Chapter I Objectives
The Regulations are hereby established to ensure the confidentiality, integrity and availability of the information and ICT (information, communication and technology) systems of the Printing Plant, Ministry of Finance (hereinafter referred to as the "Plant"), and to meet the requirements of relevant laws and regulations. This not only protects the Plant from internal and external threats, whether deliberate or accidental, but also protects the rights and interests of our employees.
Chapter II Scope Of Applications
Information security management consists of 14 fields of activity, enabling the Plant to prevent the misuse, leakage, tampering and damage of information caused by human error, deliberate acts or natural disaster. The fields of control that help to protect the Plant from all types of potential risks and damage are as follows:
- A5. Security policy.
- A6. Information security organization.
- A7. Human resources security.
- A8. Assets management.
- A9. Access control.
- A10. Cryptography.
- A11. Physical and environment security.
- A12. Operational security.
- A13. Communication security.
- A14. Information system acquisition, development and maintenance.
- A15. Supplier relationships.
- A16. Information security incident management.
- A17. The information security aspect of Business Continuity Management (BCM).
- A18. Compliance.
Chapter III Policy
Be alert to social engineering, report information security incidents, implement information security measures, and achieve business continuity.
The following information security policies are formulated to implement this security policy of the information security management system:
- Set the framework of ICT security objectives to establish the principles for promoting the Plant's ICT security measures.
- Take operational, legal or regulatory requirements and contractual security obligations into consideration.
- Align with the organization's overall strategic risk management, and establish and maintain the information security system within it.
- Establish risk assessment standards.
- The ICT security policy shall be approved by management and then announced and communicated to employees and relevant external parties.
- Regularly back up and test information and software of important information and ICT systems (A12.3.1).
- Protect information exchanged over all types of communication facilities (A13.2.1).
- Protect information passing through the Plant's business information systems (A14.1.3).
- Establish, document and examine access controls based on the operational and security requirements of access (A9.1.1).
- Clear desks of paper documents and removable media, clear screens, and control portable media (A11.2.9).
- Ensure that computer connections and information do not violate the access controls of the Plant's application systems (A9.1.2).
- Adopt appropriate security measures to prevent risks derived from the use of mobile equipment and communication facilities (A6.2.1).
- Use cryptographic controls to ensure ICT security (A10.1.1).
- Ensure suppliers’ ICT security requirements have been met (A15.1.1).
- The confidentiality and integrity of confidential and sensitive information must be protected. Unauthorized access and tampering must be avoided.
- Do not open e-mails of unknown or unidentified senders.
- The resilience of core ICT systems must be reinforced to ensure the continuity of the organization's operations.
- To enhance our employees' awareness of ICT security, hold ICT security training to respond to ICT security threats and related changes. All employees of the Plant shall actually participate in the training.
- It is prohibited for one ICT system account to be shared by multiple people.
- The above policy must be reviewed by management regularly, at least once each year.
Chapter IV Goals
Maintain the confidentiality, integrity and availability of the Plant's information and ICT systems, and protect the privacy of user data. The following goals can be reached with the efforts of all of our staff:
- Protect information related to the Plant’s business activities; and avoid unauthorized access thereto.
- Protect information related to the Plant’s business activities; avoid unauthorized amendments thereto; and ensure the accuracy and integrity thereof.
- Establish an operational plan for information business continuity to ensure the continuous operation of the Plant's business activities.
- The implementation of the Plant’s business activities shall comply with relevant legal and regulatory requirements.
Chapter V Responsibilities
- The Plant's management establishes and reviews this policy.
- The ICT manager shall implement this policy through appropriate standards and procedures.
- All personnel and contracted suppliers shall follow the procedures that maintain the ICT security policy.
- All personnel have the responsibility to report security incidents and any identified weaknesses.
- Any intentional violation of the ICT security policy will be dealt with in accordance with relevant regulations or by legal action.
Chapter VI Implementation
This policy shall be evaluated at least once each year to respond to the latest developments in government regulations, technology and business activities, and to ensure the Plant's capability to maintain operations and offer appropriate services.
Chapter VII Examination
- The ICT security policy shall be examined at the management review meeting.
- Upon approval by the Plant director, the policy will be implemented on the date of promulgation, and will be notified in writing, by e-mail or by other methods to the Plant's employees and to the agencies, organizations and suppliers connected to the Plant's operations. The same shall apply to any amendment thereto.