Implementation principles

The implementation principles consist of nine points, namely: the accountability principle, awareness principle, ethics principle, multidisciplinary principle, proportionality principle, integration principle, timeliness principle, assessment principle, and equity principle. See the following for detailed information.

Accountability Principle

Define and determine accountability and responsibility for information security.

Awareness Principle

Relevant personnel shall be aware of the security regulations, standards, conventions and security control mechanisms concerning information and information systems, and should acquire some knowledge of the threats and vulnerabilities related to information security.

Ethics Principle

The use of information and the implementation of information system security shall conform to professional work ethics.

Multidisciplinary Principle

Regulations, standards, conventions and security mechanisms concerning information systems and information security shall cover all related units.

Proportionality Principle

The control and management mechanisms concerning information security shall be proportionate to the risks of information disclosure, falsification, denial of service, and similar threats.

Integration Principle

Regulations, standards, conventions and security mechanisms concerning information security are equally important and shall be integrated with one another. In addition, they shall be integrated with the other policies and operating procedures of the Administration.

Timeliness Principle

Relevant offices shall work together to prevent, or respond to, threats or damage to information systems in a timely manner.

Assessment Principle

Regularly assess risks concerning information and information systems.

Equity Principle

While developing policies and choosing, installing and implementing security mechanisms, personal rights and dignity shall be respected.

Implementation principles include the following items:

I. Education and Awareness

The director shall communicate with relevant personnel so that all staff acquire adequate knowledge of this policy. Training content shall include standards, reference points, operating procedures, guidelines, responsibilities and liabilities, measurement standards for implementation, and the consequences of failures.

II. Accountability

The director shall keep records of all steps of information services to ensure that all staff can take responsibility for their actions. Records shall include information about additions, corrections, copies and deletions, etc. In addition, the responsibilities and liabilities of users at all levels, together with the time and date, shall be attached to important events.

III. Information management

The director shall regularly classify and evaluate information, set sensitivity grades, grade its importance, and position such information accordingly.

IV. Environment management

Equipment shall be fitted to the physical environment in which information and information assets are stored, transmitted and used, so as to prevent internal and external risks.

V. Personnel qualifications

In order to effectively implement the security control mechanisms concerning information assets and related information systems, the director shall establish a set of standards for checking the personal characteristics and technical capabilities of relevant personnel.

VI. System integrity

The director shall ensure that the various systems and application systems needed for the business of the Administration have been established, saved and protected.

VIII. Access control

The director shall establish control and management mechanisms to eliminate the risks to information access and relevant information systems.

IX. Operational Continuity and Contingency Planning

The director shall make plans to ensure that relevant information systems can support the continuous operation of the business of the Administration.

X. Information risk management

The director shall ensure a balance between the information security control mechanisms and the value of the relevant assets and the possible threats and vulnerabilities.

XI. Network and infrastructure security

When network security control mechanisms are being established, the impact of the existing global infrastructure shall be taken into consideration.

XII. Legal, Regulatory, and Contractual Requirements of Information Security

The director shall identify and progressively present the legal, regulatory and contractual requirements concerning information assets.

XIII. Ethical practices

While developing policies and choosing and implementing security mechanisms, the director shall respect personal rights and dignity.