Security Policy

Purpose

The information security policy (hereinafter referred to as the policy) is formulated to achieve information confidentiality, integrity, availability and legality, in order to improve the tax service quality of the Local Tax Bureau of Changhua County (hereinafter referred to as the Bureau), ensure the safety of information, systems, equipment and network communications, and effectively reduce risks such as theft, improper use, disclosure, tampering, or destruction of information due to human neglect, intentional conduct or natural disasters.

Basis

  • ISO/IEC 27001 (Information technology — Security techniques — Information security management systems — Requirements)
  • CNS 27001
  • ISO/IEC 27002 (Information technology — Security techniques — Code of practice for information security management)
  • Requirements of information security management systems of the Executive Yuan and its subordinate agencies
  • Code of practice for information security controls of the Executive Yuan and its subordinate agencies
  • Information and Communications Security Development program
  • Guidelines of information security management systems of the Ministry of Finance and its subordinate agencies (organizations)
  • Cyber Security Management Act

Definitions

  • Confidentiality: Ensure that users can only access information after authorization.
  • Integrity: Ensure completeness of information and accuracy of procedures.
  • Availability: Ensure that information can be used only by authorized users when needed.
  • Legality: Comply with relevant national laws and regulations.

Scope

Our information security management system applies to all of the Bureau’s businesses, including employees, external cooperating institutions, as well as manufacturers and guests that provide labor and services to the Bureau.

Organizational structure

The information security promotion organizational structure is developed to coordinate planning, implementation, auditing and revisions of information security management matters in accordance with the “N-ISMS-2-01 Organizational Management Procedures for Security Management and Protecting Personal Data.”

Objectives

  • Profits: Improve completeness of taxation information and work efficiency.
  • Anti-fraud: Maintain strong discipline and enhance risk management.
  • Confidentiality: Ensure information confidentiality and avoid improper use.
  • Business operations: Develop towards sustainable operation and reduce safety accidents.
  • Implementation: Proper advance planning and rigorous subsequent audits.
  • Legal compliance: Strengthen legal advocacy and eliminate violations.

Policy implementation

Relevant units and personnel shall set up related management provisions or implementation plans for matters listed below, and regularly evaluate the results (indicators). For implementation procedures, please refer to the “N-ISMS-2-02 Implementation Procedures for Security Management and Protecting Personal Data.”

  1. All information security management provisions must comply with the relevant government laws and regulations (such as the Criminal Code of the Republic of China, the Classified National Security Information Protection Act, Patent Act, Trademark Act, Copyright Act, Personal Data Protection Act, and Cyber Security Management Act).
  2. Relevant units and personnel shall be responsible for the establishment and promotion of the information security system.
  3. Information security education and training shall be conducted on a regular basis to promote information security policies and related measures.
  4. Set up information hardware and software management mechanisms to coordinate resource allocation and usage.
  5. Information security should be taken into account before establishing a new information system in order to prevent jeopardizing system security.
  6. Set up physical and environmental security controls for computer rooms and conduct related maintenance on a regular basis.
  7. Clearly regulate the right of access to information systems and network services to prevent unauthorized access.
  8. Formulate an internal audit plan for information security and conduct internal audits on a regular basis.
  9. Formulate the sustainable information security plan and conduct practical exercises to ensure sustainable business operations.
  10. All personnel are responsible for maintaining information security in accordance with relevant information security management regulations.

Implementation and revision

  • The policy is reviewed and recorded at least once a year to continuously improve its effectiveness and suitability in compliance with the relevant laws and regulations, as well as technical and operational requirements of the Bureau.
  • The policy is implemented after its approval, and subsequent amendments and revisions will be submitted to the Information Security Management Review Committee for discussion before they are stipulated and announced.

Update Date: 2020-04-20