National Youth Commission (Executive Yuan) Notice of Information Security Policy
19th May 2004
Official letter no. 9350004800
This information security policy has been especially drawn up in order to guarantee the security of the National Youth Commission’s intellectual property, minimize the number and impact of security incidents, and provide a high-quality environment for work and information for all colleagues, all of whom are respectfully asked to abide by it.
Objectives:
- To guarantee that the National Youth Commission's intellectual property will remain unaffected by internal, external, premeditated or accidental threats, and to ensure the unhindered operation of the Commission's business.
- To preserve the confidentiality, integrity and usability of information.
- To promote Commission staff's understanding of information security policy and related regulations, and the role that they themselves must play in information security.
Parties to whom the policy applies.
- Members, staff, students and contractors of the Commission.
Main types of information security incident.
- Suspension of water or electricity supply in the building.
- Computer virus.
- Attack by computer hacker.
Announcement, handling and prevention of information security incidents
- Announcement:
- When an information security incident occurs, each section office must immediately apprise the Commission's computer center of the facts and request support, and complete internal announcement procedures; a written announcement is to be provided later by means of the computer repair handling form.
- The Commission's computer center must immediately inform its head official of such matters as the facts of the incident, the possible extent of its impact, estimated losses, the determined level of support to be applied for, and emergency measures taken, complete a Security Incident Announcement form, and, by Internet, mobile telephone, fax or e-mail, inform the National Information and Security Center and its various departments which have been brought together as the Research, Development and Evaluation Commission (Executive Yuan).
- Handling:
- Review related security measures. When plugging a deficiency, isolate the compromised channel and quickly switch on systems or procedures prepared for manual operation, seeking support from the technical services center and the building operator.
- Keep incursion records, including such information as statistical analyses of the hacking, loss estimates and so on, and report them to the official in charge and to the Information and Communication Security Taskforce Technical Service Center (資通安全會報技術服務中心), to provide for reference on prevention and forewarning, and seek out the system's loopholes and methods for bolstering protection, to avoid a repeat of the incident.
- Prevention:
- Strengthen assignments in which data is prepared manually.
- Install an uninterruptible power supply (UPS).
- Install anti-virus software.
- Install an intrusion detection system.
Supervision and managerial testing.
- Establish a task force to set information security into action, whose main work items will be:
- Security prevention assignments: Collect information and communications security information, cultivate information and communications security techniques, agree on the system's security grade, establish information and communications security measures, and conduct information and communications security monitoring.
- Crisis management assignments: Draw up a crisis management procedure, establish the reasons for the security incident, confirm the extent of the impact and conduct an estimation of losses, implement urgent emergency measures, conduct the announcement of the security incident, implement a solution.
- Inspection assignments: Check whether the above-stated work is practicable.
- The information security policy is established and periodically audited by the task force for setting information security in motion, to ensure that it complies with the law and the needs of the operation of the Commission's business.
- All staff and contractors must protect the information security policy in accordance with appropriate procedures. Any premeditated action to endanger information security will incur punishment.
- All staff have a responsibility to report information security incidents.
Related information security management assignment models
- Central Bureau of Standards and Metrology, models CNS17799, CNS17800.
- Essentials of management of information security from all departments of the Executive Yuan.
- Models of management of information security from all departments of the Executive Yuan.
- Data protection laws concerning computers handling personal information.