This policy is set in accordance with the “Main points of information security management
for the Executive Yuan and its subsidiary bodies”, “Information security management
standards for the Executive Yuan and its subsidiary bodies” and the “ Information
Security Policy of the Construction and Planning Agency, Ministry of the Interior”
and takes into account the actual work requirements of Taroko National Park (Taroko
N. P. below)
This policy is set to strengthen Taroko National Park’s information security management,
ensure information confidentiality, completeness and usability, information equipment
(computer hardware, software and peripherals) and network system reliability and
the information security awareness of staff, and to prevent the aforementioned resources
being interfered with, damaged, invaded or subject to any negative behavior or attempted
For the overall management coordination, planning, checking and promotion of information
security management a cross-unit information group will be established (group below).
The support work for this group will be the responsibility of the Planning Section.
The group’s members will be dispatched from the various units of Taroko N. P. and
the group will be established after approval from the park Superintendent.
According to the following division of labor principles, related units and personnel
have the following work responsibilities
- Discussion, establishment and assessment etc of information security policy, plans
and technology standards will be handled by the Planning Section.
- Data and information system security requirement discussion, management and protection
shall be handled by Taroko National Park’s various units.
- Information confidentiality maintenance and security checking etc shall be handled
by Taroko National Park’s Personnel Section (concurrently Ethical Section) together
with other related units.
The scope of the policy is as follows: Related units and personnel should set related
management standards or implementation plans for the following items and regularly
check implementation results.
- Personnel management and information security education and training
- Computer system security management
- Network security management
- System saving and retrieval control
- System development and maintenance security management
- Information asset
- Real object and environment security management
- Sustainable business plan
planning and management
Personnel management and information security education and training
- For information related positions and work security assessment
should be carried out. Careful assessment of the suitability of personnel carried
out when recruiting personnel and allocating work and tasks, with the necessary
checking also carried out. Managers of various units are responsible for the supervision
of the information work security of their subordinates and for preventing illegal
or inappropriate behavior.
- With regards to the requirements of management, work and
information etc work categories, information security and training and education
will be regularly carried out to boost staff information security awareness and
raise the level of information security.
Computer system security management
- When handling of information-related work is contracted out
information security requirements should first be discussed and supplying company
information security responsibility and confidentiality regulations set. These should
be set out in agreement signed by the supplier that it should respect. Checking
should also be carried out regularly.
- According to related laws or agreements, copying and using
software and establishing a software use management system.
- Adoption of necessary prevention and protection measures,
detecting and protecting against viruses and other destructive software to ensure
normal operation of the system.
- Establishing a control system for system change work and
keeping records for future checking.
- Purchasing information hard and software should, in accordance
with national standards or government information security standards set by responsible
managing bodies, discuss information security requirements and include these in
Network security management
- Information systems that can be open to external access should,
in accordance with the importance and value of the data and systems, adopt different
security level technology or measures, including data encryption, ID checking, electronic
signature, firewalls and security gap detection, to prevent data and systems being
accessed, damaged, altered, deleted or saved or retrieved without permission.
- Websites with links to external websites should use firewalls
and other necessary security measures to control data transmission and resource
saving and retrieval between the website and external links
- Information announced and transmitted on the Internet and
the WWW should be subject to data security level assessment. Confidential, sensitive
or unauthorized personal information and documents should not be posted on-line.
- Setting of e-mail use rules. Confidential data and documents
should not be sent by e-mail or other electronic method.
- To avoid network users breaching the Taroko N. P. network
security regulations, network management personnel can consider using related network
technology to, without interfering with the normal operation of the network, block
use of the Taroko N. P. network that breaches use rules.
System saving and retrieval control
- Set system saving and retrieval policy and authorization
rules, also informing employees and users of related powers and responsibilities
in written form, by email or other form.
- Departing (including retired people) employees should immediately
have all powers relating to various information resources terminated when they leave
their position and this should be included in the formalities to be competed by
departing employees (retiring personnel). When personnel jobs change or are adjusted,
powers should be adjusted in a limited time, in accordance with system saving and
- Establishing of a system user registration management system
and user password management strengthening. User passwords should be changed at
least once every six months.
- When system server companies carry out system maintenance
by Telnet, security control should be strengthened, a name list established and
related confidentiality responsibility set down.
- Establishment of an information security checking system,
regularly or irregularly carrying out information security checking work and establishment
of a name list.
System development and maintenance security management
- Self-developed or systems developed externally should in
the early stage of the system lifecycle take information security requirements into
consideration. System maintenance, upgrading, on-line operation or version change
work should be subject to security control and inappropriate software, trapdoors
and viruses prevented from damaging system security.
- For company hardware and software system installation and
maintenance personnel, the scope of the systems and data they can come into contact
with should be stipulated and issuing of long term system ID or passwords prohibited.
If, for actual work needs, short-term or temporary system ID and passwords are given
to company staff, the related use powers should be terminated as soon as they are
no longer needed.
- When a company is commissioned to install or maintain important
hardware or software this should be carried out under the supervision of personnel
from the Taroko N. P. section or office involved.
Information asset security management
- Establishing an information system-related information asset
catalogue, setting the information asset items, who has them and security level.
- In accordance with national secret protection, computer personal
details protection and the government’s information openness laws, classification
standards for security level and corresponding protection measure should be established.
- Data output from information or systems that already has
a security level should display a suitable level for users to follow.
Real object and environment security management Real object and environmental security
management measures should be set in relation to equipment installation, peripheral
environment and control of personnel access.
Sustainable Business Plan Planning and Maintenance
- Set a sustainable business plan, assess the impact of various
human and natural disasters on work, set emergency response and recovery processes
and related personal work responsibilities, hold regular drills and upgrade plans
- Establish an information security incident emergency response
mechanism. When an incident takes place, according to the handling process in the
regulations, a report should be made immediately to the information unit or personnel
and a response made, with the police also contacted to assist with investigations.
- According to related laws, set data security levels and,
in accordance with different security levels, adopting suitable and sufficient security
This policy should be revised at least once a year to reflect the latest government
law and technology and work situation, to ensure the efficiency of information security
This information security policy will be implemented after approval from the superintendent.
The same applies to revisions.