:::

Bulletin

     
    Information Security and Emergency Response Plan (Safe management)  
     
     I. Basis of the Plan
     
      The new information network built by this Government, which links to various institutions outside the administrative building, together with rapidly developing data communication and network technology, has greatly increased the potential for theft of and tampering with information. The Plan is enacted in view of the evident threat that frequent earthquakes in recent years pose to the safety of personnel, equipment and data, in coordination with “The Regulations Governing Information Security Management of the Executive Yuan and Organizations under the Executive Yuan” promulgated by the Executive Yuan, and with reference to the contents of the Supporting Security Plan for the Facility Room previously implemented by the Sector.
     II. Objectives
     
      To ensure the safety of the personnel, equipment and information of the Sector.
      To take preventive measures against accidents and sabotage.
      To carry out timely remedies and minimize any decline in information service quality.
     III. Scope
     
      Personnel, equipment and the information of the various application systems of the Sector.
      Personnel stationed and equipment installed by other institutions under the City Government.
      Other equipment provided by the Sector for various institutions and the citizens.
     IV. Regulations on Information Security
     
      Security measures and maintenance should be applied to the computer equipment and information confidentiality of this Division. The superintendents or persons responsible should supervise within their own authority and duties, and may set forth and announce management regulations for their internal personnel, resources and information according to the nature of their business. They should also take the necessary auditing measures to strengthen information security.
      The network of this Government should be equipped with a firewall to reinforce security protection and prevent hacking from outside; related functions should be updated or adjusted from time to time as changes in the environment require.
      Identification and confidentiality measures should be set up in the most effective manner available for the input, processing, transmission and storage of information, including identification codes, passwords, and encryption and decryption.
      The issuance of identification codes and passwords to relevant persons should be handled by a dedicated responsible person. When a person is transferred or changes position, his/her access to the various resources should be revoked immediately in order to eliminate any possible chance of hacking. Short-term and temporary identification codes and passwords may be issued to manufacturers for equipment maintenance, but should be revoked upon completion.
      Information residing in key operating systems, software applications and other related files should be backed up and the backups stored separately. Backups of files that need long-term retention or are critical should be kept separately in fireproof and shockproof equipment.
      All computer programs and their design, testing, production, use and maintenance should be strictly controlled. Ratified programs may not be altered without prior permission; any necessary alteration should be made only after approval.
      Self-testing should be enhanced on the server systems and the mainframe in the network; attention should be paid to the access transparency of the local network; unnecessary connections by visitors should be closed to avoid hacking. Users of PCs and other equipment should also conduct frequent checks to guard against theft of confidential information.
      Abide by the Copyright Act. Use of software of unknown source is forbidden, to prevent virus infection.
      The Division should hold seminars or trainings on network security on an irregular basis, depending on actual need.
      Any violation of the information security-related regulations is subject to penalties according to its severity.
     V. Accident Prevention
     
      The information facilities in the units of this Division should be managed by dedicated persons designated by the superintendent of each unit. Computers should be used with care and not subjected to heavy loads or impact; only quality tools are allowed for repair and maintenance of parts. Special attention should be paid to the power supply to prevent any hazard caused by defective products or power overload.
      The stationing, installation and removal of equipment in the facility room should be carried out pursuant to the relevant provisions of ISO 9002 for Quality Systems. Regular inspections should be made of the power supply, UPS and fireproof equipment; persons who handle these facilities should take care.
      The Division should deploy access control systems in its facility rooms and offices; unauthorized persons may not be allowed in the facility rooms or control room. Computer rooms and office premises should install access control systems. No access to the machine room or main control room should be allowed to unauthorized persons. Off-hours restrictions should be imposed on office premises to keep out unauthorized persons and prevent sabotage and accidents. The unit superintendents should strengthen education on office security awareness. Actively approach and question any unfamiliar visitor, watch for any unusual items being carried, and restrict access to important equipment as a precaution.
      Objects such as printouts, instruments, materials and tapes should be stored tidily and locked away when necessary to guard against theft.
      No stockpiling of cartons or flammables should be allowed in the machine room or office premises. Care should be taken when handling such objects, and they should be kept away from power supplies.
     VI. Emergency Response
     
      A. Responses to natural disasters
    (1) Response to fire:
    1. The Halon anti-fire system installed in the facility room should first be turned off once it has been activated (depending on the urgency of the situation), to stop the sprayed foam from damaging the equipment. When a fire is inextinguishable, the fire system is manually activated to put the fire out using sprayed foam. In case of a large, wide-stretching fire, the system should be activated to extinguish it. Education and training in the use of the fire equipment should be held so that all operators are skilled. Firefighting training should be provided for all operators frequently enough to familiarize them with the skills.

    2. On sensing a fire, locate its cause as soon as possible and shut down the power supply; remove the burning objects or put out the flames using fire extinguishers. Upon sensing a fire, first turn off the main power supply, then locate the cause, then remove any burning objects or put out the fire with a fire extinguisher. Unless absolutely necessary, avoid spraying the extinguisher directly onto the computer equipment.

    3. Quickly remove any flammable objects, related equipment and media. Report to your superior and ask for support.

    4. Each business unit should formulate a manual operating procedure for all staff members to follow in the event of a computer crash or a fire breaking out in the machine room.

    (2) Response to earthquake:
    1. In case of a strong earthquake, seek shelter by following earthquake survival rules, and carry out the emergency shutoff immediately once the emergency is lifted, before evacuating to a safe place.

    2. The on-duty persons in facility rooms should inspect all the equipment immediately after the earthquake, paying special attention to the power lines, record the findings in the facility operation log, and resolve any abnormalities or report them for repair.

    (3) Other disasters:
    First take responsive measures appropriate to the situation, then report upward.
      B. Response to sabotage
    (1) Personal intrusion:
    1. Where the facility is equipped with access control, any intruding stranger must be questioned about his/her intention before being directed to the desired site.

    2. In the event of an intrusion with hostile intent, try to stall by pretending to answer, and find time to report to one’s superior so that the building’s resident guard can be called to handle it.

    (2) Network intrusion:
    1. Critical information on the main computer in each unit should be backed up at all times. On finding an intrusion by hacking, report immediately to one’s superintendent while isolating the main computer from the others, then carry out examination and recovery. After the event, review and improvement should be carried out promptly, and the handling reported as the regulations stipulate.

    2. The Division should appoint network security monitors who use network auditing software to monitor the use of the network on an irregular basis. When an intrusion by hacking is suspected, the monitor should report to the unit’s superintendent immediately, and may use related software to monitor, trace and check, and to counter-attack, for instance by breaking the connection, when required, and inform the main computer being illegally accessed of the intrusion so that it can respond. After the event, the handling should be recorded in the facility room log and reported as the regulations stipulate.

    (3) Hazardous objects:
    Stay on high alert for gasoline bombs, strong acid, suspected explosives, or objects that smell of gunpowder or make a clock-ticking sound. DO NOT pry them open or move them; evacuate the persons concerned and report to the authorities (civil service ethics office, the police squad stationed at the Government, or the City Police Bureau).
     VII. Situation Reporting
     

    In the event of an incident, please report to the superintendent of the unit without delay, or call the following numbers depending on the situation:

    Facility room: 3373633 or City Government main line for 2772
    Planning and Design Sector: 3373627 / 3373628
    Web Service Sector: 3373630 / 3373629
    Equipment Management Sector: 3373632 / 3373631
    Office of Civil Service Ethics, Department of Budget, Accounting and Statistics: 3314767 / 3373616
    Police Squad stationed at the Government: 3373757 / 3373758
    City Government Police Bureau: 110
     

     VIII. Performance appraisal
     

    Every person should act in accordance with the regulations of this plan to ensure that information security work is carried out; violation of any of the regulations is subject to handling appropriate to the situation.

     IX. Supplementary Provisions
     
      This plan becomes effective after approval. Matters not stated herein, if any, may be supplemented by official letters.
    :::