Information Security Policies
I. Policy Purposes:
Given that information security is the foundation for maintaining the safe operation of various services, these policies are hereby established to demonstrate our company’s determination and commitment to providing safe and worry-free services. They also serve as the guiding principle for our company’s information security work, so as to protect the security of our information room equipment, networks, and core information communication systems, and to prevent improper use, leakage, tampering, damage, loss, and other incidents involving assets that may affect our company’s operations or harm the rights and interests of employees in the event of human negligence, intentional damage, or natural disasters.
II. Policy Objectives:
Our company’s information security objectives are to establish an information security management system (hereinafter referred to as the ISMS) that meets the requirements of international standards; to ensure that the various services meet the requirements of confidentiality, integrity, availability, and compliance; and to define and measure quantitative indicators of information security performance according to the various levels and functions, so as to confirm the implementation status of the ISMS and whether the information security objectives have been achieved.
III. Organization and Responsibilities
To ensure the effective operation of the ISMS, the information security organization and responsibilities shall be clearly identified to promote and maintain the implementation of various management, execution, and auditing work.
IV. Applicable Scope
The ISMS examines internal and external issues, the needs and expectations of the parties concerned, as well as the interfaces and interdependence between our company’s activities and those of other organizations. It applies to all areas covered by our company’s ISMS.
The ISMS includes the contents shown below. Relevant units and personnel shall establish corresponding management specifications or implementation plans for the following matters, implement them, and regularly evaluate the implementation results against them:
1. Information security organization and management review
2. Risk management
3. File and record management
4. Internal audit of information security
5. Human resources security management
6. Asset management
7. Access control management
8. Physical and environmental safety management
9. Operational security and cryptography technology management
10. Communication security management
11. System acquisition, development, and maintenance management
12. Supplier relationship management
13. Information security accident management
14. Operation continuity management
15. Compliance management
V. Implementation Principle:
The implementation of the ISMS shall be based on the “plan, do, check, and act” process model with a recurrent and progressive spirit, to ensure the effectiveness and continuity of information business operations.
VI. Review and Evaluation:
1. The policies shall be evaluated and reviewed at least once a year to reflect the latest developments in relevant laws and regulations, technologies, business, and relevant departments, to ensure the effectiveness of information security practices and operations.
2. The policies shall be revised based on the review results, and shall only come into effect after being signed and released by the person-in-charge of our company.
3. After the policies are established or amended, they shall be communicated to the stakeholders, such as employees, contracted customers, suppliers, and partners, in writing, by email, through the document management system, or by other means.