The Legislative Yuan of the Republic of China (R.O.C.) (referred to as "this Institution" hereunder) stipulates this Guideline to maintain overall information security, strengthen security management for all its information assets, and ensure their confidentiality, integrity, availability, authentication, and non-repudiation, in response to the needs of business operations and in order to properly support legislators in exercising their authority of office according to law.
- Confidentiality ensures only those people who have been authorized can have access to information assets.
- Integrity ensures the accuracy and completeness of information assets and of the methods by which they are handled.
- Availability ensures that authorized users may use information assets when they need them.
- Authentication ensures that the identity of an entity on the Internet is what it declares itself to be, or that information received via the Internet was really sent by the stated sender.
- Non-repudiation means that a sender cannot deny having agreed to send information, or having completed a transaction.
The term "information security" referred to in this Policy is defined as protecting information assets against all kinds of incident threats, such as improper use, leakage, tampering, stealing, destruction, etc., and reducing the damage level that might otherwise affect and endanger this Institution's business operations.
The information assets referred to in this Guideline are the information collected, produced and used by this Institution, as well as the related equipment necessary for carrying out this work.
III. SCOPE OF APPLICATION
This policy applies to all information assets of this Institution and their information users.
- "Information users" include legislators, assistants, staff, contract employees, technical workers, maintenance workers, establishment and maintenance service providers, and other people who have been authorized to access information assets.
IV. LAW REFERENCE SOURCES
This Guideline and all collateral regulations formulated based upon it (referred to as the "information security management system" hereunder) were formulated with reference to the Computer-Processed Personal Data Protection Law, the Copyright Law, the National Secrets Protection Law, the Electronic Signature Act, and other related standards. Information users shall observe them. Violations shall be handled according to the related laws and decrees.
- In addition to the laws and decrees mentioned in Article IV, the following are important reference standards for this Institution's information security management system:
  - Information security standard of the International Organization for Standardization (ISO 17799:2000; Information technology - Code of practice for information security management).
  - Information security standard of the Bureau of Standards, Metrology and Inspection, Ministry of Economic Affairs (MOEA) (CNS 17800; Information technology - Information security management systems).
  - Information security standard of the British Standards Institution (BSI) (BS 7799:2002; Information security management).
- The collateral regulations stipulated in accordance with this Guideline are as follows: certificate policy, information security organization operating principles, information security document management, information asset categorization and classification, Internet security management, host security management, information application system security management, general information equipment management, PKI information security management, computer room management, information security reporting management, information security audit, information access control, office area management, outsourcing management, information security risk assessment and management, etc.
To materialize information security management, this Institution shall set up an interagency Information and Communication Security Taskforce (ICST) in charge of review and approval of this Guideline and of matters related to advancing information security management systems.
The ICST consists of the Information Security Audit Team (ISAT) and the Information Security Team (IST) of the Department of Information Management, respectively in charge of consolidating information security audits and of planning all kinds of operating principles.
- The following organization shall be set up in order to advance information security management systems:
  - The ICST is staffed with a Convener, whose post is held concurrently by the Secretary General, and a Secretary, whose post is held concurrently by the Director of the Department of Information Management.
  - Staff members for the ISAT are appointed by the Convener.
  - Staff members for the IST are appointed by the Secretary.
- Operating principles for the information security organization shall specify the following:
  - Information security organization layout, responsibilities, and modus operandi.
  - Information and communication security meetings, and the frequency and agenda of IST meetings.
  - Qualifications and educational training of information security organization personnel.
VI. INFORMATION ASSET SECURITY
To safeguard this Institution's information assets, an information asset inventory shall be created for categorization and classification, and corresponding control measures shall be formulated.
- This Institution's information assets are divided into information assets (e.g., archives, system documents, databases), physical assets (e.g., computer hardware, communication equipment), software assets (e.g., applications, system software), and service assets (e.g., power supply and air conditioning).
- The information asset inventory shall identify each asset's category, owner, user, and confidentiality level.
- Operating principles for categorization and classification of information assets shall specify the following:
  - Information asset categorization principles.
  - Information asset classification principles.
  - Information asset control measures.
VII. PERSONNEL AND SECURITY
To diminish the influence of internal human factors upon this Institution's information security, all units shall implement segregation of duties and job rotation measures, taking manpower and responsibilities into account.
This Institution shall implement information security education, training and awareness promotion as needed in order to increase personnel's understanding of information security.
- "All units" include the research rooms and service offices of all legislators and the offices of all caucuses.
VIII. OUTSOURCING MANAGEMENT
To enhance outsourcing security, this Institution shall require contractors to sign a confidentiality agreement, and shall manage the access rights of project personnel and dispatched personnel to all information assets.
- Operating principles for outsourcing management shall specify the following:
  - Regulations for confidentiality agreements.
  - Outsourcing performance appraisal.
  - Management of personnel dispatched by service providers.
  - Regulations for outsourcing personnel access.
IX. RISK MANAGEMENT
To effectively tackle the threats, vulnerabilities and impacts that confront the various information assets of this Institution, this Institution shall conduct risk assessment and carry out the necessary risk management.
- Threats refer to external security impacts posed to information assets, such as fires, floods, and hacker attacks.
- Vulnerabilities refer to weaknesses arising from inadequate security controls, such as human negligence and network loopholes.
- Risk assessment refers to the process of confirming information security, during which the threats to and vulnerabilities of all information assets are assessed in order to derive a risk value and confirm the adequacy of their controls.
- Risk management means that, within an acceptable cost, the factors that may affect information security are identified and controlled so as to reduce their impact.
- Operating principles for risk assessment and management shall specify the following:
  - Information security risk assessment procedure.
  - Information security risk management procedure.
  - Information security risk assessment timing.
X. PHYSICAL SECURITY
A security management regulation shall be put in place to ensure the continuous operation of the computer room and the security of the operating area of information assets.
- Operating principles for management of the computer room shall specify the following:
  - Routine inspections of equipment in the computer room.
  - Guidelines for use and management of information equipment and information media in the computer room.
  - Access control.
- Operating principles for management of the office area shall specify the following:
  - Desk clearance management.
  - Screen saver settings.
  - Fax (machine) data management guidelines.
  - Equipment security management.
- Operating principles for management of general information equipment shall specify the following:
  - Personal computer (PC) management.
  - PC disposal.
XI. SECURITY OF HOST SYSTEMS
A security technique regulation shall be put in place to ensure the security of host operating platforms and databases and to standardize operating procedures.
- Host systems refer to mainframe computers, servers, databases, etc. Operating platforms include Windows Server, Unix, and network servers.
- Operating principles for management of host system security shall specify the following:
  - Operating platform establishment standards.
  - Normal operation management.
XII. SECURITY OF APPLICATION SYSTEMS
A standard control and acceptance procedure shall be put in place to ensure the security of development, testing, commissioning, and maintenance of application systems.
- Application systems refer to management information systems and application service systems.
- Operating principles for management of application system security shall specify the following:
  - Development and management of application systems.
  - Acceptance and testing of application systems.
  - Commissioning operations of application systems.
  - Maintenance of application systems.
XIII. INTERNET SECURITY
Management regulations shall be formulated to ensure the security of network services and their use.
- Operating principles for management of network security shall specify the following:
  - Installation and maintenance of network equipment.
  - Firewall establishment and management guidelines.
  - Network security supervision and inspection guidelines.
  - Computer virus prevention guidelines.
  - Intrusion detection system (IDS) guidelines.
XIV. CERTIFICATE SECURITY
To serve as a basis for certificate application and use, a certificate policy and practical certificate operating criteria shall be instituted, and then assessed and revised on a regular basis.
- The certificate policy shall specify the following:
  - Certificate application, approval and issuance.
  - Certificate downloads.
  - Responsibilities of the certificate management unit.
  - Certificate revocation.
- The practical certificate operating criteria shall specify the procedures necessary for managing practical certificate operations in line with the content of the certificate policy, and shall be revised according to changes in certificate standards.
XV. ACCESS SECURITY
To prevent unauthorized access to information assets from leading to improper use of confidential or sensitive information, access rights shall be granted to personnel according to their functions. If necessary, encryption/decryption and identity authentication mechanisms may be adopted to enhance information security.
- At present this Institution may adopt a Public Key Infrastructure (PKI) as its encryption, decryption and identity authentication technique. A PKI is a mechanism in which public keys and electronic certificates are used to secure electronic information exchanges and to confirm the identity of the other party.
- Operating principles for information access control shall specify the following:
  - Differentiation and management of user access rights.
  - Management of accounts and passwords for host platform users.
  - Account management mechanism for network equipment and system administrators.
  - Connection management mechanism for notebook computers.
  - Management mechanism for the use of wireless devices, portable mobile equipment, etc.
- Operating principles for management of PKI information security shall specify the following:
  - Guidelines for use and management of blank chip cards (CA).
  - Guidelines for application and management of PKI certificates.
XVI. MANAGEMENT OF INFORMATION SECURITY INCIDENTS
To reduce the damage caused by information security incidents, an information and communication security incident reporting and management procedure shall be established, and incidents shall be recorded.
- Information security incidents refer to:
  - Internal security incidents: malicious destruction and damage, negligent operations, information theft, etc., that are found (or suspected).
  - External attacks: viral infections, hacker attacks (or illegal intrusions).
  - Natural disasters: typhoons, floods, earthquakes.
  - Sudden and unexpected incidents: fires, explosions, etc.
- Operating principles for information security reporting management shall be formulated in accordance with the reporting regulations of the National Computer Emergency Response Team (NCERT), and shall specify the following:
  - An information security incident reporting procedure.
  - An information security incident analysis and management procedure.
  - Information system and data backup.
  - Disaster recovery plan.
XVII. SUSTAINABLE OPERATIONS AND MANAGEMENT
To protect information assets against disasters affecting the sustainable operation of business, a response and recovery plan shall be drawn up, and tests and drills shall be conducted on a regular basis.
- Disasters refer to damage caused by information security incidents.
- Operating principles for management of sustainable operations shall specify the following:
  - Disaster management process.
  - Disaster management process for the offsite backup room.
  - Application system recovery management process.
  - Priority of recovery of critical business.
  - Analysis of the loss from business suspension, and backup measures.
  - Local backup management regulations.
XVIII. AUDIT AND MANAGEMENT OF INFORMATION SECURITY
To materialize the information security management system, the Information Security Audit Team (ISAT) shall formulate an audit plan and carry it out on a regular basis.
- The information security audit task may be implemented by internal or external qualified personnel, and shall be independent and objective.
- When drafting an internal audit plan for information security, reference shall be made to past audit results in order to decide the scope and priority of the audit.
- Operating principles for management of information security audit shall specify the following:
  - Formulation of the audit plan.
  - Scope, frequency, and methods of audit.
  - Audit records and reports.
  - Improvement actions and follow-ups.
This Guideline shall be reviewed yearly to reflect the latest standards, techniques and status of business.
All collateral regulations are revised by the Information Security Team (IST) of the Department of Information Management as needed. Should the content involve changes in interagency responsibility, it shall be reported to the Information and Communication Security Taskforce (ICST) before being implemented.
- Operating principles for management of information security documents shall specify the following:
  - Outlines of document content.
  - Document change management.
  - Document numbering.
- Changes to the version of this Guideline shall be made in accordance with the operating principles for management of information security documents.
XX. AWARENESS PROMOTION
This Guideline shall be promoted on a regular basis.
References: CNS 17800 and BS 7799 information security standards (information security management requirements), 2002.
This Guideline takes effect after being ratified by the President of the Legislative Yuan.