(Computer and Information Network Center) Information Security Policy

Update date: 2024-11-14

1. Purpose

This policy governs the information security management system of the university to ensure the confidentiality, integrity, availability, and compliance of information assets under its jurisdiction, thereby protecting the rights and interests of all faculty, staff, and students.

2. Scope

This policy applies to university employees, external personnel accessing university business data, outsourced service providers, and visitors.

3. Definitions

3.1. Confidentiality: The characteristic of information being inaccessible or undisclosed to unauthorized individuals, entities, or processes.

3.2. Integrity: The characteristic of safeguarding the accuracy and completeness of assets.

3.3. Availability: The characteristic of authorized individuals having timely and reliable access to and use of information as needed.

3.4. Information Security: The systematic use of controls, including policies, implementation, audits, organizational structures, and hardware and software functions, to protect university information assets from risks such as human error, deliberate attacks, or natural disasters.

3.5. Information Assets: Any information assets used in the university's operations, including internal personnel, external personnel, paper documents, electronic documents, network services, computer software, application systems, computer hardware, network equipment, environmental control systems, building protection facilities, and amenities.

4. Responsibilities

The university has established an "Information Security and Personal Data Protection Promotion Committee" responsible for policy approval and supervision, information security prevention, and crisis management.

5. Requirements

5.1. Information Security Objectives

5.1.1. No leakage of sensitive data from faculty, staff, and students each year.

5.1.2. No tampering of faculty, staff, and student data (e.g., student grades or personal data) each year.

5.1.3. Ensure that the key business system information rooms have an operational availability of over 96.9% during business hours throughout the year, and ensure:

  • System or host operational interruptions caused by information security incidents, anomalies, or other security accidents do not exceed eight times per year.

  • The maximum downtime for each incident should not exceed eight working hours.

5.1.4. Ensure that key business system services have an operational availability of over 98.4% during business hours throughout the year, with each downtime incident due to information security events, anomalies, or other security accidents not exceeding four working hours.

5.1.5. Follow the "Priority Execution Strategy for Comprehensive Information Security Management" to strengthen advocacy and require all units to implement information security management.

5.2. Information Security Management Requirements

To prevent data misuse, leakage, tampering, or destruction due to human error, deliberate acts, or natural disasters, any of which could expose the university to a range of risks and harms, information security management should cover the following 14 aspects:

  1. Information security policy.

  2. Information security organization.

  3. Human resource security.

  4. Asset management.

  5. Access control.

  6. Cryptography (encryption control).

  7. Physical and environmental security.

  8. Operational security.

  9. Communication security.

  10. Information system acquisition, development, and maintenance.

  11. Supplier relationships.

  12. Information security incident management.

  13. Information security aspects of business continuity management.

  14. Compliance.

5.3. Information Security Management Principles

5.3.1. Regularly inventory, classify, and assess the risks of important information assets, and implement appropriate protective measures accordingly.

5.3.2. Differentiate access permissions for important information assets, granting relevant permissions based on personnel duties. Implement encryption and identity authentication mechanisms if necessary to enhance the security of information assets.

5.3.3. Ensure complete reporting and response measures for information security incidents to maintain the continuous operation of information systems and business.

5.3.4. Develop and regularly rehearse business continuity plans to ensure that critical systems and business operations can be restored within the predetermined time frame in the event of an information security incident.

5.3.5. Relevant personnel must receive information security education and training as required to enhance information security awareness.

5.3.6. Conduct regular information security audits to review access permissions and the implementation of information security management systems.

5.3.7. Handle violations of this policy and related information security regulations in accordance with relevant laws or university disciplinary regulations.

5.3.8. Evaluate this policy at least once a year and revise it based on changes in business, technology developments, and risk assessments.

6. Revisions

6.1. Management Review

6.1.1. Ensure the availability, security, and effectiveness of the "Information Security Management System" in practice. Evaluate and, where necessary, revise this policy at least once a year based on changes in business, technological advancements, and risk assessment results, or in response to government information security management requirements, laws, technologies, and the latest business developments.

7. Implementation

This policy must be reviewed and approved by the "Information Security and Personal Data Protection Promotion Committee" and announced or communicated to all university units and relevant external units according to the "Document and Record Management Method." The same procedure applies for revisions.
