1. Definition of Information Security: Information (regardless of form and media), such as information resources, hardware, software, services, documents, personnel, the agency's image and reputation, are the Ministry's assets. The issue of security pertains to the use of proactive or defensive measures to protect and preserve a work environment where the agency's activities are not to be unduly compromised. Therefore, information security seeks to implement a system of appropriate safeguards to limit the loss of information on account of human negligence, intentional security breach, natural disasters, and other forms of security threats. The safeguard system is to be maintained through information security policy as well as the execution of its components, including well-defined security management procedures, clear delegation of responsibilities within the organization, applications of software as well as other related installation items, so that the information assets of the Ministry are properly protected.
2. Objectives of Information Security: The objectives include the maintenance of information's confidentiality (only those who are authorized may access information), integrity (information shall remain accurate and complete, and its management shall be precise and effective to retain the integrity of information), and availability (authorized users shall be able to gain access to information and related information resources as needs arise). The security management procedures shall protect the Ministry's information assets from unlawful access, unauthorized disclosure, modification, damage, and other security threats. The safety of the collection, processing, transmission, storage, and circulation of information is to be duly maintained.
3. The Scope of Information Security: Information security entails the protection of the Ministry-owned IT components, personnel security, and other related information management areas.
4. The Ministry's Information Security Management Procedures include as follows:
‧Set up Information Security Task Force to develop and see to the proper implementation of the Ministry's information security management procedures.
‧Personnel changes such as those in appointment, duty assignment, as well as discharge of employees are to be carefully weighed with respect to information security. Full control over employee records and backup staff management are to be put in place in response to the leave, suspension, transfer, and discharge of personnel. Workshop and training are to be organized and provided to the Ministry's employees to promote awareness and competency in information security.
‧Implement information assets safeguard system to allow effective distribution, use, and management of the Ministry's information resources.
‧Evaluate the anti-disaster and anti-theft devices of the Ministry's buildings. Critical facilities and sensitive work areas are to be further protected.
‧Upgrade regularly anti-virus software, firewall, and other defensive technology to timely block intrusion attempts and hostile attacks from outside sources.
‧Establish information classification. Access to information is to be given to specified users in accordance with their work duties.
‧All Installation, upgrades, or changes of computer operation systems are to be supervised and documented for future reference and archiving.
‧Set up information security emergency management procedures as well as disaster recovery procedures. These procedures are to be tested and reviewed regularly.
‧Establish information security review procedures. The Ministry's mainframe, work areas for administering examination affairs, and all computer systems are to undergo regular as well as unplanned reviews. The review results on file are to be neither deleted nor modified.
‧All procedures are to comply with other relevant procedures of the Ministry and relevant laws and regulations governing information security.