Cyber Security Policy of the Fiscal Information Agency and Regional National Taxation Bureaus(Version 2.5)
1.1 “Cyber Security Management Act” and Related Regulations
1.2 “Cyber Security Policy and Organization Management Guidelines of the Ministry of Finance and Its Subordinate Agencies” promulgated by the Ministry of Finance
1.3 ISO27001 and CNS27001 Standards
The main idea of this cyber security policy is “Cyber Security is Everyone's Responsibility”. Colleagues shall be familiar with and follow cyber security regulations and the “Basic Knowledge of Information Security of the Ministry of Finance and Its Subordinate Agencies”, and implement the security protection of the information and communication devices and systems to ensure the information security of the organization.
3.1 This policy is established to be the core guidance of the information security management system, for providing reliable information and communication services, assuring the confidentiality, integrity and availability of information, and complying with the “Cyber Security Management Act”, “Tax Collection Act”, “Regulations Governing the Use of Uniform Invoices”, “The Act Governing Local Tax Regulations”, “The Classified National Security Information Protection Act”, “Personal Data Protection Act” and other related regulations, to ensure the regularity, safety, and stability of the information and communication operations of the Fiscal Information Agency (including Service Support Division) and National Taxation Bureau of each region (the “Administrative Agencies”).
3.2 To effectively maintain the continuous operation of the administrative agencies effectively and reduce the risks associated with information and communication operations to achieve the objectives of “Implementing customer-oriented services and creating high quality lives” and “Optimizing resource allocation and improving the efficiency of tax administration”.
4.1 The scope of the information security management systems covers the information and communication operations of the administrative agencies.
4.2 This policy applies to colleagues of the administrative agencies (including full-time employees, contractors, technicians, maintenance workers, temporary personnel, and part-time employees), business-related agencies (organizations), vendors, service providers and third-party personnel.
5.1 Cyber Security Management Review Committee
The highest decision-making organization of the cyber security management of the administrative agencies; executing management review of general cybersecurity-related affairs.
5.2 Cyber Security Execution Team
Performing general asset risk assessment and risk management; revising and controlling the information security management system; performing business continuity management in information and communication operations.
5.3 Cyber Security Audit Team
Performing general cyber security audit.
5.4 Applicable personnel of this policy
Cooperating with the information security management system activities and abiding by relevant regulations.
6.1 Cyber Security
Refers to such effort to prevent information and communication system or information from unauthorized access, use, control, disclosure, damage, alteration, destruction or other infringement to assure the confidentiality, integrity and availability of information and system.
Anything valuable to the organization, such as information, people, software, hardware, services, buildings, and protection facilities.
6.3 Cyber Security Management System
Information Security Management System (ISMS).
7. Implementation Guidelines
7.1.1 Consider relevant laws, regulations, and operational requirements, conduct asset risk assessments, confirm the security requirements of information and communication operations, establish standard operating procedures, adopt appropriate security control measures, to ensure asset security.
7.1.2 Establish a cyber security organization and determine the segregation of duties, to facilitate cyber security works.
7.1.3 Based on the roles and functions of personnel, establish an evaluation or assessment system, and conduct cyber security training as needed.
7.1.4 The provisions of asset access shall be based on business requirements and consider minimum permissions, segregation of duties and responsibilities, and independent review.
7.1.5 Establish cyber security incident management procedures to ensure a proper response, control and processing of incidents.
7.1.6 Develop a business continuity plan and conduct regular drills to ensure the continuity of information and communication operations.
7.1.7 According to the "Personal Data Protection Act", intellectual property rights, and relevant regulations, process and protect personal data and intellectual property rights prudently.
7.1.8 Conduct regular cybersecurity audits and review the implementation of the information security management system.
7.1.9 If colleagues of the administrative agencies violate this policy and the relevant cyber security regulations, they shall be dealt with the Reward and Punishment Regulations for Tax Officers of the Ministry of Finance or relevant regulations. Violations of relevant cyber security regulations by other personnel shall also be investigated for criminal responsibility following relevant laws and regulations.
7.2 Security Objectives
7.2.1 To maintain the continuity of information and communication operations of the administrative agencies to provide an integrated service across tax categories, agencies, and years.
7.2.2 To protect the assets related to the information and communication operation maintenance and management of the administrative agencies from improper or illegal use by human intent; to prevent the incursive and destructive behaviors by hackers and viruses.
7.2.3 To establish the information security management process and related standard operating procedures of the administrative agencies to avoid negligent behaviors and incidents, strengthen colleagues' cyber security awareness, and help to achieve the aim which collection of taxes and services could operate on a secure and integrated resource sharing platform.
7.3.1 This policy shall be evaluated at least once a year, or re-evaluated when there are major changes in the organization (such as organizational adjustments, major system changes) to comply with the relevant regulations, latest technologies, and business operations of the administrative agencies, and shall be appropriately revised.
7.3.2 This policy is approved by the Cyber Security Management Review Committee and implemented on the announcement day, and the applicable personnel of this policy are notified in writing, electronically or in other ways.