
Information Security Policy

Approved on July 25, 2023, Document No. 1121710528 (Version 3.0)

I. Purpose

The statutory duties of the Forestry and Nature Conservation Agency of the Ministry of Agriculture are to safeguard the integrity of important terrestrial ecosystems and biodiversity, strengthen nature conservation, and ensure the sustainable sharing of forest ecosystem services.

This policy is established to achieve the following operational and management objectives:

  1. Ensure the uninterrupted operation of information systems supporting core business functions, maintain the effectiveness of internal management mechanisms, and enhance the quality of information services provided to the public.
  2. Safeguard the confidentiality, integrity, and accuracy of all information collected, processed, and used by the Agency.
  3. Ensure that all procedures related to the collection, processing, and use of personal data comply with the requirements of the Personal Data Protection Act.

II. Scope of Application

  1. Management System
    This policy applies to both the information security management system and the personal data protection system.
  2. Organizational Units
    (1) Information Security Management System:
      This system applies to all personnel of the Agency's divisions and offices, all affiliated agencies, business partners, contracted service providers, visitors, and all users of the Agency's information services.
    (2) Personal Data Protection System:
      This system applies to all business operations handled or supervised by personnel of the Agency's divisions and offices and affiliated agencies, as well as business partners and contracted service providers entrusted by the Agency to collect, process, or use personal data.

III. Policy Requirements

  1. Ensure full compliance with relevant laws and regulations, including the Cyber Security Management Act and its Enforcement Rules, Regulations on Classification of Cyber Security Responsibility Levels, Regulations on the Notification and Response of Cyber Security Incident, Cyber Security Information Sharing Regulations, Regulations on Rewards and Penalties for Cyber Security Matters for Personnel of Government Agencies, the Intellectual Property Protection Act, the Personal Data Protection Act, and information security guidelines and standards issued by the Executive Yuan and its subordinate agencies, as well as any agreements or contracts signed with external entities.
  2. The Agency has established a Cybersecurity Management Committee, and each affiliated agency has formed an Information Promotion and Security Task Force. These bodies are responsible for promoting planning, implementation, auditing, continuous improvement, and communication related to the management systems. They shall also conduct regular education, training, and awareness programs on information security and personal data protection to ensure that personnel understand their security responsibilities in performing their duties.
  3. Information assets handled by employees shall be used for official purposes and managed as public assets. Information shall be classified according to needs and assessed based on business risk to ensure effective control. Information systems shall be graded and protected in accordance with cybersecurity protection standards. Information-based operations shall include business continuity planning based on operational needs to ensure system availability.
  4. Access control shall be implemented for office premises and critical information equipment rooms, with continuous monitoring to maintain a secure environment.
  5. Information equipment and systems shall adopt enhanced technical protection measures. Access rights shall be granted based on job responsibilities and the principle of least privilege to prevent improper access, modification, damage, or cyberattacks.
  6. To prevent the impact of computer viruses and malicious software, only legally authorized systems and application software may be used. The use of any unauthorized software is strictly prohibited.
  7. Personal data protection shall meet the following requirements:
    (1) The collection, processing, and use of personal data must have a specific purpose and fall within the necessary scope for the Agency to perform its statutory duties, or be based on the consent of the data subject, ensuring the legality, accuracy, and appropriateness of data acquisition.
    (2) When outsourcing the collection, processing, or use of personal data to third-party organizations, proper management and protective measures must be implemented.
    (3) Procedures and channels shall be provided for data subjects to inquire about, request copies of, correct, supplement, delete, or request cessation of the use of their personal data, and for filing complaints or appeals. Data subjects shall be notified promptly in the event of a personal data security incident.
    (4) A designated officer shall be appointed to handle matters related to personal data protection. Appropriate measures shall be taken to protect personal data during collection, processing, and use to prevent theft, alteration, damage, loss, or leakage.
  8. To ensure the effectiveness of the management systems, any violation of relevant procedures or regulations shall be reviewed and handled in accordance with applicable rules.

IV. Responsibility

  1. The Agency shall establish a management structure responsible for overseeing and promoting matters related to the management systems.
  2. The management level shall actively participate in and support the implementation of the management systems, and ensure this policy is carried out through appropriate standards and procedures.
  3. All personnel of the Agency, contracted service providers, and visitors shall comply with this policy.
  4. All personnel of the Agency and contracted service providers have the responsibility to report information security incidents or vulnerabilities through appropriate reporting mechanisms.
  5. Any act that compromises information security or personal data protection shall be subject to civil, criminal, or administrative liabilities depending on the severity of the violation, and may also be handled in accordance with relevant Agency regulations.

V. Implementation and Amendment

This policy was implemented upon approval by the Director General following review by the Cybersecurity Management Committee. The same procedures shall apply to any amendments.