligence, deliberate acts or natural disasters, in order to steer clear of unlawful usage, leaking, tampering and destruction of such information assets and provide continuous, safe and smooth system services in compliance with statutory regulations, standards and contractual requirements."
To achieve the Bureau's objectives on information security management, the requirements of the ISO 27001 international standards and relevant regulations and directions promulgated by ROC government agencies are referenced to establish the Bureau's Information Security Management System. Appropriate protective measures are taken in respect of important information assets within the scope of our Information Security Management System to maintain the confidentiality, integrity and availability of the information assets, enabling smooth and safe execution of all operations to provide quality services to travelers.
For the practical implementation of the Information Security Management System to meet operational needs, the Bureau's information security management objectives are divided, as implementation requires, into two main parts: operational procedure objectives and information security management operating objectives.
(1) Operational procedure objectives
The objectives for each operational process describe and define the operation flow and the basic requirements for implementing the Information Security Management System.
(2) Information security management operating objectives
The Information Security Task Force shall evaluate and suggest the objectives of the Bureau's information security management every year and submit them to the Management Review Meeting for consideration. The objectives shall include the following:
A. Objectives for business (information) service availability.
B. Management objectives for controlling operations (information) services and incidents where information is improperly disclosed.
C. Management objectives for incidents where information is tampered with or is exposed to unauthorized access.
D. Control objectives for monthly access to the data center.
E. Management objectives for monthly backup tasks.
F. Management objectives for account password set-up.
G. Management objectives for information security incidents where the media is reporting a breach in a controlled area within the Bureau.
H. Management objectives for the operation of the Business Continuity Management Plan.
I. Management objectives for unplanned downtime.
3. Stipulation and implementation of the Information Security Management System
The Bureau's Information Security Task Force shall formulate and maintain an Information Security Management System in accordance with the requirements set forth in the policies and objectives, promote and manage the implementation of the system, monitor and evaluate its performance and make improvements.
The Information Security Task Force shall annually review and revise the applicability statement of information security control measures in accordance with ISO 27001 requirements and submit it to the Management Review Meeting for consideration.
1. The Bureau shall set up an Information Security Task Force to facilitate the coordination of relevant matters in the management system.
2. The management level shall actively engage in and support the management system and implement this policy through appropriate standards and procedures.
3. All Bureau staff (including seconded staff), outsourced service providers (including stationed staff) and visitors shall abide by this policy.
4. It is the responsibility of all staff and outsourced vendors working in the Bureau to report on information security incidents or vulnerabilities through an appropriate reporting mechanism.
5. Any persons whose actions compromise information security and the protection of personal information will be held liable under criminal, civil and administrative laws according to the seriousness of the case or punished in accordance with relevant provisions of the Bureau.
V. Enforcement and Revisions
1. This policy is regularly revised by the Bureau's Information Security Task Force or appropriately amended in response to changes in organizational structure, business scope, laws and regulations or the environment. It is reviewed and approved by the Management Review Meeting and shall be ratified and enforced upon approval by the Bureau's Director General, ensuring its suitability, relevance and effectiveness.
2. This policy shall be disseminated through a public announcement process to inform Bureau staff and relevant personnel of the provisions pertaining to information security policy.
Date of Posting: 2009-03-11
Source of Information: Planning Division