The information security policy declared:
The Keelung Customs has established Information Security Policy (the policy) to protect the security of related information assets (including data, systems, equipments, etc.), and to prevent the information security event which will affect confidentiality, integrity and availability of information during the process of cargo clearance.
The policy is based on “Executive Yuan and its subordinates Information Security Management Point,” “Executive Yuan and its Subordinates Information Security Management Constraints,” “Ministry of Finance and its Subordinates Information Security Management Principles,” “Directorate General of Customs, Ministry of Finance and its Subordinate Offices Information Security Management Operation Regulations,” “Customs Law,”“Data Protection Law,” relevant decrees and regulations, etc. The policy is also considering customs clearance requirements.
The policy is applied to all employees (including contract workers, part-time workers, janitors, alternative military service men), contractors and outsourcing companies.
The essence of the information security is divided into three categories:
Prevent the disclosure of information to unauthorized individuals or entities.
Protect accuracy and completeness of information assets
For any information system to serve its purpose, the information must be available when it is needed for authorized entities.
Besides the above three categories, the essence of the information security can also be categorized into authenticity, accountability, non-repudiation and reliability according to the business operation.
Validate user login.
Keep audit track for user operation.
Users cannot deny having sent the message, and the recipient cannot deny having received the message.
Make sure operation has conformance.
5. Information Security Vision
Provide a convenient and safe Cargo Clearance Service environment.
6. Information Security Management Index
To meet the expectation and demand of information security policy, and to effectively monitor the whole information security management system, the Keelung Customs Office establishes the following information security management system indexes based on the policy and organizational development needs:
The Cargo Clearance Automation System and Custom Administration System shall have account privilege control procedure and verification at least once a year.
The security incident of Cargo Clearance information must not occur more than three times every year.
The major security incident (classified information leaking, hacker attack) must not occur more than two times every year.
No un-authorized access to Cargo Clearance Automation System and Customs Administration System.
Review whether the information classification is proper protected at least once a year.
Manage access privilege, threats and vulnerability of information system.
The servers having information asset value equal to 3 and 4 needs to be patched in one working day after major Microsoft security hole and CERT security report are informed. The target of achievement rate is above 90% in the whole year.
Guarantee the infrastructure of network services availability for Cargo Clearance Automation System is above 99% in the whole year.
Review, maintain and test Business Continuity Plan and meet RTO (Recovery Time Objective) at least once a year.
(1) Security Steering Committee: the Chief Security Officer is chairman and is responsible for reviewing the policy.
(2) The Keelung Customs Office, including its divisions, offices, branches and stations should follow the policy.
(3) All the employees, contractors and outsourcing companies should also follow the policy.
(4) The above personnel are responsible for reporting information security accidents or suspicious information security weakness through incident response process.
8. Information Security Responsibility:
(1) Security Steering Committee shall hold management meeting periodically to review the police and ensure policy status.
(2) Senior management officers must participate in the Security Steering Committee to support information security.
(3) The office shall provide information security training periodically to improve information security awareness.
(4) The office shall set up risk management procedure to evaluate, manage risks effectively to achieve Customs’ vision and to comply with government regulations.
(5) All the employees should follow the information security incident response procedure when discovering information security events or information security vulnerability.
(6) If employees do not follow the policy or act against the policy, they will be punished by related rules.
(7) All the outsourcing companies shall sign up Non Disclosure Agreement (NDA) to follow the policy and related procedures. The use of information assets without authorization is prohibited.
9. Revision and Publishing of the Information Security Policy:
To comply with the latest government regulations, technology and business development, and to maintain the effectiveness of information security operation, the policy shall be reviewed at least once a year.