
Taoyuan Reform School, Agency of Corrections, Ministry of Justice (Chengjheng High School Taoyuan Branch)


Information Security Policy

  • Last updated: 2021-08-24



  1. Purpose
  2. Legal basis
  3. Principle of information security
  4. Definition of information security
  5. Scope of information security
  6. Objectives of information security
  7. Organization for information security
  8. Principle of allocation of information security responsibility
  9. Principle for categorization, classification, and evaluation of assets
  10. Classes of unacceptable risks
  11. Applicability declaration


  1. Purpose

Dun Pin High School formulates this policy in order to strengthen its information security management and that of its subordinate organizations; establish a credible information environment for the judicial system; ensure the security of data, systems, equipment, and network; and safeguard public rights and interests.


  2. Legal basis

This policy is based on the “Key Points for Information Security Control of the Executive Yuan and Its Subordinate Agencies” and draws on the “Regulations Governing the Executive Yuan’s and Its Subordinate Agencies’ Information Security Control,” the ISO 27001 standard for information security management systems, and Dun Pin High School’s own requirements. It is intended to establish an information security control system, strengthen the protection of information security, and raise the standard of information security.


  3. Principle of information security

Information security is considered everybody’s responsibility.


  4. Definition of information security

Information security refers to the application of control procedures and protection technology to all information operations, including the software used in the various information systems, hardware equipment, the media on which information and data are stored, and all printed output, in order to secure the collection, processing, transmission, storage, and circulation of information.


  5. Scope of information security

a. Allocation of information security responsibility

b. Personnel management and information security education and training

c. Security control for computer systems

d. Network security control

e. Control on system storage and retrieval

f. Security control for system development and maintenance

g. Security control for information assets

h. Physical and environmental security control

i. Control on plans for business continuity management

j. Information security auditing

k. Reporting and management of information security incidents

  6. Objectives of information security

a. Protect the confidentiality of information and prevent illegal use

   No more than five illegal cases of storing or retrieving information are allowed in one organization each year.

b. Ensure the availability and integrity of assets

   The number of business stoppages caused by information security incidents in an organization is limited to three in half a year, and each stoppage shall not exceed 36 hours.

c. Ensure the effectiveness and continuity of business operations

   At least two situational exercises prescribed in the “Plan for Business Continuity Management” shall be held, and at least one exercise covering all the situations set forth in the plan shall be carried out each year.

d. Ensure that staff members’ awareness of information security reaches a certain level

   Every staff member shall receive at least four hours of information security education and training each year.

e. Ensure the consistency of information security measures with policy and regulatory requirements

   Dun Pin High School conducts at least two internal audits each year. Its subordinate organizations shall each conduct at least one internal audit each year.

  7. Organization of information security

a. Dun Pin High School has established a “Dun Pin High School Management Review Board on Information Security” (hereinafter referred to as the management review board) to serve as the highest body for information security control of Dun Pin High School and its subordinate organizations. The management review board is responsible for formulating and regularly evaluating the information security policy, coordinating information security plans, and marshalling resources. Dun Pin High School’s vice minister and the director of its Secretarial Office serve as convener and deputy convener of the management review board respectively. The director of Dun Pin High School’s Department of Information Management acts concurrently as its executive secretary, and the directors and heads of all other departments and offices are its members. Staff and clerical support is provided by the Department of Information Management.


b. Dun Pin High School has set up a “Dun Pin High School Information and Communication Security Task Force” (hereinafter referred to as the Task Force) to supervise the various organizations in preventing and reporting information and communication security incidents and to handle related affairs. The Task Force is headed by the director of Dun Pin High School’s Department of Information Management, assisted by the deputy director of the department. The Task Force is composed of section chiefs and related officials and is divided into three subgroups: the security prevention subgroup, the crisis handling subgroup, and the auditing subgroup. An executive task force is established in each of Dun Pin High School’s subordinate organizations.


  8. Principle of allocation of information security responsibility

a. The Department of Information Management is responsible for formulating security policy, plans, measures, and technical regulations, and for the study of security technology.

b. The various business departments are responsible for studying the security requirements of their data and information systems, and for the control and protection of those systems in use.

c. In executing all information operations, everyone is required to observe the “Key Points for Information Security Control of the Executive Yuan and Its Subordinate Agencies,” the “Regulations Governing the Executive Yuan’s and Its Subordinate Agencies’ Information Security Control,” the “Act for Protecting Computer-processed Personal Data,” and other related regulations, including agreements Dun Pin High School has signed with third parties.

d. The Department of Information Management is responsible for coordinating with other units in jointly conducting information security education and training.

e. In Dun Pin High School, auditing is the responsibility of the Department of Information Management and the Department of Government Employee Ethics. In its subordinate organizations, auditing shall be done by their respective information units and government employee ethics units. Auditing of the subordinate organizations themselves shall be performed by Dun Pin High School’s Department of Information Management and Department of Government Employee Ethics in conjunction with the business departments.

f. Evaluation of personnel security is the responsibility of the government employee ethics units.

g. When a crisis or disaster arises in Dun Pin High School’s information and network systems due to sabotage or improper use, the Task Force shall take emergency measures as soon as possible in accordance with Dun Pin High School’s “Plan for Business Continuity Management”; the handling procedure shall be recorded for reference.

h. When a Dun Pin High School staff member violates the information security provisions, he or she shall be dealt with according to the “Dun Pin High School Penalty Standard for Staff Members.” If Article 2 of the Public Service Act is involved, the violator shall be dealt with in accordance with Article 19 of the Act. If he or she is suspected of violating the Criminal Code, the violator shall be referred to the judicial organization for investigation. If national compensation is involved, responsibility shall be pursued in accordance with the National Compensation Act and other laws. A violator not belonging to Dun Pin High School shall also be pursued for criminal or civil liability according to the related laws.


  9. Principle for categorization, classification, and evaluation of assets


In accordance with the nature of operations, assets are divided into six categories: information assets, physical assets, software assets, services, written documents, and personnel.


Assets are evaluated in accordance with confidentiality, integrity, and availability to reflect their value.


The risk class of an asset is evaluated in accordance with its weaknesses, the threats to it, and the impact of their realization. After classification and evaluation, the asset is subjected to a degree of security control appropriate to its value.

  10. Class of unacceptable risks

After evaluation, assets are divided into different risk classes. For those whose risk lies above the unacceptable risk index level, a “Risk Improvement Plan” shall be formulated as the basis for supervision and control, and its execution shall be tracked to ensure thoroughness.

  11. Applicability declaration

Dun Pin High School will, in keeping with the ISO 27001 standard, require a statement of applicability documenting whether each control standard and measure is applicable and, if not, the reasons for its inapplicability. When the organizational structure, personnel, equipment, or physical environment changes, the management review board shall redefine the applicability of the control measures.



