1.1 This Policy serves as the reference basis for the relevant management guidelines and operating procedures of the Information Security Management System (hereinafter referred to as ISMS) of this Academy. At the same time, it continues the use of the PDCA-cycle management model for continuous improvement set out by the International Organization for Standardization (ISO), integrates and strengthens the cyber security management system, establishes an institutionalized, documented and systematized management mechanism, and continues to supervise and review management performance in order to implement the concept of cyber security management and continuity of business operations, as well as to achieve the following goals:
1.1.1 Establish, implement and maintain cyber security management policies.
1.1.2 Introduce ISMS in full force.
1.1.3 Train information manpower for security professional skills in the field of information and communication.
1.1.4 Strengthen the cyber security environment and adaptability of cyber security.
1.1.5 Achieve the measures and indicators of cyber security management policies.
1.2 Ensure the confidentiality, integrity and availability of the information assets of this Academy, and meet the requirements of relevant laws and regulations, so as to protect those assets from internal and external deliberate or accidental threats and to protect the rights and interests of the stakeholders of this Academy.
Scope of Application
2.1 Applicable within the scope of ISMS covered by this Academy.
2.2 Cyber security management covers 14 management items in order to avoid improper use, leakage, tampering, and destruction of information due to human negligence, deliberate acts or natural disasters and other factors, which may bring various possible risks and harm to this Academy. The management matters are as follows:
2.2.1 Formulation and evaluation of cyber security management policies.
2.2.2 Responsibilities and division of labor of cyber security organizations.
2.2.3 Human resource security.
2.2.4 Information assets management.
2.2.5 Access control.
2.2.6 Password control.
2.2.7 Physical and environmental security.
2.2.8 Operational safety.
2.2.9 Communication security.
2.2.10 Acquisition, development and maintenance of information systems.
2.2.11 Supplier relationship.
2.2.12 Cyber security incident management.
2.2.13 Cyber security aspects of operational continuity management.
Security Management Policy
In order to promote the implementation and execution, effective operation, supervision and management, and continuity of the ISMS of this Academy, and to maintain the confidentiality, integrity and availability of the important information systems of this Academy, this cyber security management policy is hereby issued. This Policy aims to provide colleagues with a clear guiding principle in their daily work. All colleagues are obliged to actively participate in the promotion of cyber security management policies to ensure the safe maintenance of all staff’s data, information systems, equipment and networks. It is also hoped that all colleagues will understand, implement and maintain the policy in order to achieve the goal of continuous operation of information.
3.1 Implement cyber security and strengthen service quality
The ISMS is to be implemented and executed by all colleagues. All information operations and related measures shall ensure the confidentiality, integrity and availability of business information, and avoid risks such as leakage, destruction or loss arising from external threats or improper management by internal personnel. Appropriate protection measures shall be selected to keep risks at acceptable levels, and the work of the information security management system shall be continuously monitored, reviewed and audited in order to strengthen service quality and improve service standards.
3.2 Strengthen cyber security training to ensure continuous operation
All colleagues shall be supervised in implementing cyber security management, and appropriate cyber security education and training shall be carried out every year to establish the concept that “everyone is responsible for cyber security”, to urge colleagues to understand the importance of cyber security, and to encourage them to comply with cyber security regulations. By these means, cyber security awareness and emergency response capabilities are advanced and cyber security risks are reduced, so as to achieve the goal of continuous operation.
3.3 Prepare well for emergency response and swiftly recover from disasters
Formulate emergency response plans and disaster recovery plans for important information assets and critical businesses, and regularly implement various emergency response procedures drills to ensure that when information system failures or major disaster and emergency events occur, the system can be swiftly recovered so to ensure that critical businesses will continue to operate and losses will be minimized.
Goals of Cyber Security Management
The cyber security goals that this Academy is required to achieve to implement ISMS shall be conducted in accordance with the relevant procedural instructions of the cyber security management goals.
Cyber Security Responsibilities
5.1 The management level of this Academy shall be responsible for establishing and reviewing policies.
5.2 Cyber Security Managers implement this Policy through appropriate standards and procedures.
5.3 All personnel and contracted outsourcing suppliers must follow the procedures to maintain cyber security management policies.
5.4 All personnel are responsible for reporting and handling security incidents and any identified weaknesses.
5.5 Any deliberate violation of cyber security shall be subject to relevant regulations or legal actions.
Information Security Management System (ISMS)
6.1 General requirements
In response to the requirements of the ISO 27001:2013 information security management standard, this Policy is hereby formulated to serve as the regulations for the construction and development, implementation and operation, monitoring and review, and continuous improvement of the overall ISMS, and cyber security management policies and management goals are established based on the business activities and risks of this Academy.
6.2 Identification of the organization overview
6.2.1 This Academy shall determine internal and external issues in relation to the operational purpose of this Academy and that will affect the expected results of ISMS, identify the stakeholders in relation to the services provided by this Academy and the needs and goals of these stakeholders for this Academy, and objectively determine the scope of ISMS of this Academy.
6.2.2 Operational procedures for organization overview identification and management shall be established in order to systematically identify the core business of this Academy and the stakeholders in relation to that core business, as well as the needs and goals of these stakeholders for the core business of this Academy; to determine the level of impact on this Academy if those needs and expectations cannot be met; and to assess the scope of ISMS introduction and verification.
6.3 ISMS construction and development
6.3.1 Establish ISMS
6.3.1.1 Brief description of the process
This Academy establishes ISMS in accordance with the ISO 27001:2013 standard. The process is briefly explained as follows:
6.3.1.1.1 The “Cyber Security Management Committee” of this Academy was established in accordance with the standard recommendations and the requirements of the competent authority.
6.3.1.1.2 This Academy takes the whole organization as the scope of ISMS implementation, and there will be no difference due to the selected scope of verification.
6.3.1.1.3 The “Cyber Security Management Policy” is issued to explain the cyber security management policy, management goals and implementation methods of this Academy.
6.3.1.1.4 Carry out risk assessment operations to discover the security weaknesses of assets and the organization, together with their threats and impacts, and evaluate their risk levels. After they are compiled into a “risk assessment report”, the “risk treatment plan” will be executed and tracked.
6.3.1.1.5 Set the scope of implementation of risk management based on the cyber security management policy and the results of the risk assessment.
6.3.1.1.6 Select the cyber security control goals and measures suitable for implementation, and review and confirm their feasibility and effectiveness.
6.3.1.1.7 Record the selected security control goals, control measures, reasons for selection and other information in the “Statement of Applicability” document.
6.3.1.1.8 In order to implement cyber security and continuous improvement, this Academy will review the aforementioned steps in a timely manner based on actual needs and make necessary changes and revisions.
6.3.1.2 All colleagues of this Academy and personnel dispatched by outsourced suppliers must follow the cyber security management policy and cyber security goals of this Academy, and abide by the requirements of the ISMS operating procedures, management regulations, and relevant laws and regulations. Anyone who intentionally or negligently violates them shall be subject to disciplinary action and punishment in accordance with the personnel regulations or outsourcing contract, depending upon the circumstances of the violation and the impact caused.
6.3.1.3 If an outsourcing supplier needs to re-outsource when performing outsourced business of this Academy, it shall assess the cyber security risks in relation to the re-outsourced business, and the outsourcing supplier shall be required to conduct appropriate supervision and management of the re-outsourced supplier in accordance with relevant regulations such as those of the ISMS.
6.3.1.4 In the process of internal and external project management, the various cyber security requirements in relation to the project shall be clearly specified and stated, and the results of the risk assessment shall be used to determine and implement cyber security control measures, so as to ensure the confidentiality, integrity and availability of internal and external project information and to reduce the risk of sensitive information (including personal data) leakage and violation of laws and regulations.
6.3.1.5 The requirements and criteria for internal and external communication in relation to the ISMS shall be determined and established. The content must include: what to communicate, when to communicate, who to communicate with, who should be the one to communicate, and which communication process should be implemented, to ensure that the various cyber security businesses of the ISMS are appropriately communicated and conveyed internally so as to facilitate the promotion and management of the ISMS.
6.3.1.6 The management procedures for portable information equipment (including smart mobile devices) and portable storage media shall be formulated, and colleagues shall be required to implement such procedures. Regular risk assessments targeting portable information equipment (including smart mobile devices) and portable storage media shall be conducted, appropriate control measures selected based on the results of the risk assessment, and regular operational checks performed on colleagues to ensure that the risks of using portable information equipment and storage media are monitored and the risk of leakage of confidential information is reduced.
6.3.2 ISMS implementation and operation
6.3.2.1 A risk treatment plan shall be formulated, and appropriate management measures, responsibilities and priorities shall be systematically identified and stated in order to manage cyber security risks.
6.3.2.2 Implement the control measures selected in the risk treatment plan to prevent and control various risks, including the implementation of established management plans so as to achieve the set cyber security goals.
6.3.2.3 Measures, indicators and usage methods for the effectiveness of security control measures shall be drawn up to determine the degree to which the selected control measures achieve the required cyber security goals.
6.3.2.4 For training and awareness programs required for personnel, please refer to section 7.2.2 hereof.
6.3.2.5 All operations shall be performed in accordance with the operation specifications and procedures, and the status of the execution of each operation shall be inspected and managed from time to time.
6.3.2.6 The implementation status of each plan toward its goals shall be measured regularly, and relevant control measures and goals adjusted in a timely manner based on the measurement results.
6.3.2.7 For the management of the various resources required during execution, please refer to Section 7.2 hereof.
6.3.2.8 Unit supervisors shall speed up the detection of security incidents and respond with treatment by means of irregular inspection tours, internal and external audits, or reports and suggestions made by unit personnel.
6.3.3 ISMS monitor, control and review
6.3.3.1 This Academy adopts the following monitoring methods to ensure that the scope of ISMS coverage will be safe and sound:
6.3.3.1.1 Personnel shall go on regular and irregular inspection tours to check whether the various equipment and the environment are in normal condition.
6.3.3.1.2 Use cameras to monitor the entry and exit of people in various areas and record the video as evidence.
6.3.3.1.3 Various monitoring indicators shall be set, regularly checked and recorded to assist in judging security incidents and to prevent and deal with such incidents immediately.
6.3.3.1.4 Unit supervisors shall pay attention to reported incidents or the execution status of personnel at any time, and then decide on the corresponding control measures. If necessary, personnel may be transferred for a short time to avoid system failure or man-made sabotage.
6.3.3.1.5 Cooperate in regular internal audits to confirm whether the various security measures and control procedures are implemented as expected.
6.3.3.1.6 Pay attention to cyber security incidents at this Academy at all times, carefully evaluate the causes and consequences of the incidents, and cooperate in the implementation of corrective and preventive measures so as to improve the overall cyber security environment and reduce the probability of cyber security incidents.
6.3.3.1.7 The management level shall use management review meetings or internal meetings to discuss possible security vulnerabilities and decide on solutions.
6.3.3.2 Regularly review the effectiveness of the ISMS in management review meetings, and consider security audits, incidents, effectiveness measurements, and suggestions and feedback from stakeholders.
6.3.3.3 Review the cyber security risk, residual risk and acceptable risk level at management review meetings, and consider changes in the organization, technology, unit operation goals and procedures, identified threats and external events (including laws and regulations, contractual obligations and the social environment).
6.3.3.4 Perform an internal audit every year to determine whether the ISMS is implemented in accordance with the operation process and whether it achieves the expected function.
6.3.3.5 Convene at least one management review meeting a year to perform a formal ISMS review so as to ensure that the scope is appropriate and that the various improvement measures of the ISMS process have been identified and implemented.
6.3.3.6 The cyber security maintenance plan shall be revised in a timely manner based on the results of monitoring and review so as to meet the cyber security policy, cyber security goals and various cyber security requirements.
6.3.3.7 All activities and events that have an impact on the effectiveness or performance of the ISMS must be recorded.
6.3.4 Continuous improvement of ISMS
This Academy shall regularly carry out the following tasks:
6.3.4.1 Use the results of risk assessment and internal and external audits to improve the overall cyber security environment.
6.3.4.2 Take appropriate corrective and preventive measures, and adopt lessons learned from the security experience of other units or from internal incidents.
6.3.4.3 Communicate with relevant institutions on the results and various measures and solicit opinions.
6.3.4.4 Modify the ISMS if necessary.
6.3.4.5 Ensure that all modification measures achieve the expected goals.
6.4 Required documents
6.4.1 General requirements
The ISMS documentation of this Academy shall include the following items:
6.4.1.1 A written statement of cyber security management policy and security management goals.
6.4.1.2 ISMS application scope and various operating procedures.
6.4.1.3 Risk assessment report.
6.4.1.4 Risk treatment plan.
6.4.1.5 Documents required by the organization to ensure effective planning, operation and control of the cyber security process.
6.4.1.6 Records required by the ISO 27001 standard and by the superior authority.
6.4.1.7 Statement of Applicability.
6.4.2 Document control
Documents required by ISMS shall be protected and controlled. Records are a special type of document, which shall be controlled in accordance with the requirements set out in Section 6.4.3, and a documented procedure should be established to define the required controls in order to:
6.4.2.1 Approve the appropriateness of the document before its issuance.
6.4.2.2 When necessary, review, update and re-approve documents.
6.4.2.3 Ensure that changes in the document and the latest revision status have been identified.
6.4.2.4 Ensure that relevant versions of applicable documents are available at the place of use.
6.4.2.5 Ensure that documents are easy to read and easy to identify.
6.4.2.6 Ensure that documents can be accessed at any time when needed, and that documents are handled in compliance with document control regulations when they are transferred, stored and destroyed.
6.4.2.7 Ensure that original foreign documents have been identified.
6.4.2.8 Ensure proper control of document distribution.
6.4.2.9 Prevent nullified (invalid) documents from being misused. When nullified documents need to be retained for any purpose, they shall be properly identified.
6.4.3 Record control
6.4.3.1 In order to ensure that the ISMS meets the requirements of this Academy and to provide evidence of effective operation, records of the various operating procedures of the ISMS shall be established, maintained and controlled, and relevant laws, regulations and contract requirements shall be taken into consideration.
6.4.3.2 Records shall be clear and easy to read, easy to identify and retrieve. For the identification, storage, protection, retrieval, retention period and invalidation of records, documented procedures shall be established to define the required controls.
6.4.3.3 Records shall be properly preserved.
6.4.3.4 The required records and their scope shall be determined by the management process. During such a process, major decisions shall be recorded, taking into account the purpose of use of the records and the risks associated with the lack of such records.
7.1 Management commitment
In order for the ISMS to be promoted smoothly, the management shall implement the following items:
7.1.1 Establish cyber security management policies, cyber security goals and plans.
7.1.2 Establish the “Cyber Security Management Committee” to clarify and document the roles and responsibilities of cyber security.
7.1.3 Regularly hold ISMS management review meetings.
7.1.4 Determine the acceptable risk level after risk assessment.
7.1.5 Perform regular internal audits of ISMS.
7.1.6 Provide sufficient resources to ensure the establishment, implementation of operations, monitoring and review, and continuous improvement of ISMS.
7.1.7 Each unit supervisor shall try their best to use various internal public meetings or gatherings to publicize to all personnel the importance of meeting the cyber security goals, laws and regulations, and the need for continuous improvement.
7.2 Resource management
7.2.1 Resource provision
To ensure that the ISMS is implemented without hindrance, the necessary resources for the following tasks shall be determined and provided:
7.2.1.1 Provide the manpower, resources and equipment required for the establishment and maintenance of the ISMS.
7.2.1.2 Provide necessary assistance when implementing the ISMS.
7.2.1.3 Ensure that the various security procedures can meet operational needs.
7.2.1.4 Identify and put forward the requirements of laws and regulations and the security obligations specified in contracts.
7.2.1.5 Correctly apply all implemented control measures to maintain proper security.
7.2.1.6 When necessary, conduct a review and make appropriate responses to the review results.
7.2.1.7 When necessary, improve the operational process of the ISMS to ensure its effectiveness.
7.2.2 Training, cognition and ability
In order to ensure that all colleagues are capable to perform the required work and meet various safety requirements, various channels shall be used to assist colleagues in attending education and training, including the following methods:
7.2.2.1 Provide various skills training to meet such demand.
7.2.2.2 Evaluate the effectiveness of the training provided by means of opinion (degree of satisfaction) surveys, tests, submission of feedback reports and acquisition of certificates.
7.2.2.3 Ensure that colleagues recognize the relevance and importance of the activities they are engaged in, and how to contribute to the achievement of the cyber security goals.
7.2.2.4 Records of education and training, skills, experience and qualification evaluations shall be kept. Please refer to Section 6.4.3 for requirements of record preservation.
7.3 Effective communication
The requirements and criteria for internal and external communication in relation to the Information Security Management System (ISMS) shall be determined and established. The content must include: what to communicate, when to communicate, who to communicate with, who should be the one to communicate, and which communication process should be implemented, so as to ensure proper internal communication and conveyance of the various cyber security businesses of the ISMS and to facilitate its promotion and management.
Internal audits shall be performed regularly every year to confirm that the ISMS’s various control goals, control measures, operational processes and procedures all:
8.1 Meet the requirements of ISO 27001 and related laws and regulations.
8.2 Meet the cyber security goals and other related requirements set by this Academy.
8.3 Implement and maintain ISMS effectively.
8.4 Meet the expectations of the superior authority.
Review by ISMS Management
This Academy shall convene at least one management review meeting every year to review the current ISMS of this Academy so to ensure that the applicability, appropriateness and effectiveness of the relevant procedures are in line with the needs of this Academy, and to evaluate the timing of improvement of relevant policies and goals, or needs for other changes. Relevant documents and records on the review results shall be kept for future reference.
9.2 Input of review (scope of management review)
Management review shall include at least the following items:
9.2.1 Follow-up status of previous management review resolutions.
9.2.2 Changes in external and internal issues that may affect the ISMS.
9.2.3 The performance feedback of cyber security includes the following trends:
9.2.3.1 Implementation status of non-conformities and corrective measures
9.2.3.2 Results of monitoring and measurement
9.2.3.3 Results of internal audits
9.2.3.4 Realization of cyber security goals
9.2.4 Feedback from stakeholders
9.2.5 Results of the risk assessment and the status of the risk treatment plan
9.2.6 Opportunities for continuous improvement
9.3 Output of review
9.3.1 The output of the management review shall include decisions in relation to opportunities of continuous improvements and requirements of ISMS changes.
9.3.2 The output recommendations of the management review shall include but not limited to any decisions and measures set out in the following matters:
9.3.2.1 Improvement of ISMS effectiveness
9.3.2.2 Update of the risk assessment and risk treatment plan
9.3.2.3 When necessary, modify the procedures and controls that affect cyber security in order to respond to internal or external events that may impact the ISMS, including changes in the following items:
9.3.2.3.1 Various operational requirements
9.3.2.3.2 Various security requirements
9.3.2.3.3 Operational processes that affect existing operational requirements
9.3.2.3.4 Requirements of laws or regulations
9.3.2.3.5 Various contractual obligations
9.3.2.3.6 Risk level and/or risk acceptance criteria
9.3.2.4 Resource requirements
9.3.2.5 Improvement in how the effectiveness of control measures is measured
9.3.3 The organization shall preserve documented information and evidence for results of management review
Improvement of ISMS
10.1 Corrective measures
This Academy adopts appropriate control measures to reduce non-conformities arising from the establishment, operation and use of ISMS in order to prevent recurrence. The content of corrective measures shall include the following items:
10.1.1 Identify items that do not meet cyber security requirements
10.1.2 Determine the cause of each non-conformity
10.1.3 Evaluate the needs of various corrective measures to ensure that the non-conformities do not recur.
10.1.4 Determine and implement necessary corrective measures
10.1.5 It is necessary to record the results of corrective actions taken. Please refer to Section 6.4.3 for requirements of record preservation.
10.1.6 Review the corrective measures taken
10.2 Precautionary measures
This Academy shall take appropriate control measures to prevent and reduce the chances of potential non-conformities, and precautionary measures should be able to prevent the possible impact of potential problems.
10.2.1 Identify potential non-conformities and their causes
10.2.2 Assess the need for precautionary measures to prevent the occurrence of non-conformities.
10.2.3 Determine and implement the necessary precautionary measures.
10.2.4 Record the results of the measures taken. Please refer to Section 6.4.3 for requirements of record preservation.
10.2.5 Review the precautionary measures taken
10.3 Continuous improvement
Through the cyber security management policy, security goals, internal and external cyber security audit results, incident monitoring analysis, corrective and precautionary measures, as well as management review of this Academy, the cyber security personnel of the unit are to be responsible for the monitoring of all risks or non-conformities, and tracking the improvement situation made by the person in charge of relevant businesses so as to continuously improve the effectiveness of ISMS.
11.1 This Policy shall be evaluated and reviewed at least once a year to reflect the latest developments of cyber security requirements, government laws and regulations, changes in the external network environment, and cyber security technology of this Academy so to ensure that it is effective in maintaining operations and providing appropriate services.
11.2 This Policy shall be reviewed immediately in case of major changes so to ensure its appropriateness and effectiveness. When necessary, the relevant units and outsourcing suppliers shall be notified to facilitate joint compliance.
Release for implementation
This Policy shall be published on the website of this Academy after being approved by the Chief Cyber Security Officer, and the same shall apply when this Policy is revised.