Information Security Policy
I. Information Security Policy
In order to successfully operate the business of National Tsing Hua University (NTHU), to protect the information system or information and communications systems from unauthorized access, use, control, leakage, breakage, tampering, destruction or other infringement, and to ensure the Confidentiality, Integrity and Availability of the information system or information and communications systems, NTHU hereby sets forth the policy below for all colleagues to follow:
- Establish an information security risk management mechanism to regularly review the effectiveness of information security risk management in response to the internal and external changes in the information security situation.
- Safeguard the confidential and sensitive information and the confidentiality and integrity of the information system or information and communications systems from unauthorized access and tampering.
- Strengthen the resilience of the core information and communications system in order to ensure the continuous operation of the agency's businesses.
- Organize educational training on information security to prepare for the changing situations of information security and to raise information security awareness among NTHU’s personnel. NTHU's personnel should participate in the training.
- Reward personnel who have made contributions to information security work.
II. Goals
To evaluate the achievement of information security management goals, NTHU hereby sets forth the following information security management indicators:
- Quantitative Indicators
  - To ensure that the maintenance and operation services of NTHU Computer and Communication Center's computer room are available 98% or more of the working hours (or statutory working days) throughout the year.
  - To ensure that the service availability rate of each core business system reaches 98% of the working hours (or statutory working days) throughout the year.
  - The total number of core business systems' cyber security incidents resulting from human or operational negligence and unauthorized access shall not exceed four per year.
  - To ensure that NTHU's information security measures and rules comply with the requirements under existing laws and regulations; an internal audit shall be conducted at least once every two years.
  - The confidentiality and integrity of NTHU's information assets shall be properly protected, and an information asset inventory and a risk assessment shall be conducted at least once a year.
  - To ensure the continuous operation of NTHU's information business services, business continuity plan drills shall be performed on all core information and communications systems once every two years.
- Qualitative Indicators
  - To ensure effective information security, NTHU's cyber security maintenance plan shall be regularly reviewed. Proper training on information security shall be provided, according to the duties and responsibilities of the employees, in order to comply with the requirements set forth by the competent authority.
  - Strengthen the environmental security of NTHU's information computer room and facilities, and adopt proper protection and access authorization mechanisms.
  - Strengthen access control in order to prevent unauthorized access and to ensure that NTHU's information assets are under proper protection.
  - Ensure that no information is disclosed to any unauthorized third party during transfer or through accidental actions.
  - Ensure that all information security incidents and suspected security weaknesses are reported upward via proper notification mechanisms, and are properly investigated and handled.
III. Approval Procedures for the Information Security Policy and Goals
The Information Security Policy and Goals are approved by the Information Security Officer of NTHU. The head of each unit shall be responsible for monitoring and maintaining compliance with the Information Security Policy and relevant guidelines.
IV. Promotion of the Cyber Security Policy and Goals
- NTHU's Information Security Policy and goals shall be made known annually to all personnel of NTHU through education and training, internal meetings, announcements and similar channels. The performance of the aforesaid work shall be reviewed.
- NTHU shall annually disseminate the Information Security Policy and goals to interested parties (e.g., IT service providers and units in charge of agency connection works). The performance of the aforesaid work shall be reviewed.
V. Regular Review Procedures for the Information Security Policy and Goals
- To ensure the continuous operation of NTHU's information system, the Information Security Policy shall be updated at least once a year to reflect the latest developments in governmental regulations, technologies and businesses.
- The adequacy of the Information Security Policy shall be periodically reviewed at the review meetings of the information security and personal data protection management.