The information systems support internal operations and communication with citizens over the internet. This information security policy is announced to ensure that these systems operate continuously, to maintain the image of the government and to facilitate city services. It also serves as guidance for information security tasks aimed at reducing information security risks.
II. Disclosure of policy
- In order to secure the information systems and build a reliable cyber environment, all users shall follow the regular process to apply for the authorizations they need and shall access confidential and sensitive information only within the scope of that authorization. Information shall be used correctly during handling, transmission and storage, and the information and systems shall not be attacked or altered through carelessness or malicious intent. Intellectual property rights and personal information shall be adequately protected from inappropriate use.
- Personal information is collected and used in accordance with the applicable regulations, for specific purposes and with consent. It is not disclosed to any third party.
- Following the information security management objectives, and in a form that is easy to remember, the information security policy is disclosed in the following two directions:
  - Ensure a safe environment for information system operations and strengthen information security management in order to provide high-quality services.
  - Protect confidential information with complete and accurate measures. Uninterrupted service is the top priority and is maintained as part of the daily routine.
- The spirit and requirements of the information security management system (ISMS) form the foundation of the Government's information security system.
- Protect the Government information systems so as to preserve the confidentiality, integrity and availability of their information and achieve sustainable, normal operations.
- Following the PDCA (Plan, Do, Check, Action) process model, the Government's information security tasks are implemented effectively and continuously in an orderly, rolling manner. An evaluation mechanism for information security objectives is in place to improve and upgrade performance continuously.
This policy applies to all institutes supervised by Taichung City Government.
V. Implementations and requirements of operational procedures
- Support of the senior management team
  Information security management shall be carried out with the support and involvement of the senior management team.
- Priority of policy
  Prioritize the tasks within the scope of implementation, then carry them out step by step.
  Understand thoroughly the importance of the information security management system and take responsibility for it.
- Educational training
  Conduct adequate information security training to strengthen staff's information security concepts and skills.
- Regular review
  Identify information security issues through the audit process and propose solutions to minimize information security risks.
- Immediate improvement
  Once an information security issue occurs, the required strategy shall be studied and developed immediately to improve the mechanism and complete the information security management system.
- Prevention of computer viruses and malware
  - Advanced prevention and protection measures are required to block and detect computer viruses and malicious programs.
  - Establish rules for personal computer use and promote them adequately, so that staff are aware of virus threats and stay alert to any potential information security incident.
- Backup of important information
  - Back up important information correctly and completely, and keep the copies at separate, secure locations in addition to the primary hardware, so that the data remain protected if an unforeseen disaster strikes the primary operational site.
  - Periodically check the backup files of important information to ensure that they are usable and complete.
  - The retention period of important information and the file maintenance requirements shall be proposed and controlled by the information owners.
- Information exchange
  - Exchanges of information or data shall be properly secured to prevent the information from being destroyed, misused or accessed without authorization.
  - The security of physical media shall be ensured during transfer, so that they are not accessed, misused or destroyed without authorization.
- Operational information security
  Attention shall be paid to information security when using office electronic equipment (including copiers and fax machines); any confidential or sensitive document shall be produced under thorough monitoring and kept appropriately.
- Access control, clear desk and clear screen
  - Set authorization rules and inform users of their authorizations and responsibilities.
  - When staff or responsibilities change, the related access authorization modifications shall be completed before the deadline set by the access control rules.
  - Strengthen user education so that passwords are updated regularly.
  - Users shall keep confidential and sensitive media in a secure place when leaving their seats, to prevent access by unauthorized personnel; computer systems shall be protected by a password-controlled screen lock that activates after a set idle period.
  - No portable storage devices or personal laptops are allowed in the server room, to prevent the release of confidential and sensitive information, unless special permission has been granted.
- Use of internet services
  - Authorized internet users may access internet resources only within the scope of their authorization.
  - In accordance with the e-mail policy, confidential and sensitive information shall not be transmitted by e-mail.
- Mobile computing, communications and remote operations
  Without authorization, no mobile computing equipment or remote link may connect to the institute's servers to access the Government information system.