Information technology plays a vital role in the business systems of Taiwan Railway Corporation,Ltd. (hereinafter referred to as the Corporation) such as: the office automation system, the business information system and the personnel and salary system, etc. Information resources form an important part of the assets of the Corporation, and therefore, shall be protected properly.

In order to ensure normal operation of all businesses of the Corporation, non-stop operation of all information systems is necessary. Because of the wide use of the Internet, information systems of the Corporation must be connected with outside information systems. As a result, new management issues, challenges and responsibilities appear. Potential risks do exist in the processing of information by information systems of the Corporation and information generated by office software packages. Therefore, we shall tighten management measures in order to avoid adverse influences on businesses of the Corporation caused by human or external factors. So, the establishment and execution of the information security mechanism of the Corporation is an urgent task.

Information security refers to the continuous use of various kinds of information. In establishing the information security and control system, priority shall be given to the protection of information and information systems. The establishment of an effective information security and control mechanism needs supports from the higher level of the Corporation and all colleagues, as well as the preparation of, and the adherence to, all operation specifications. Information security policies include the following important items:

• 1. Establish ways to develop, maintain, and operate our information security management system;
• 2. Decide on the objectives of information security;
• 3. Establish organizations responsible for information security and determine their responsibilities;
• 4. Decide on the principles for executing information security measures.

We shall carry out information security trainings of related personnel and have them acquire a complete knowledge of the confidentiality, integrity and availability of information assets, and protection measures, with the aim of ensuring the implementation of the policy. This policy includes: purposes, objectives, statements, application scope, organizations and responsibilities, implementation modes and principles, etc.

Purposes

Information security management aims at protecting information from internal or external, deliberate or accidental threats. The Corporation operates public transportation, which is closely related to the livelihood of the people and economic development. It is very important to ensure the completeness and availability of information, and therefore, the implementation of this policy is necessary. Purposes of information security policies of the Corporation are as follows:

• 1. Demonstrate the resolve and commitment of the Corporation to provide a safe operation environment;
• 2. Serve as the guidelines of the Corporation on carrying out the program of computerized governments and developing application programs of information systems;
• 3. Determine the basic methods for assessing information security acts, in order to ensure that resources are effectively applied in information security acts;
• 4. Offer basic structure requirements of information systems and network design and relevant purchase specifications;
• 5. Serve as the basis of the information security manual of the Corporation;
• 6. The guidelines of using information systems of the Corporation. We shall carry out information security trainings of all employees to avoid anyone violating the Corporation’s rules by pretending not to know the information security policies;
• 7. Serve as the guidelines for examining internal units and personal of the Corporation;
• 8. Serve as the basis for addressing legal and contractual requirements.

Statements

Information forms part of the assets of the Corporation. Long-lasting operation depends on the integrity and availability of information. Adherence to information security rules can protect information from unauthorized application, revision, disclosure and damage, whether these behavior are deliberate or accidental.Protection of information assets is one of the basic responsibilities of all employees of the Corporation:

• 1. Protection of information assets is one of the basic responsibilities of all employees of the Corporation:
• 2. Adhere to security rules and procedures in the information security management system of the Corporation;
• 3. All employees shall take responsibilities for the protection of information assets.

In brief, “Everyone is duty-bound to safeguard information security”.