Security Policy of the Freeway Bureau
I. Purpose of this Document
This document sets out the information security policy, as well as its objectives and requirements for the Information Security Management System of the Freeway Bureau (the "Bureau"). Serving as the operating guidelines, this document is in place to ensure the implementation of the comprehensive management and the compliance with the needs of the Bureau, Cyber Security Management Act and the requirements set forth by international standards related to information security.
II. Scope
This policy applies to all staff (including seconded staff), outsourcers (including stationed personnel) and visitors.
III. Policy and Objectives
1. Information security policy requirements
The Bureau's information security policies at various levels, including the high-level management policy and the operational-level policies, are as follows:
(1) High-level management policy
The Bureau shall set up an inter-departmental Information Security Task Force, where high-level executives convene regular Management Review Meetings to examine our information security policy.
The convener of the Information Security Task Force shall ensure that the information security policy and objectives are established and are compatible with the strategic direction of the Bureau.
The Bureau's high-level management policy for information security is:
"To enhance the quality of information services, protect personal privacy, and to ensure the confidentiality, integrity and availability of the information assets."
(2) Operational-level policy
A. Mobile Device Management Policy
A policy should be adopted to manage the use of mobile devices and media, to prevent unauthorised or unsecured mobile devices and media from connecting to the Bureau's information assets and compromising the availability, confidentiality and integrity of its systems.
B. Teleworking Work Management Policy
Security requirements should be adopted to manage the teleworking environment, connections and computers, so that the Bureau's employees and third parties comply with the Bureau's ISMS requirements while accessing the Bureau's information assets to complete assigned work in a teleworking environment.
C. Access Control and Login Control Policy
Access control requirements should be adopted to manage the Bureau's information assets, including user accounts, passwords and access rights, to prevent unauthorized access and to ensure the confidentiality, integrity and availability of information assets.
D. Cryptographic Management Policy
A cryptographic management policy should be adopted to ensure the proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
E. Clear Desk and Clear Screen Policy
A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted according to the classification of the information assets and applicable regulatory and contractual requirements.
F. Backup Policy
A backup policy should be established to define the backup cycle and method according to the availability requirements of each information system, in order to ensure the integrity and availability of the backed-up information.
G. Information Transmission Management Policy
Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities.
H. Application Development and Maintenance Policy
System development policy for each stage of the system development life cycle shall be established, to manage and meet the requirements of the ISMS in order to ensure that the system development complies with the information security provisions of the Bureau.
I. Record Keeping Policy
A policy for managing the Bureau's ISMS implementation records shall be established. ISMS document revisions and implementation records shall be properly kept and destroyed. Relevant documentation or system records should be obtained only with authorization when required.
J. Business Continuity Management Policy
A Business Continuity Management (BCM) plan shall be in place for the actual needs of information-related matters. The plan shall include at least information security emergency response measures, incident reporting procedures and regular drills, so as to facilitate preparedness in case of disasters for important systems and operations to continue functioning and to ensure the availability of information in times of need.
2. Information Security Management Objectives
The objectives of the Bureau's information security management are as follows: "To ensure the confidentiality, integrity and availability of information assets and to prevent risk factors, such as personal negligence, deliberate acts or natural disasters, in order to steer clear of unlawful usage, leaking, tampering and destruction of such information assets and provide continuous, safe and smooth system services in compliance with statutory regulations, standards and contractual requirements."
To achieve the Bureau's objectives on information security management, the requirements of the ISO 27001 international standards and relevant regulations and directions promulgated by ROC government agencies are referenced to establish the Bureau's Information Security Management System. Appropriate protective measures are taken in respect of important information assets within the scope of our Information Security Management System to maintain the confidentiality, integrity and availability of the information assets, enabling smooth and safe execution of all operations to provide quality services to travelers.
For the pragmatic implementation of the Information Security Management System to meet the operational needs, the Bureau's information security management objectives, as required by implementation needs, are divided into two main parts: operational procedure objective and information security management operating objective.
(1) Operational procedure objectives
The objectives for each operational process describe and define the operation flow and the basic requirements for implementing the Information Security Management System.
(2) Information security management operating objectives
The Information Security Task Force shall evaluate and suggest the objectives of the Bureau's information security management every year and submit them to the Management Review Meeting for consideration. The objectives shall include the following:
A. Objectives for business (information) service availability.
B. Management objectives for controlling operations (information) services and incidents where information is improperly disclosed.
C. Management objectives for incidents where information is tampered with or is exposed to unauthorized access.
D. Control objectives for monthly access to the data center.
E. Management objectives for monthly backup tasks.
F. Management objectives for account password set-up.
G. Management objectives for information security incidents where the media is reporting a breach in a controlled area within the Bureau.
H. Management objectives for the operation of the Business Continuity Management Plan.
I. Management objectives for unplanned downtime.
3. Stipulation and implementation of the Information Security Management System
The Bureau's Information Security Task Force shall formulate and maintain an Information Security Management System in accordance with the requirements set forth in the policies and objectives, promote and manage the implementation of the system, monitor and evaluate its performance and make improvements.
The Information Security Task Force shall annually review and revise the applicability statement of information security control measures in accordance with ISO 27001 requirements and submit it to the Management Review Meeting for consideration.
1. The Bureau shall set up an Information Security Task Force to facilitate the coordination of relevant matters in the management system.
2. The management level shall actively engage in and support the management system and implement this policy through appropriate standards and procedures.
3. All Bureau staff (including seconded staff), outsourcers (including stationed staff) and visitors shall abide by this policy.
4. It is the responsibility of all staff and outsourced vendors working in the Bureau to report on information security incidents or vulnerabilities through an appropriate reporting mechanism.
5. Any persons whose actions compromise information security and the protection of personal information will be held liable under criminal, civil and administrative laws according to the seriousness of the case or punished in accordance with relevant provisions of the Bureau.
V. Enforcement and Revisions
1. This policy is regularly revised by the Bureau's Information Security Task Force or appropriately amended in response to changes in organizational structure, business scope, laws and regulations or the environment. It is reviewed and approved by the Management Review Meeting and shall be ratified and enforced upon approval by the Bureau's Director General, ensuring its suitability, relevance and effectiveness.
2. This policy shall be disseminated through a public announcement process to inform Bureau staff and relevant personnel of the provisions pertaining to information security policy.
Date of Posting: 2018-02-12
Source of Information: Information Management Office