National Tax Administration, Southern Taiwan Province Information Safety Policy
Amended on: 9 August 2006

Purpose

In order to strengthen information security management in the National Tax Administration of Southern Taiwan Province (NTAS), ensure the safety of tax data, systems and facilities, and provide reliable information services, this information security policy is composed.

Basis

"The Information Security Management Practices of the Ministry of Finance and Affiliated Organizations (Institutions)", promulgated by the Ministry of Finance on 24 June 2002 under Decree No. 91895856.

Definition of Information Security

Information security is the application of management procedures and protection technology to ensure the safety of data collection, processing, transfer, storage and communication. While executing information work, it should also ensure the safety of the related information systems, including the software, facilities, files and storage media involved, and every kind of report produced by printers.

Objective of Information Security

- Ensuring the confidentiality and privacy of tax data, and preventing unauthorized access to them.
The number of unauthorized accesses should not exceed 0 times.
- Ensuring the availability, integrity and non-repudiation of information assets.
The number of service halts due to information security events should not exceed 3 times semi-annually, and each should last no longer than 12 hours.
- Ensuring the efficiency and continuity of information service operation.
Every half year, performing the "Information Service Operation Continuity Plan" rehearsal at least once, and performing all the scenarios within two years.
- Ensuring information security awareness for every staff member.
Each person should take at least 4 hours of information security awareness or training.
- Ensuring regulatory compliance of information security measures.
Performing an internal audit at least once every half year; if affiliated institutions are audited on a random basis, all of them should be audited within 2 years.

Extent of Information Security

- Information security responsibility and separation of duty.
- Human resource management and information security awareness and training.
- Information system security management.
- Network security management.
- Access control management.
- Information system acquisition, development and maintenance.
- Information asset management.
- Physical and environmental security management.
- Business continuity management.
- Information security audit.
- Information security incident management.

Organization of Information Security

- Establishing the "Information Security Task Force" (ISTF): the deputy commissioner serves as convener, and ISTF members are appointed by every division and office. The responsibility of the ISTF is composing and reviewing this policy regularly, and coordinating and discussing the information security plan and resource allocation.
- Under the ISTF there are the "Information Security Task Group" (ISTG) and the "Information Security Audit Group" (ISAG). The ISTG handles the assistance work related to the ISTF and is convened by the Information Management Division. The ISAG is in charge of information security internal audit.

Principle of Information Security Delegation

- Discussion of information security policy, plans, measures and technical specifications, research of security technology, and implementation and assessment are handled by the Data Gathering & Electronic Data Processing Division.
- While executing information work, staff should comply with the "Tax Collection Act", the "Computer Data Processing Act", other related regulations and every procedure composed by NTAS.
- Technical information security training is held by the Data Gathering & Electronic Data Processing Division, and business-related information security training is held by the Government Ethics Office and the associated division or office.
- The discussion, control, management and protection of security requirements for data and information systems are the responsibility of the business units.
- The Data Gathering & Electronic Data Processing Division and the Government Ethics Office are in charge of information security internal audit.
- Personnel security assessment is held by the Government Ethics Office.
- When the information and network systems of NTAS are destroyed or improperly used, causing serious damage, the damage should be mitigated by following the "Information Security Emergency Response Procedure". The ISTG should take countermeasures as soon as possible and keep the audit trail.
- When NTAS personnel violate the information security regulations, they should be punished according to the "Ministry of Finance Tax Affairs Personnel Rewards and Punishment Table". Anyone who violates the "Official Disciplinary Punishment Act" should be charged under the 19th stipulation of that act; a suspect who offends the "Criminal Law" should be transferred to the judicial organ for investigation; anyone involved in a national compensation event should be charged under the "National Compensation Act" and other correlated laws to investigate the corresponding responsibility. When non-NTAS personnel violate the information security regulations, they should also be charged under the correlated legal rules to investigate their individual legal responsibility.

Information Asset Assessment

- Categorization:
According to the characteristics of information work, the assets are divided into 6 categories: electronic information assets, physical assets, software assets, services, documentation and people.
- Grade:
The value of each kind of asset is evaluated according to its confidentiality, integrity and availability.
- Assessment:
Considering the asset's own vulnerability, related threats and impact, the risk level is assessed, and then the appropriate measures are applied to it.

Risk Appetite

After risk assessment, assets are divided into different risk levels. When assets fall into the "unacceptable risk level", the related risk countermeasure plan should be composed to mitigate the impact, and its progress should be tracked.

Statement of Applicability

Since the ISO 27001:2005 standard requires a statement of applicability as output, it is necessary to enumerate in writing whether each information asset is applicable to the control measures of this standard, and to record the reason for any non-applicability. When the organizational framework, people, facilities or physical environment change, the ISTF should review this statement of applicability.