1. This policy is set in accordance with the “Main points of information security management for the Executive Yuan and its subsidiary bodies”, the “Information security management standards for the Executive Yuan and its subsidiary bodies” and the “Information Security Policy of the Construction and Planning Agency, Ministry of the Interior”, and takes into account the actual work requirements of Taroko National Park (Taroko N. P. below).
2. This policy is set to strengthen Taroko National Park’s information security management; to ensure the confidentiality, integrity and availability of information, the reliability of information equipment (computer hardware, software and peripherals) and network systems, and the information security awareness of staff; and to prevent the aforementioned resources from being interfered with, damaged, intruded upon or subjected to any harmful behavior or attempted harmful behavior.
3. For the overall coordination, planning, checking and promotion of information security management, a cross-unit information security group (the group below) will be established. Support work for this group will be the responsibility of the Planning Section. The group’s members will be dispatched from the various units of Taroko N. P., and the group will be established after approval from the park Superintendent.
4. According to the following division of labor principles, related units and personnel have the following work responsibilities:
- Discussion, establishment and assessment etc. of information security policy, plans and technology standards will be handled by the Planning Section.
- Discussion, management and protection of data and information system security requirements shall be handled by Taroko National Park’s various units.
- Maintenance of information confidentiality and security checking etc. shall be handled by Taroko National Park’s Personnel Section (concurrently the Ethics Section) together with other related units.
5. The scope of the policy is as follows. Related units and personnel should set related management standards or implementation plans for the following items and regularly check implementation results:
- Personnel management and information security education and training
- Computer system security management
- Network security management
- System saving and retrieval control
- System development and maintenance security management
- Information asset security management
- Real object and environment security management
- Sustainable business plan planning and management
6. Personnel management and information security education and training
- For information-related positions and work, security assessment should be carried out. Careful assessment of the suitability of personnel should be carried out when recruiting personnel and allocating work and tasks, with the necessary checking also carried out. Managers of the various units are responsible for supervising the information work security of their subordinates and for preventing illegal or inappropriate behavior.
- According to the requirements of the management, operational and information work categories, information security education and training will be carried out regularly to boost staff information security awareness and raise the level of information security.
7. Computer system security management
- When the handling of information-related work is contracted out, information security requirements should first be discussed and the supplier’s information security responsibilities and confidentiality regulations set. These should be set out in an agreement signed by the supplier, which the supplier must respect. Compliance should also be checked regularly.
- Software should be copied and used in accordance with related laws or agreements, and a software use management system established.
- Necessary prevention and protection measures should be adopted to detect and protect against viruses and other destructive software, to ensure normal operation of the system.
- A control system for system change work should be established, and records kept for future checking.
- When purchasing information hardware and software, information security requirements should be discussed in accordance with national standards or the government information security standards set by the responsible managing bodies, and included in the purchase specifications.
8. Network security management
- Information systems that can be opened to external access should, in accordance with the importance and value of the data and systems, adopt technology or measures of different security levels, including data encryption, identity checking, electronic signatures, firewalls and vulnerability detection, to prevent data and systems from being accessed, damaged, altered, deleted, saved or retrieved without permission.
- Websites with links to external websites should use firewalls and other necessary security measures to control data transmission and resource saving and retrieval between the website and external links.
- Information announced and transmitted on the Internet and the WWW should be subject to data security level assessment. Confidential, sensitive or unauthorized personal information and documents should not be posted on-line.
- Rules for e-mail use should be set. Confidential data and documents should not be sent by e-mail or other electronic methods.
- To prevent network users from breaching the Taroko N. P. network security regulations, network management personnel may consider using related network technology to block use of the Taroko N. P. network that breaches the use rules, without interfering with the normal operation of the network.
9. System saving and retrieval control
- A system saving and retrieval policy and authorization rules should be set, and employees and users informed of their related access rights and responsibilities in written form, by e-mail or by other means.
- Departing employees (including retiring personnel) should immediately have all access rights to the various information resources terminated when they leave their position, and this should be included in the formalities to be completed by departing employees (retiring personnel). When personnel change jobs or are reassigned, access rights should be adjusted within a limited time, in accordance with the system saving and retrieval regulations.
- A system user registration management system should be established and user password management strengthened. User passwords should be changed at least once every six months.
- When system vendors carry out system maintenance remotely by Telnet, security control should be strengthened, a name list established and the related confidentiality responsibilities set down.
- An information security checking system should be established, information security checking work carried out at regular or irregular intervals, and a name list established.
10. System development and maintenance security management
- Self-developed systems and systems developed externally should take information security requirements into consideration in the early stages of the system lifecycle. System maintenance, upgrading, going on-line and version changes should be subject to security control, and inappropriate software, trapdoors and viruses should be prevented from damaging system security.
- For vendor personnel who install and maintain hardware and software systems, the scope of the systems and data they may come into contact with should be stipulated, and the issuing of long-term system IDs or passwords prohibited. If, for actual work needs, short-term or temporary system IDs and passwords are given to vendor staff, the related access rights should be terminated as soon as they are no longer needed.
- When a vendor is commissioned to install or maintain important hardware or software, this should be carried out under the supervision of personnel from the Taroko N. P. section or office involved.
11. Information asset security management
- An information asset catalogue for information system-related assets should be established, setting out the information asset items, their custodians and their security levels.
- In accordance with the national secrets protection law, the computer-processed personal data protection law and the government information openness law, classification standards for security levels and the corresponding protection measures should be established.
- Data output from information or systems that already has a security level should display a suitable level marking for users to follow.
12. Real object and environment security management
Real object and environmental security management measures should be set in relation to equipment installation, the surrounding environment and control of personnel access.
13. Sustainable business plan planning and maintenance
- A sustainable business plan should be set that assesses the impact of various human and natural disasters on work, sets emergency response and recovery processes and the related personal work responsibilities, holds regular drills and upgrades the plan regularly.
- An information security incident emergency response mechanism should be established. When an incident takes place, according to the handling process in the regulations, a report should be made immediately to the information unit or personnel and a response made, with the police also contacted to assist with investigations.
- According to related laws, data security levels should be set and, in accordance with the different security levels, suitable and sufficient security measures adopted.
14. This policy should be revised at least once a year to reflect the latest government laws, technology and work situation, to ensure the effectiveness of information security work.
15. This information security policy will be implemented after approval from the Superintendent. The same applies to revisions.
