This Directorate General's core operation is the Cargo Clearance Automation System and its related operations. To protect the information assets of this core operation (information assets include data, systems, equipment, etc.) from risks such as being altered, disclosed, destroyed, or lost due to external threats or improper management and use by internal personnel, we have drawn up this Information Security Policy (ISP for short).
ISP is defined in accordance with laws and regulations including "Executive Yuan and its subordinates Information Security Management Point", "Executive Yuan and its Subordinates Information Security Management Constraint", "Ministry of Finance and its Subordinates Information Security Management Principle", "Customs Administration, Ministry of Finance and its Subordinate Information Security Management Operation Regulation", "Customs Law", and "Data Protection Law", and in consideration of customs clearance requirements.
This Directorate General's vision is: To provide convenient, efficient and safe customs clearance service.
IV. Information Security Policy
A. Essence of information security
The essence of information security generally falls into three categories:
Ensuring that all information assets provide prompt and correct service and fulfill users' requirements.
Categorizing information assets according to importance and providing proper protection to ensure their integrity.
Classifying data into levels and applying appropriate restrictions and protection according to its classification.
Given the nature and vision of this Directorate General's core operation, information security means ensuring the availability, integrity, and confidentiality of the Cargo Clearance Automation System and the information assets of its related operations.
To meet this Directorate General's expectations and requirements for information security maintenance, this Directorate General will take this policy as a base, refer to organizational development requirements, and consider the risks to information assets in order to establish an integral, feasible, and effective Information Security Management System (ISMS for short) and provide the best assurance for the information security of this Directorate General.
To achieve the purpose above, this Directorate General classifies related policies into two categories: Quantitative and Qualitative.
1. Quantitative policy includes:
a. To ensure that service availability of the Cargo Clearance Automation System is above 99% per year.
b. Information security events occur fewer than three times every half year.
c. Once a "Q&A form" (Document No. 0154029) of the Cargo Clearance Automation System is received by the Department of Information Management, it should be completed within two working days; the target achievement rate is 94% per year.
d. To ensure that related information security actions and restrictions comply with current laws and regulations (verified at least once every half year).
e. To maintain and test the feasibility of the business continuity management plan (tested at least once every half year).
f. To provide appropriate information security training to all personnel according to their job functions and responsibilities (conducted at least once every half year).
g. To establish an information asset risk evaluation process and carry out risk evaluation at least once a year.
2. Qualitative policy includes:
a. To enhance internal control and prevent unauthorized access so that information assets are properly protected.
b. To properly protect confidentiality and integrity of information assets.
c. To ensure that information is not revealed to unauthorized third parties during transmission or through negligent behavior.
d. To ensure that information security incidents and suspected security weaknesses are properly reported upward through the reporting channel and are properly investigated and handled.
ISP applies to all personnel (including contract employees, work-study students, and those in alternative military service) in this Directorate General, every Customs, contracted vendors, outsourced vendors, and all related information assets.
VI. Responsibility Assignment
A. The top management of every Department (Office) in this Directorate General should actively participate in and support ISMS activities.
B. The Information and Communication Security Handling Unit of this Customs Administration and all Customs is responsible for maintaining and implementing this Directorate General's information security. For this unit's responsibilities, please refer to the responsibility and procedure arrangement book of the information security organization.
C. The top management of every Department (Office) in this Directorate General should implement the requirements of this policy through proper procedures.
D. All personnel in this Directorate General, every Customs, contracted vendors, and outsourced vendors are responsible for following this policy.
E. The above-mentioned persons are responsible for reporting any information security incident or suspected information security weakness they find through the proper reporting channel.
VII. Risk Evaluation and Management
To achieve the vision of this organization and fulfill the quantitative and qualitative policy objectives, this Directorate General establishes a risk evaluation and management procedure book to effectively manage the risks that information assets face and reduce them to an acceptable range.
VIII. Compliance with Information Security Policy
A. Any personnel in this Directorate General, every Customs, contracted vendor, or outsourced vendor who fails to follow this policy or related information security regulations, or who engages in any other behavior that endangers this Directorate General's information security, will be subject to the proper disciplinary procedure or legal action. Anyone who provides a suggestion to improve information security regulations or techniques will be properly rewarded once the suggestion is proved successful.
B. All personnel in this Directorate General are required to sign the "Confidential Agreement on Customs Personnel Information Security Responsibility" and to be aware that all information accessed during their working period in this Directorate General is an asset belonging to this Directorate General and may not be used for other unauthorized purposes.
IX. Revision of Information Security Policy
This policy should be reappraised at least once a year to reflect the up-to-date status of government regulations, techniques, and operations and to ensure the effectiveness of information security practice.
Information Management Office
TEL：+886-3-3834265 ext 458