Promulgated  by  Executive  Yuan  on  
September  15,  1999.

I.  Purpose  
1.  The  Executive  Yuan  has  promulgated  these  Directions  to  enhance  agencies’  information  security  management;  establish  a  safe  and  reliable  electronic  government;  ensure  the  security  of  information,  systems,  equipment  and  the  Internet;  and  protect  public  rights.  

II.  General  Provisions  
2.  Agencies  mentioned  in  these  Directions  refer  to  subordinate  ministries,  commissions,  councils,  banks,  directorates-general,  offices,  administrations,  museums,  Taiwan  Provincial  Government,  and  Taiwan  Provincial  Consultative  Council  and  its  subordinate  agencies  (institutions).  
3.  Agencies  should  conduct  information  security  risk  assessments  to  establish  the  required  security  standards  for  various  information  operations,  in  accordance  with  relevant  laws  and  regulations  and  in  consideration  of  administration  goals.  Agencies  should  adopt  appropriate  and  sufficient  information  security  measures  to  ensure  the  security  of  agency  information  during  collection,  handling,  transmission,  storage  and  distribution.  
4.  The  appropriate  and  sufficient  information  security  measures  mentioned  in  these  Directions  should  take  into  consideration  the  overall  importance  and  value  of  various  information  assets;  inappropriate  utilization;  leakage,  alteration  and  damage  of  agency  information  assets  due  to  human  error,  deliberation,  natural  disasters  or  other  risks;  and  the  degree  of  impact  on  or  damage  to  agency  functions.  The  adopted  management,  operational  and  technical  security  measures  should  match  the  value  and  cost  efficiency  of  information  assets.  
5.  Agencies  should  promulgate  the  implementation  of  information  security  plans  in  accordance  with  the  following  matters,  and  evaluate  implementation  performance  regularly:  
(1)  Promulgation  of  information  security  policy.  
(2)  Management  framework  for  information  security.  
(3)  Personnel  management,  and  information  security  education  and  training.  
(4)  Computer  systems  security  management.  
(5)  Internet  security  management.  
(6)  System  access  control  management.  
(7)  System  development  and  maintenance  of  security  management.  
(8)  Security  management  of  information  assets.  
(9)  Physical  and  environmental  security  management.  
(10)  Management  of  sustainable  operation  plans  for  agency  functions.  
(11)  Other  information  security  management  matters.  
6.  The  information  security  policies  mentioned  in  these  Directions  should  refer  to  operational  directions,  measures,  standards,  and  codes  of  conduct  promulgated  for  achieving  information  security  management  goals.  

III.  Establishment  of  Information  Security  Policy  
7.  Agencies  should  promulgate  information  security  policies  in  accordance  with  actual  functions,  and  request  compliance  from  their  personnel,  public  or  private  institutions  connected  via  the  Internet,  and  information  service  providers  via  written  communications,  e-mail  or  other  methods.  
8.  Information  security  policies  promulgated  by  agencies  should  be  reassessed  at  least  once  a  year  in  consideration  of  the  latest  developments  in  government  regulations,  technologies  and  functions,  and  to  ensure  the  effectiveness  of  information  security  operations.  

IV.  Organization  and  Accountability  
9.  Agencies  should  allocate  roles  and  responsibilities  to  relevant  departments  and  personnel  in  accordance  with  the  following  directions  for  labor  division:  
(1)  The  discussion,  establishment  and  assessment  of  directions  for  information  security  policies,  plans  and  technologies  should  be  conducted  by  the  information  technology  department.  
(2)  The  department  in  charge  of  this  function  should  be  responsible  for  meeting  requirements  regarding  the  discussion,  usage  management  and  security  protection  for  information  and  information  systems.  
(3)  The  civil  service  ethics  department  and  related  departments  should  be  jointly  responsible  for  maintaining  information  confidentiality,  and  auditing  the  utilization  and  management  of  information.  
If  organization  has  no  delegated  information  department  or  civil  service  ethics  departments,  the  agency  head  should  appoint  the  appropriate  department  and  personnel  to  carry  out  the  above  duties  for  agencies  .  
An  agency  head  may  adjust  organization  division  directions  prescribed  in  Paragraph  1  due  to  special  nature  of  that  agency’s  functions.  
10.  Agencies  should  conduct  information  security  audits  on  the  information  operations  of  subordinate  agencies  (institutions)  on  a  regular  or  irregular  basis.  
Agencies’  information  department  should  conduct  external  audit  operations  on  subordinate  agencies  (institutions)  jointly  with  the  civil  service  ethics  department  or  auditing  department.  
11.  Agencies  should  appoint  a  deputy  head  or  senior  supervisors  to  be  responsible  for  the  coordination  and  promotion  of  information  security  management  matters.  
Agencies  may  establish  an  inter-ministerial  promotion  task  force  for  information  security  with  regard  to  the  need  to  coordinate  and  discuss  the  overall  planning  of  information  security  policies,  plans,  resource  allocation  and  other  matters.  
The  department  appointed  by  the  information  department  or  agency  head  should  be  responsible  for  support  operations  of  the  information  security  task  force  mentioned  in  the  preceding  paragraph.  
12.  Agencies  should  appoint  appropriate  personnel  to  be  responsible  for  matters  related  to  information  security  with  regard  to  information  security  management  needs.  

V.  Personnel  Management  and  Information  Security  Education  and  Training  
13.  Agencies  should  conduct  a  security  assessment  for  information  related  duties  and  tasks,  and  assess  the  suitability  of  personnel  during  the  employment  process  and  when  assigning  duties  and  tasks.  Evaluations  may  be  conducted  necessarily.  
14.  Agencies  should  conduct  regular  information  security  management  education,  training  and  promotion,  based  on  management  needs,  functions  and  information,  to  establish  the  information  security  awareness  of  personnel.  
15.  Agencies  should  enhance  training  for  information  security  management  personnel  in  order  to  improve  their  information  security  management  capabilities.  
Scholars,  experts  or  professional  agencies  (institutions)  may  be  invited  to  provide  consulting  services  to  agencies.  
16.  Agency  personnel  responsible  for  the  management,  maintenance,  design  and  operation  of  important  information  systems  should  organize  accountability,  and  establish  a  balance  mechanism,  implement  personnel  rotations,  and  develop  a  manpower  support  system  with  regard  to  agency  requirements.  
17.  Agency  heads  and  function  supervisors  at  all  levels  should  be  responsible  for  supervising  the  security  of  information  operations  conducted  by  agency  personnel  to  prevent  illegal  and  inappropriate  actions.  

VI.  Computer  Systems  Security  Management  
18.  Agencies  should  propose  information  security  needs  when  outsourcing  information  functions.  Information  security  responsibilities  and  confidentiality  directions  for  suppliers  should  be  listed  clearly  and  included  in  contracts  for  suppliers  to  comply  with.  Suppliers  should  be  evaluated  on  a  regular  basis  
19.  Agencies  should  establish  a  control  system  for  system  modification  operations,  and  keep  records  for  later  reference  and  evaluation.  
20.  Agencies  should  duplicate  and  utilize  software,  and  establish  software  utilization  management  systems  in  accordance  with  relevant  laws  and  regulations  or  contract  regulations.  
21.  Agencies  should  adopt  necessary  preventive  and  protective  measures  in  advance  to  detect  and  prevent  computer  viruses  and  other  malicious  software,  in  order  to  ensure  normal  operation  of  information  systems.  

VII.  Internet  Security  Management  
22.  Agencies  should  assess  possible  security  risks  when  transmitting  information  or  conducting  transactions  via  public  networks,  to  ensure  that  security  requirements,  including  the  completeness  of  data  transmitted,  confidentiality,  identity  authentication  and  non-repudiation,  are  met.  Agencies  should  also  draft  appropriate  security  control  measures  for  data  transmission,  dial-up  lines,  Internet  lines  and  equipment,  external  connection  interfaces,  and  routers.  
23.  Agencies  should  carefully  concern  while  open  information  systems  for  external  connection  operations  of  the  importance  and  value  of  data  and  systems,  and  adopt  data  encryption,  identity  authentication,  electronic  signatures,  firewalls,  security  vulnerability  detection,  and  other  technologies  or  measures  at  various  security  levels  to  prevent  hacking,  damage,  alteration,  deletion  and  unauthorized  access  to  data  and  systems.  
24.  Agency  websites  connected  to  an  external  network  should  be  equipped  with  a  firewall  and  other  necessary  security  equipment  to  control  data  transmission  and  resource  access  between  external  parties  and  the  agency  intranet.  
25.  When  opening  up  information  systems  to  external  connection  operations,  agencies  should  ask  external  parties  to  access  data  via  a  proxy  server  to  prevent  these  parties  from  entering  the  information  system  or  database  directly  when  accessing  data.  
26.  Agencies  should  implement  a  data  security  rating  assessment  system  when  using  the  Internet  and  global  information  networks  to  publish  and  distribute  information.  Confidential,  sensitive  and  private  information  and  documents  which  may  not  be  used  without  proper  consent  may  not  be  published  on  the  Internet.  
Security  protection  measures  should  be  enhanced  for  websites  with  personal  data  and  files,  to  prevent  private  information  from  being  stolen  and  used  inappropriately  or  illegally.  
27.  Agencies  should  promulgate  e-mail  usage  regulations.  Confidential  data  and  documents  may  not  be  transmitted  via  e-mail  or  other  electronic  methods.  
Agencies  should  use  encryption,  electronic  signatures  or  other  security  technologies  for  sensitive,  confidential  data  and  documents  that  need  to  be  transmitted  with  regard  to  agency  needs.  
An  agency  may  use  security  technologies,  such  as  encryption  or  electronic  signatures  approved  by  the  competent  agency,  for  confidential  data  and  documents  transmitted  via  e-mail  or  other  electronic  methods  due  to  special  nature  of  that  agency’s  functions.  
28.  Agencies  should  procure  information  software  and  hardware  in  accordance  with  national  standards  or  government  information  security  directions  promulgated  by  the  competent  agency,  and  propose  information  security  requirements  to  be  included  in  the  procurement  specifications.  
Agencies  should  utilize  encryption  applications  approved  by  the  competent  agency  when  developing  and  using  encryption  technologies.  
Agencies  should  request  manufacturers  to  produce  an  export  permit  or  relevant  authorization  documents  when  purchasing  encryption  applications  manufactured  overseas,  to  ensure  the  security  of  these  products  and  avoid  the  purchase  of  products  with  key  escrow  or  key  recovery  function.  

VIII.  System  Access  Control  Management  
29.  Agencies  should  promulgate  system  access  policies  and  authorization  directions,  and  inform  staff  and  users  about  the  relevant  authority  and  responsibilities  via  written  communication,  e-mail  or  other  methods.  
30.  Agencies  should  grant  necessary  system  access  authority  to  staff  at  different  levels  in  accordance  with  information  security  policies  with  this  access  authority  limited  to  those  necessary  for  performing  statutory  duties.  Staff  granted  with  the  highest  level  of  system  administration  authority,  and  designated  staff  responsible  for  important  technologies  and  operational  control  should  be  assessed  carefully.  
31.  Agencies  should  terminate  information  and  resource  access  authority  for  staff  members  who  have  resigned  or  are  on  leave,  and  include  this  as  a  mandatory  procedure  in  the  resignation  and  leave  application  process.  
The  access  authority  for  agency  personnel  whose  functions  have  been  revised  or  transferred  should  be  adjusted  before  the  stipulated  deadline  and  in  accordance  with  the  directions  for  system  access  authorization.  
32.  Agencies  should  establish  a  user  registration  administration  system  to  enhance  the  management  of  user  passwords  for  access,  and  request  users  to  update  passwords  regularly.  An  agency  should  determine  the  password  update  cycle,  which  should  not  exceed  a  six-month  period,  with  regard  to  the  operating  system  and  security  management  needs.  
Agencies  should  create  a  list  of  personnel  with  special  access  authority  in  order  to  enhance  security  control,  and  shorten  their  password  update  cycles.  
33.  When  opening  up  information  systems  for  external  connection  operations,  external  parties  should  sign  contracts  or  agreements  beforehand  that  prescribe  directions,  standards  and  procedures  for  information  security,  and  responsibilities  to  be  complied  with.  
34.  Agencies  should  enhance  security  control  and  create  a  list  of  system  service  provider  personnel  who  conduct  system  maintenance  by  remote  log-in,  in  order  to  monitor  them  with  relevant  security  and  confidentiality  responsibilities.  
35.  Appropriate  and  sufficient  security  control  measures  should  be  adopted  for  the  filing  of  important  agency  information,  inner  or  outer  of  the  agency,  to  prevent  such  information  from  being  stolen,  modified,  sold,  leaked  and  duplicated  improperly.  
36.  Agencies  should  establish  system  audit  plan  and  an  information  security  audit  system.  Information  security  audits  should  be  conducted  on  a  regular  or  irregular  basis;  deletion  and  alteration  of  audit  records  stored  in  systems  should  be  prohibited.
 
IX.  System  Development  and  Maintenance  of  Security  Management  
37.  Agencies  should  take  information  security  requirements  into  consideration  during  the  initial  phase  of  the  system’s  life  cycle  when  developing  systems  independently  or  outsourcing  system  development.  Security  control  should  be  established  for  the  maintenance,  update,  online  implementation,  and  version  control  to  prevent  improper  software,  trapdoors  and  computer  viruses  from  damaging  the  system’s  security.  
38.  Agencies  should  prescribe  standards  and  restrictions  on  the  scope  of  systems  and  data  that  suppliers’  software/hardware  system  development  and  maintenance  personnel  come  in  contact  with,  and  strictly  prohibit  the  issuance  of  long-term  system  identification  and  access  passwords.  
Agencies  may  issue  short-term  and  temporary  system  identification  and  access  passwords  for  suppliers,  based  on  actual  operational  needs.  However,  access  authority  should  be  terminated  immediately  upon  completion  of  duties.  
39.  Suppliers  should  only  begin  the  construction  and  maintenance  of  important  software  and  hardware  for  outsourced  projects  under  the  supervision  and  accompaniment  of  agency  personnel.  

X.  Planning  of  Sustainable  Function  Operations  
40.  Agencies  should  promulgate  a  sustainable  operation  plan  for  agency  functions,  assess  the  impact  of  man-made  and  natural  disasters  on  normal  agency  operations,  establish  emergency  response  and  recovery  procedures,  prescribe  the  responsibilities  of  relevant  personnel,  conduct  drills,  and  adjust  and  update  plans  regularly.  
41.  Agencies  should  establish  an  emergency  management  system  for  information  security  incidents.  Emergency  security  incidents  should  be  managed  in  accordance  with  the  prescribed  procedures  and  reported  to  the  competent  department  or  personnel  immediately.  Response  measures  should  be  adopted,  and  prosecution,  police  and  investigative  department  should  be  contacted  to  assist  investigations.  
42.  Agencies  should  establish  and  differentiate  data  security  ratings  in  accordance  with  relevant  laws  and  regulations,  and  adopt  appropriate  and  sufficient  information  security  measures.  

XI.  Others  
43.  Agencies  should  promulgate  proper  physical  and  environmental  security  management  measures  for  equipment  installation,  the  surrounding  environment,  and  personnel  access  control.  

XII.  Supplementary  Provisions  
44.  An  agency  may  prescribe  relevant  directions  separately  due  to  special  nature  of  that  agency’s  functions.  
45.  Municipal  city  or  county  (city)  governments  which  have  not  promulgated  directions  for  information  security  management  may  use  these  Directions.