Information technology plays a vital role in the business systems of Taiwan Railway Administration (hereinafter referred to as the Administration), such as the office automation system, the business information system, and the personnel and salary system. Information resources form an important part of the assets of the Administration and therefore shall be protected properly.
To ensure normal operation of all businesses of the Administration, non-stop operation of all information systems is necessary. Because of the wide use of the Internet, information systems of the Administration must be connected with outside information systems. As a result, new management issues, challenges and responsibilities appear. Potential risks exist in the processing of information by information systems of the Administration and in information generated by office software packages. Therefore, we shall tighten management measures in order to avoid adverse influences on businesses of the Administration caused by human or external factors. The establishment and execution of the information security mechanism of the Administration is therefore an urgent task.
Information security refers to the continuous use of various kinds of information. In establishing the information security and control system, priority shall be given to the protection of information and information systems. The establishment of an effective information security and control mechanism needs support from the higher level of the Administration and all colleagues, as well as the preparation of, and adherence to, all operation specifications. Information security policies include the following important items:
I. Establish ways to develop, maintain, and operate our information security management system;
II. Decide on the objectives of information security;
III. Establish organizations responsible for information security and determine their responsibilities;
IV. Decide on the principles for executing information security measures.
We shall provide information security training to related personnel so that they acquire a complete knowledge of the confidentiality, integrity and availability of information assets, and of protection measures, with the aim of ensuring the implementation of the policy. This policy includes: purposes, objectives, statements, application scope, organizations and responsibilities, implementation modes and principles, etc.