Information Security Policy

Approved by the Forestry Planning Group
4 August 2016, Document Number 1051710472

The Forestry and Nature Conservation Agency of the Council of Agriculture of the Executive Yuan is responsible for protecting the forest ecosystem and conserving natural resources. This policy is established in order to achieve the below listed operational and management goals:
1. Continuous, uninterrupted operation of the information-related work of core functions; maintenance of the effectiveness of internal systems management; and increased quality of service to the public.
2. Assurance of the confidentiality, completeness, and accuracy of all data that is collected, processed, and utilized.
3. Conformance of all business processes involving the collection, processing, or utilization of personal information to the requirements of the Personal Information Protection Act.

1. Management System - This policy is applicable to data security management systems and personal data protection systems.
2. Organizational Units
(i) Information security management system – Such includes the full staff of every component group (office) of this bureau and all its subordinate organs and units with which it has business dealings, external suppliers of goods and services, visitors, and users of the bureau's data services.
(ii) Personal data protection system - Such includes all business under the responsibility of or partially handled by the personnel of any of this bureau's component groups (offices) or its subordinate organs and any unit with which the above have business dealings or any external supplier of goods or services entrusted by this bureau withe the collection, processing, or utilization of personal data.

1. Adhere to all relevant laws and regulations, such as intellectual property protection laws, Personal Information Protection Act, and all key points and regulations of data security management of the subordinate organs of the Executive Yuan, and also agreements and contracts with external units.
2. The bureau establishes a data security management committee, and each of the bureau's subsidiary organs establishes IT and secure data processing taskforces. The committee and these taskforces actively promote the planning, execution, auditing, continuous improvement, and coordinating of communication for relevant parts of the information management system. They also ensure that personnel are familiar with their responsibility for security in the fulfillment of their work by actively conducting educational training and outreach on data security and the protection of personal information.
3. Data assets in the possession of personnel for work purposes are held according to the principle of public ownership and public use. These data are categorized and prioritized according to expected functional needs and are assessed for risk with respect to the effective control of the data. Information systems should be evaluated and the adjustments may occur with the security control baselines.  A business continuity management strategy will be planned according to the goals of the information-centric tasks in order to ensure the continued usability of information-centric work.
4. With actual work environments and important data equipment rooms, implement entry and exit controls and are continuously monitored to preserve their security.
5. In order to protect systems from improper access, irregular activity, damage or cyber attack, strengthened defensive technology management of information equipment and systems by limiting access of data to the least amount required for fulfillment of duties. 
6. In order to guard against computer viruses or malware affecting work, the use of any unauthorized software other than the legally authorized systems and software applications is forbidden.
7. The protection of personal data must comply with the following requirements:
(i) In order to ensure the legality, accuracy and appropriateness of data obtained, collection, processing, or utilization of personal data must have a specially designated purpose and be necessary for completion of the statutory duties of this bureau, or else such collection, processing, or utilization of such data must be approved by the persons affected.
(ii) The authorization of third parties to collect, process, or utilize personal data must be carefully managed and incorporate proper protections.
(iii) Processes and channels for affected persons to check, make copies of, correct, supplement, delete, or stop the utilization of their personal data and also to make complaints or appeals must be provided. When personal data security incidents occur, notification must be proactively provided.
(iv) Certain personnel are designated as specialists to carry out personal data protection tasks. Appropriate protection measures for the collection, processing, and provision for utilization of personal data are adopted. The theft of, tampering with, destruction, loss, and leakage of personal data are prevented.
8. In order to ensure the effectiveness of the management system, all who violate the specified procedures will be evaluated against and disciplined according to the relevant regulations.

1. This bureau establishes a management system to plan out as a whole the promotion of relevant items.
2. Management-level personnel must actively participate in and support the management system and implement this policy through appropriate standards and procedures.
3. The full staff of this bureau, external suppliers of goods and services, and visitors must all comply with this policy.
4. Both the full staff of this bureau and external suppliers of goods and services are responsible for reporting data security incidents or vulnerabilities via appropriate reporting mechanisms.
5. The civil, criminal, and administrative responsibility for any act that endangers data security or the protection of personal data shall be pursued according to the severity of the incident, or the act shall be evaluated and penalized according to the relevant regulations of this bureau.

This policy has been reviewed and approved by the data security management committee and will go into effect upon review and approval by the director general of the bureau.  Any amendment shall go into effect by the same process.