► Our information security policy is based on:
- The passing of the National Information and Communication Infrastructure Security Mechanism Plan on January 17, 2001 during the 2,718th cabinet meeting.
- The approval of the second amendment to the National Information and Communication Infrastructure Security Mechanism Plan on June 6, 2002.
- Resolutions made to implement the second stage of the plan by the seventh meeting of the works committee of the National Information and Communication Security Taskforce (NICST) on January 28, 2003.
- Resolutions made during the National Information and Communication Security Center (NICSC) Operations Conference on August 18, 2003.
► Introduction
- With the advent of the information society, many large companies, financial organizations, governmental agencies and military agencies have computerized their operations so as to cut the cost of human, financial and material resources. A great amount of important information is saved in computers and transmitted through communications networks, and such data may involve trade secrets, personal privacy and even national security. Thus, protecting computerized networks and maintaining system security has become one of the most pressing issues in recent government policy. In order to have a coordinated system and to strengthen the protection of information, the National Security Council formulated the National Information and Communication Infrastructure Security Mechanism Plan as per presidential directive in May of 2000. After approval by the president on August 30, it was forwarded to the National Information and Communications Initiative (NICI) committee of the Executive Yuan for planning and implementation.
- Since the plan dealt with the establishment of a national security mechanism, and in an effort to meet the set deadline and fulfill the presidential directive, the NICI committee began a series of 12 conferences with various ministries in September of 2000 to discuss related planning and operation, producing specific, feasible proposals. These proposals were then reported at an NICI committee meeting on December 29, 2000, receiving consensus and support from all present. On January 2, 2001, the proposal was submitted to the premier of the Executive Yuan, and after receiving approval, the information and communication security advisory system began operation in accordance with the existing administrative system in January of 2001.
- According to guidelines set for the plan, the National Information and Communication Security Taskforce (NICST) is under the control of the Executive Yuan with the premier and vice premier serving respectively as convener and co-convener. The convener of the NICI committee serves as the CEO. Furthermore, there are two deputy CEOs and 14 committee members. Staff operations are under the charge of the NICI committee. Also, the National Information and Communication Security Center (NICSC) was established within the NICST as a special committee, with the convener of the NICI committee serving as the convener for the NICSC. There are also two co-conveners (one from the National Security Council and the other being the head of the Data Management Processing Center, DGBAS, Executive Yuan).
- The plan states that each governmental agency must establish an Information and Communication Processing Unit as a task force in charge of managing items related to crisis prevention and security.
► Objectives
- The scope of information and communication security is vast. To maintain full control in preventing emergencies such as the destruction or improper use of our information and network systems, and to respond quickly and return to normal operation in the shortest possible time in the event of an incident, a security command mechanism has been established in accordance with guidelines stipulated by the NICST so as to provide the best guarantee of security.
► Tasks
- Security Operations: Collecting information related to the security of information and communication, training in security-related technology, setting system security levels, creating security measures and monitoring.
- Crisis Management: Creating crisis management procedures, identifying causes of incidents, confirming the scope of influence, evaluating damage, carrying out emergency response measures, processing incident-related reporting and implementing solutions.
- Auditing: Checking to make sure the above-mentioned tasks have been carried out.
► Reporting of and Response to Security Incidents (Procedure and Description of Operation)
- When a security incident occurs, an Information and Communication Security Incident Report must be filled out within one hour, in accordance with the current website set up by the Crisis Notification Unit of the DGBAS, and sent to the Crisis Notification Unit via the Internet, phone, fax or e-mail. Moreover, the Information and Communication Security Management Unit of the Council of Agriculture should be notified with the same report.
- The Communication Security Management Unit at the Taitung District Agricultural Research and Extension Station (TTDARES) decides whether or not it can resolve a security incident on its own. If not, we must notify the Crisis Notification Unit within one hour and request help from the Technical Service Unit to resolve the situation. If we are able to handle the situation on our own, it must be resolved within one day. The Crisis Notification Unit is to be notified of the management and resolution of the incident within two hours of resolving the problem so as to stop the alarm. Moreover, a copy of the same report is to be sent to the Information and Communication Security Management Unit of the Council of Agriculture so that it can follow up on how the incident was managed.
- After the Technical Service Unit has gone to aid the agency in question, it is to set up a database with the Information and Communication Security Management Unit. The Crisis Notification Unit is to be notified of the management and resolution of the incident within two hours of resolving the problem so as to stop the alarm. Moreover, a copy of the same report is to be sent to the Information and Communication Security Management Unit of the Council of Agriculture so that it can follow up on how the incident was managed.
► Notification System Framework and Contact List
- The Information and Communication Security Notification Contact Network of the Council of Agriculture includes a system framework and a contact list. At first, this was provided by the NICST. Later, responsibility for changes and updates was handed over to the Council of Agriculture’s Information and Communication Security Management Unit, which in turn reports them to the NICST.