Railway Reconstruction Bureau - Information Security Policy
https://www.rrb.gov.tw
Railway Reconstruction Bureau, MOTC
The Bureau has been awarded ISO 9001:2008 certification
Information Security Policy
I. Establishment of Information Security Policy


1. Objective


The Railway Reconstruction Bureau (RRB) has established information application systems in accordance with the stipulations of the "Information Management Rules for the Executive Yuan and Its Subordinate Agencies," the "Information Security Management Guidelines for the Executive Yuan and Its Subordinate Agencies," and the "Personal Information Protection Act," and in consideration of the operational needs of the RRB, in order to reinforce its information security management.

2. Scope


This policy applies to personnel within the RRB's organizational allocation, contract personnel, transferred personnel, outsourcing companies, and all related information assets and agencies with online operations linked to the RRB, and is made known to the public via written, electronic, or other means, with the expectation that it will be observed by all so as to protect the security of information collection, processing, transmission, storage, and circulation.

3. Definitions


The nature of information security can be classified into three types:


i. Confidentiality: Information assets are graded according to their degree of confidentiality and are given the standards and protection appropriate to that degree of confidentiality.


ii. Integrity: The integrity of all information assets is protected so that they may be appropriately utilized by the organization.


iii. Availability: Timely and accurate services are assured for all items of information assets in order to satisfy the needs of users.


Information security policy should be maintained by designated persons or units, with the information security organization carrying out necessary evaluation and adjustment on a regular basis so as to maintain the appropriateness and effectiveness of information security policy.

II. Information Security Policy Goals


1. Assurance of information availability and integrity, and protection of the right of the people to use transportation facilities.

2. Assurance of information confidentiality, and protection of the privacy of the information of online agencies and the public.

3. Assurance of information accuracy, and assurance of the quality of information systems used by online agencies and the public.

The following goals are established in accordance with the security policy described above to serve as indicators for the maintenance of information security.

1. A permanent organization in overall charge of information security operations.

2. The latest and most accurate list of information assets.

3. Demarcation of use and authority that conforms to security regulations, appropriate provision of training in information security, and informing personnel of the reporting procedures for security incidents.

4. Establishment of protection measures, security equipment, and general control principles for tangible assets.

5. Security control measures for communications and information operations.

6. Clear and appropriate control procedures for information storage and retrieval.

7. Inclusion of software development and maintenance within security considerations.

8. Continuous operation of organizational functions.

9. Establishment of an information and communications security auditing system and implementation of internal auditing for information and communications security so as to assure the security of RRB information.

10. Assurance of security conformity by operations outsourced from the RRB, establishment of related control mechanisms, and implementation of outsourcing management.

11. Conformity of communications and information operations with policy.

III. Responsibilities and Obligations


1. The information security organization should provide clear directions for the timely revision of this policy so as to assure that the policy meets current needs.

2. Ranking RRB officials should participate actively in information security management activities, give information security their support and commitment, and re-examine this policy when necessary.

3. Personnel should carry through with the requirements of this policy through appropriate procedures.

4. All of the personnel within the RRB's organizational allotment, contract personnel, transferred personnel, outsourcing service companies, and all agencies that are related to information assets that are online with the RRB must observe this policy.

5. All related RRB personnel should report, through appropriate reporting mechanisms, any information security incidents or weaknesses which they discover.

6. Any RRB employee who fails to observe this policy or who engages in any behavior that threatens the security of RRB information will be subjected to appropriate punishment or legal action.

7. All related RRB personnel must sign a secrecy protection agreement and understand that all information obtained during employment with the RRB is an RRB asset and may not be utilized for other unauthorized purposes.

IV. Review and Revision of Information Security Policy


1. Review


This policy is maintained by designated personnel or a designated unit, with the information security organization carrying out necessary review and adjustment on a regular basis so as to maintain the appropriateness and effectiveness of the information security policy.

2. Revision


This policy should be revised by the information security organization on a regular basis once a year or in accordance with changes in the RRB's organization, functions, or environment, with the revision being implemented, following approval, so as to conform to current conditions.
  Copyright © 2008 Railway Reconstruction Bureau, Ministry of Transportation and Communications. All rights reserved.
20F., No.7, Sec. 2, Xianmin Blvd., Banqiao Dist., New Taipei City 220, Taiwan (R.O.C.)
Tel:+886-2-8969-1900 Fax:+886-2-8969-1823