The Customs Administration (hereafter referred to as the bureau) core operation is Cargo Clearance Automation System and its related operations. In order to protect the bureau core relevant information assets security (information assets include data, systems, equipments, and etc.), avoid external threat or inside personnel improper management and use, cause the risk of garbled, disclosed, destroyed or lost etc., we redact Information Security Policy (hereafter referred to as the policy).
The policy is defined according to including "Executive Yuan and its subordinates Information Security Management Point", "Executive Yuan and its Subordinates Information Security Management Constraint", "Ministry of Finance and its Subordinates Information Security Management Principle", "Directorate General of Customs, Ministry of Finance and its Subordinate Offices Information Security Management Operation Regulation", "Customs Law", "Data Protection Law" relevant decrees and regulations ,etc. and considering customs clearance requirement.
The bureau vision is: To provide convenient, efficient and safe customs clearance service.
4. Information security policy:
4.1 The essence of information security
There are three categories for the essence of the information security roughly:
Guarantee that every information assets can offer instant and correct service, in order to meet the user's demand.
Depend on information assets the importance classification and offer the proper protection to ensure integrality of information assets.
Properly divide data secret grade and give proper norm and protection in accordance with its secret grade.
According to the characteristic of the bureau key business and scene of wishing, information security ensure the integrality, usability and confidentiality of the Cargo Clearance Automation System and relevant business information assets.
In order to achieve the expectation and requirement of the bureau toward information security maintenance, we will based on this policy, will according to the organization request and consider the information assets risk, to establish an integral, feasible, effective information security management system (hereafter referred to as ISMS), so as to provide the best guarantee to the bureau information security.
Conform with the control goals of ISO27001 standard: According to operation requiring and relevant laws and regulations, offer instruction and support on the information security to the layers of management. - Clause A.5.1
Scope of ISMS:
- the Cargo Clearance Automation Systems which including CPT Single Window and Advance Cargo Information System execution within Department of Planning, Department of Audit Affairs, Department of Investigation, Department of Customs Clearance Affairs, Department of Tariffs and Legal Affairs, Statistics Office, Accounting Office, and Civil Service Ethics Office.
- the Cargo Clearance Automation Systems development, maintenance, operation, execution, and related infrastructure security controls within Department of Customs Information Management.
Whether for reach above-mentioned purpose, the bureau divides two types of the relevant policy into quantitative and qualitative.
- Guarantee the services availability of Cargo Clearance Automation System reach above 99.6% the whole year.
- The incidence happened less than two times every half year.
- Whether goods clear customs "Q&A form" (the document number: 0154029) of Cargo Clearance Automation System, Dealing with the information management department after receiving, need to finish in five days, the target of achievement rate is 96% in the whole year.
- Guarantee that relevant information security measure or norm accord with the current information security management standard, the requests (check once at least each half a year) of operating and relevant laws and regulations.
- To maintain and test feasibility of enterprise everlasting management plan (Test it once every half year at least).
- In accordance with its function of office and responsibility refer to "the hierarchical homework of the grade of responsibility of information security of government bodies (construct) implement the plan" the hours of education and training are fitted in the normal requirement, grant staff's to train properly information security and relevantly.
- Set up information assets risk assess, assess risk once every year at least.
- Reinforce internal control, check user permissions of information system to prevent unauthorized access and assure proper protection of information assets. The correct rate of each permission review should be above 92%.
- The cases of high risk weakness that have not been patched within a month after detection should not exceed two.
5. Scope of application:
This policy is suitable for all colleagues of the bureau (including skilled worker, employed-by-contract, work-study and alternative-military-service) in every tariff bureau, signing vender, the outsourcing vender and relevant information assets.
First, every department (office) first class executive manager of the bureau should actively participate in the ISMS activities, offer the support of the ISMS correctly.
Second, the bureau and every tariff bureau deal with the maintenance and implementation that the group is responsible for this information security of the bureau, about the duty of this group ones that please refer to information and organize security are in charge of and the division procedure documentation.
Third, this every department (office) of the bureau should implement the request for a policy through the proper procedure.
Fourth, all of the colleagues, every tariff bureau, signing manufacturer, the outsourcing companies have responsibility to follow this policy.
Fifth, above-mentioned personnel are responsible to report information security accident t or suspicious information security weakness through proper report mechanism when they found.
7. Risk assessment and management:
The bureau accords with the quantitative and qualitative policy goal in order to reach the vision, Specially make risk assessing and procedure, in order to manage the information assets risk, reduce the risk to accept the range.
8. Compliance of the information security policy:
- all of the colleagues, every tariff bureau, signing manufacturer, the outsourcing companies has not followed a policy or relevant information security regulations, or any other behaviors of threatening the of information security of the bureau, will all appeal to the proper punishment procedure or legal action. As to the thing that the decree of information security or the technology offer and improve the suggestion, the persons who really have effects through carrying out should reward properly.
- all colleagues of the bureau is required to sign "Confidential Agreement on Customs Personnel Information Security Responsibility", and be award of all information accessed during working period in the Customs Administration asset belong to The Customs Administration and not allowed to be used on other unauthorized purpose.
9. Revision of the information security policy:
This policy should be reappraised at least once a year to reflect up-to-date status of government regulation, technique and operation and to ensure effectiveness of information security practice.