Declaration of Information Security Policy
The core businesses of Kaohsiung Customs (abbreviated as KHC) are Cargo Clearance Automation System and the relevant. To ensure the security of information assets (including data, systems, equipment, etc.) related to the core businesses, KHC formulates this Information Security Policy (hereinafter referred to as this policy) to protect against external threats and against improper internal management and use that lead to data tampering, disclosure, destruction, loss, etc.
This policy is based on laws, regulations, and clearance requirements, including “Cyber Security Management Act”, “Customs Act”, “Personal Data Protection Act”, “Cyber Security Policy and Organizational Management Constraints for Ministry of Finance and its Subordinates”, “Information Security Policy for Customs Administration, Ministry of Finance”, “Personal Data Protection Management Directions for Kaohsiung Customs, Customs Administration, Ministry of Finance”, etc.
KHC's vision is to provide convenient and safe Customs clearance service.
IV. Information Security Policy
- Essence of information security
The essence of information security falls roughly into three categories:
- Information assets shall provide instant and correct service to fulfill the requirements of authorized users.
- Information assets shall be categorized in accordance with their importance and be properly protected for their integrity.
- Information assets shall be inaccessible to unauthorized users.
In accordance with organizational development and requirements, and based on this policy, KHC establishes an integral, feasible, and effective Information Security Management System (abbreviated as ISMS), taking into consideration the risk to information assets, to fulfill the expectations and requirements of KHC. The ISMS provides the best protection for KHC information security.
- Performance Measurement Indicators
KHC periodically compiles statistics on performance measurement as a basis for assessing the ISMS. To meet the requirements, the indicators are as follows:
- The availability of the Cargo Clearance Automation System shall be ensured at 99 percent every year.
- Notification of and response to cyber security incidents shall be conducted within the timeframes prescribed in “Regulations on the Notification and Response of Cyber Security Incident”.
- Information security measures and regulations shall conform to existing laws. (An information audit shall be conducted at least once every year.)
- The feasibility of sustainable management plans shall be maintained and tested. (They shall be tested at least once every year.)
- Information assets shall be appropriately safeguarded by internal controls and against unauthorized, illicit access. (User permissions shall be checked at least once every half year.)
- Personnel shall be provided with information security training in accordance with their jobs and responsibilities. (Personnel shall receive at least three hours of general information security education every year.)
- Conforms to “Matters to be Conducted by the Government Agency of Cyber Security Responsibility Level-C.”
This policy applies to all personnel (including maintenance and technical workers, contract employees, and student workers), contractors, outsourcing contractors, and all relevant information assets of KHC.
VI. Responsibility Assignment
- The chief director of every KHC department (office and branch) shall actively participate in ISMS activities in support of the ISMS.
- The “Information Security Handling Group” is responsible for maintaining and fulfilling KHC information security. The group's responsibilities are defined in the KHC document “Responsibilities and Arrangement Procedure of Information Security Organization”.
- KHC departments (offices and branches) shall follow the proper procedure and fulfill the requirements of this policy.
- All personnel, contractors, and outsourcing contractors shall follow this policy.
- The above-mentioned staff shall follow the proper procedure to report information security incidents and suspected information security flaws.
VII. Risk Assessment and Management
To achieve the vision and goal of this policy, KHC establishes the “Risk Assessment and Management Procedure” to manage information assets and to lower their risks to an acceptable level.
VIII. Information Security Policy Compliance
- Corresponding punishment or legal action will be pursued against any personnel, contractor, or outsourcing contractor who does not follow this policy or the relevant information security regulations, or who is involved in any behavior that threatens KHC information security. An award will be presented to those who provide suggestions for improving information security regulations or techniques that prove successful.
- All personnel shall sign the “Confidentiality Agreement on Customs Personnel Information Security”. In accordance with their contracts, contractors and outsourcing contractors shall sign the “Confidentiality Agreement for Contractors” and the “Confidentiality Agreement for Contractors’ Employees” and understand that information acquired during the work belongs to KHC and shall not be used without authorization.
IX. Revision of Information Security Policy
This policy shall be assessed at least once every year to ensure the effectiveness of information security practice and to reflect current government regulations, techniques, businesses, etc.