1. Purpose
The Department of Taxation, Taoyuan (the “Department”) hereby formulates this information security policy (the “Policy”) to establish the principle that “information security is everyone’s responsibility” and to safeguard information operations. An information security management system has also been established to maintain the confidentiality, integrity and availability of information by reducing the risks that human or natural disasters may pose to information assets.
2. Basis
Personal Information Protection Act
ISO/IEC 27001:2013 (Information technology — Security techniques — Information security management systems — Requirements)
ISO/IEC 27002:2013 (Information technology — Security techniques — Code of practice for information security management)
Main Points of Information Security Management for the Executive Yuan and Its Affiliates
Information Security Management Guidelines for the Executive Yuan and Its Affiliates
Code of Practice for Information Security Management of the Ministry of Finance and its Affiliates
3. Vision, objectives and scope of information security
- Vision:
Increasingly innovative information technology (IT) requires departments of taxation to keep the way they carry out their work up to date. In addition to enhancing online services that transcend the limitations of time and space by fully applying IT to perform the functions of an e-government, we also need a system that is carefully planned beforehand and closely audited afterwards, so that our service personnel can work smoothly and taxpayers can receive revenue information in an integrated, convenient and secure information environment.
Our vision regarding information security is therefore as follows: ensure that information is handled correctly and kept intact, that the personnel handling it are loyal, that the software and hardware are reliable, and that these information assets are protected from interference, damage, intrusion, and malicious acts and attempts.
- Objectives:
Advantages: improve work efficiency by enriching taxation data.
Risk control: enhance risk control by maintaining strict discipline.
Confidentiality: avoid improper use by keeping data confidential.
Operation: reduce security accidents by focusing on sustainable operation.
Implementation: plan carefully beforehand and audit closely afterwards.
- Scope:
This Policy applies to all the services of the Department, including the relevant information assets of all of our employees and providers of outsourced services.
4. Information security management principles and the provisions employees shall observe
- Management principles:
Establish a secure and reliable environment for taxation data informationization to ensure the security of information assets.
Clarify the roles of relevant personnel in information security operations, which will serve as the basis for dividing responsibilities and powers among units.
Enhance the promotion of the information security policy and relevant provisions on information security operations to effectively improve the awareness of our employees regarding information security.
Enhance the security and quality of the computer network system to ensure that data are correctly and efficiently transferred on the network.
Specify the permissions to use system and network services at various levels, establish a security control mechanism, and prevent unauthorized access to the system.
Strengthen the development of application systems by effectively preventing risks to system security caused by malware and computer viruses.
Establish safeguarding measures to prevent information facilities from being misused or damaged and being used for purposes other than those specified or that are beyond the permitted scope.
Ensure that the information service operates smoothly, avoid risks from human or accidental factors, and enhance protection against such acts as malicious attacks or transfers.
Establish a backup and emergency response mechanism to carry out the sustainable operation of our services.
Establish an information audit system, enhance the control of information services, and effectively apply resources, including computers.
- Service personnel should observe the following precautions:
The information security policy of the Department shall be communicated to all of our employees so that they can properly implement it.
To ensure a secure information environment, relevant units performing services through networks connected to the Department shall comply with the rules formulated by us, including those regarding the obligation to maintain information security and confidentiality.
All of our employees and the vendors providing information services to us shall sign confidentiality agreements and comply with the provisions regarding information security; anyone who breaches the aforementioned rules will be dealt with accordingly.
5. Organization of information security work
A commission on information security management has been planned to implement the Policy.
6. Handling information security events
The Department’s procedure for managing information security events will be developed on the basis of the “Regulations for Reporting and Responding Cyber Security Incidents” promulgated by the National Information and Communication Security Taskforce of the Executive Yuan, and will apply whenever an information security event occurs.
7. Assessment and review of this Policy
This Policy will be reviewed at least once a year so that it reflects the latest governmental information security policies, regulations and technologies as well as the current status of our services, thereby ensuring that our information security practices remain effective and viable.
This Policy will first be reviewed by the information security management commission and then submitted to the director for approval; it will be promulgated once the director approves it. The same procedure applies to any amendments to this Policy.