Printing Plant, Ministry of Finance

1 Purpose

1.1 The Printing Plant of the Ministry of Finance (hereinafter referred to as the Plant) has formulated this policy in order to strengthen the management of information security and to ensure the confidentiality, integrity, and usability of the information assets belonging to the Plant and to provide an information environment in which the Plant's information operations can be continuously conducted in compliance with the requirements of relevant laws and regulations, so as to protect the Plant from intentional or accidental threats, whether from internal or external sources.

2 Scope of Application

2.1 All units of the Plant.

3 Definitions

3.1 None.

4 Vision and Objectives

4.1 Information Security Policy Vision:
Be aware of social engineering, and notify of information security incidents.
Implement cyber security, and achieve continuous operations.

4.2 Based on the information security policy vision, the following information security objectives have been formulated:

4.2.1 Organizing information security education and training, supervising all employees in the implementation of cyber security management, strengthening the awareness of information security and related responsibilities, establishing the concept of "cyber security is everyone's responsibility," and urging them to comply with cyber security regulations.

4.2.2 Safeguarding the Plant's business activity information to ensure the confidentiality, integrity, and usability of business data, all information operation related measures against unauthorized access and modification, and from external threats or improper management and risks by internal personnel.

4.2.3 With the goal of complying with information security requirements, choosing appropriate protection measures to reduce risks to an acceptable level, continuously monitoring, reviewing, and auditing the information security management system, strengthening service quality, and upgrading service standards.

4.2.4 Ensuring that the Plant's critical core systems maintain a certain level of system usability, and conducting regular drills on emergency response procedures to ensure the continuous operation of critical business.

4.3 With respect to the above information security objectives, the annual to-do list, required resources, responsible personnel, estimated completion time, and the method and results of evaluation shall be formulated, and the related supervision and measurement procedures shall be in accordance with the "Procedures for Supervision and Measurement Management" of the Plant.

4.4 The Information Security Task Force shall report to the Convener of the Information Security Committee on the effectiveness measurement results of the Information Security Objectives at the Management Review Meeting.

5 Responsibilities

5.1 The management of the Plant has established and reviewed this policy.

5.2 The Information Security Task Force shall implement this policy through relevant standards and procedures.

5.3 All personnel and outsourced vendors are required to follow the relevant security management procedures to comply with the information security policy.

5.4 All personnel are responsible for reporting information security incidents and any identified vulnerabilities.

5.5 Any behavior that jeopardizes information security shall be investigated for civil, criminal, and administrative liabilities depending on the severity of the case or punished in accordance with the relevant regulations of this Plant.

6 Audit

6.1 This policy shall be reviewed at least once a year to reflect the latest development of governmental laws and regulations, technology, and business, in order to ensure the Plant's continuous operation and capability of information security practices.

7 Implementation

7.1 When any agency or unit obtains the Plant's sensitive information or personal data due to business needs, it shall be responsible for the confidentiality of the data and its proper use, and shall comply with relevant national laws and regulations as well as the Plant's information security requirements in order to safeguard the rights and interests of the Plant's interested parties.

7.2 In the event of data leakage or information security incident caused by negligence of the agency or unit, it shall be held legally responsible for the related legal responsibilities.

7.3 The information security policy shall be reviewed by the Management Review Meeting.

7.4 This policy shall be reviewed by the Information Security Committee and approved by the Convener before implementation. The same shall apply to any amendments to this policy.