The Ministry of Justice (MOJ) formulates this policy in order to strengthen its information security management and that of its subordinate organizations; establish a credible information environment for the judicial system; ensure the security of data, systems, equipment, and network; and safeguard public rights and interests.
2. Legal basis
This policy is based on the “Key Points for Information Security Control of the Executive Yuan and Its Subordinate Agencies” and refers to the “Regulations Governing the Executive Yuan’s and Its Subordinate Agencies’ Information Security Control,” the ISO 27001 standard for information security management systems, and the MOJ’s own requirements. It is intended to establish an information security control system, strengthen the protection of information security, and raise the standard of information security.
3. Principle of information security
Information security is considered everybody’s responsibility.
4. Definition of information security
Information security refers to the application of control procedures and protection technologies to all information operations, including the software used in information systems, hardware equipment, media for storing information and data, and printed output, in order to secure the collection, processing, transmission, storage, and circulation of information.
5. Scope of information security
a. Allocation of information security responsibility
b. Personnel management and information security education and training
c. Security control for computer systems
d. Network security control
e. Control of system storage and retrieval
f. Security control for system development and maintenance
g. Security control for information assets
h. Physical and environmental security control
i. Control of business continuity management plans
j. Information security auditing
k. Reporting and management of information security incidents
6. Objectives of information security
a. Protect the confidentiality of information and prevent illegal use
No more than five cases of illegal storage or retrieval of information shall occur in an organization each year.
b. Ensure the availability and integrity of assets
The number of business stoppages caused by information security incidents in an organization is limited to three per half year, and no single stoppage shall exceed 36 hours.
c. Ensure the effectiveness and continuity of business operations
At least two situational exercises prescribed in the “Plan for Business Continuity Management” shall be held each year, and at least one exercise covering all the situations set forth in the plan shall be carried out each year.
d. Ensure staff members’ awareness of information security up to a certain level
Every staff member shall receive at least four hours’ information security education and training each year.
e. Ensure that information security measures are consistent with policy and regulatory requirements
The MOJ conducts at least two internal audits each year. Its subordinate organizations shall each conduct at least one internal audit each year.
7. Organization of information security
a. The MOJ has established a “MOJ Management Review Board on Information Security” (hereinafter referred to as the management review board) to serve as the highest body for information security control in the MOJ and its subordinate organizations. The management review board is responsible for formulating and regularly evaluating the information security policy, coordinating information security plans, and marshalling resources. The MOJ’s vice minister and the director of its Secretarial Office serve as convener and deputy convener of the management review board respectively. The director of the MOJ’s Department of Information Management acts concurrently as its executive secretary, and the directors and heads of all other departments and offices are its members. Staff and clerical support is provided by the Department of Information Management.
b. The MOJ has set up a “MOJ Information and Communication Security Task Force” (hereinafter referred to as the Task Force) to supervise the various organizations in preventing and reporting information and communication security incidents and to handle related affairs. The Task Force is headed by the director of the MOJ’s Department of Information Management, who is assisted by the deputy director of the department. The Task Force is composed of section chiefs and related officials and is divided into three subgroups: the security prevention subgroup, the crisis handling subgroup, and the auditing subgroup. An executive task force is established in each of the MOJ’s subordinate organizations.
8. Principle of allocation of information security responsibility
a. The Department of Information Management is responsible for formulating security policy, plans, measures, and technical regulations, and for the study of security technology.
b. The various business departments are responsible for studying the security requirements of their data and information systems, and for the control and protection of their use.
c. In executing various information operations, all are required to observe the “Key Points for Information Security Control of the Executive Yuan and Its Subordinate Agencies,” the “Regulations Governing the Executive Yuan’s and Its Subordinate Agencies’ Information Security Control,” the “Act for Protecting Computer-processed Personal Data” and other related regulations, including agreements the MOJ has signed with a third party.
d. The Department of Information Management is responsible for coordinating with other units to jointly conduct information security education and training.
e. In the MOJ, auditing is the responsibility of the Department of Information Management and the Department of Government Employee Ethics. In its subordinate organizations, it shall be done by their respective information units and government employee ethics units. Auditing of the subordinate organizations themselves shall be performed by the MOJ Department of Information Management and the Department of Government Employee Ethics in conjunction with the business departments.
f. Evaluation of personnel security is the responsibility of government employee ethics units.
g. When a crisis or disaster arises in the MOJ’s information and network systems due to sabotage or improper use, the Task Force shall take emergency measures as soon as possible in accordance with the MOJ’s “Plan for Business Continuity Management”; the handling procedure shall be recorded for reference.
h. When an MOJ staff member violates the information security provisions, he or she shall be dealt with according to the “MOJ Penalty Standard for Staff Members.” If Article 2 of the Public Service Act is involved, the violator shall be dealt with in accordance with Article 19 of the Act. If he or she is suspected of violating the Criminal Code, the violator shall be referred to the judicial authorities for investigation. If national compensation is involved, responsibility shall be pursued in accordance with the National Compensation Act and other laws. A violator not belonging to the MOJ shall also be pursued for criminal or civil liability according to the related laws.
9. Principle for categorization, classification, and evaluation of assets
In accordance with the nature of operations, assets are divided into six categories: information assets, physical assets, software assets, services, written documents, and personnel.
Assets are evaluated in terms of confidentiality, integrity, and availability to reflect their value.
The risk class of an asset is evaluated according to its vulnerability, the threats to it, and the impact of compromise. After classification and evaluation, the asset is subjected to a degree of security control appropriate to its value.
10. Class of unacceptable risks
After evaluation, assets are divided into risk classes, and for those above the unacceptable risk index level, a “Risk Improvement Plan” shall be formulated as the basis for supervision and control, and its execution shall be tracked to ensure that it is carried out fully.
11. Applicability declaration
The MOJ will, in keeping with the ISO 27001 standard, require a Statement of Applicability documenting whether each control standard and measure is applicable and, if not, the reasons for its inapplicability. When the organizational structure, personnel, equipment, or physical environment changes, the management review board shall redefine the applicability of the control measures.