
Security Policy


Information Security

  1. Basis
     1. Plan for Establishment of the Information and Communication Infrastructure Security Mechanism; passed in the 2718th Executive Yuan Meeting on January 17th 2001.
     2. Plan for Establishment of the Information and Communication Infrastructure Security Mechanism; amended as directed by the Premier on June 6th 2002.
     3. Information and Communication Security Second Stage Implementation Program; resolution passed in the Seventh Meeting of the National Information and Communication Security Taskforce on January 28th 2003.
     4. Resolution made in the “Conference for Establishment of the Information and Communication Response Center” on August 18th 2003.
  1. Foreword

With the arrival of the digital era, many daily operations of large corporations, financial institutions, government agencies, and military agencies have been computerized to minimize the investment and maintenance of human, material, and financial resources. A substantial amount of information is now stored in computers or transmitted through computer and communication networks. This stored or transmitted data often involves commercial secrets, private information, and even highly confidential information regarding national security. Therefore, preventing computer network crimes and crises, as well as maintaining the security of information systems, has become a pressing issue for government administrations. In view of this, to centrally reinforce the information warfare capabilities of our Nation, the National Security Council, under the direction of the President, studied and submitted the Proposal for “Establishment of the Information and Communication Infrastructure Security Mechanism” in June 2000. This Proposal was approved by the President on August 30th and transferred to the NICI team, Executive Yuan, for planning and implementation.

Because this plan involves the establishment of a national security mechanism, to maximize time efficiency and achieve the President’s directives, the NICI team of the Executive Yuan called twelve meetings from September 2000 to study the problem and plan implementation. This Plan was then proposed in the NICI, Executive Yuan, Meeting on December 29th 2000 and received consensus and support from all committee members. On January 2nd 2001, this Plan was submitted to the Premier for approval; the Premier subsequently approved the Plan, and the Information and Communication Security Reportage System began operation in June 2001.

According to the Plan, a National Information and Communication Security Taskforce (hereafter referred to as the Information and Communication Security Taskforce) is to be set up under the Executive Yuan, with the Premier serving as Chairperson, the Vice Premier as Vice Chairperson, the Chairperson of the NICI team as Executive Director, two Deputy Executive Directors (one appointed by the National Security Council and the other being the Director of the Data Management Processing Center, Directorate General of Budget, Accounting, and Statistics, Executive Yuan), 14 Information and Communication Security Task Force Committee members, and staff positions filled by NICI team members. Furthermore, a “National Information and Communication Security Response Center” (hereafter referred to as the Response Center), a mission-oriented team, is to be set up under the National Information and Communication Security Taskforce, with the Chairperson of the NICI, Executive Yuan, serving as its Chairperson, and two Vice Chairpersons (one appointed by the National Security Council and the other being the Director of the Data Management Processing Center, Directorate General of Budget, Accounting, and Statistics, Executive Yuan).

At the same time, this Plan mandates that government agencies set up their own regular and mission-oriented “Information and Communication Security Task Team” to handle matters related to information security and crisis management. All subsidiary agencies and units of the Council should also set up their own “Information and Communication Security Task Teams”, with reference to this operation handbook and other relevant guidelines, to handle matters related to information security and crisis management internally, and should lay out relevant team operation guidelines to ensure normal operations.

  1. Objective

Since the subject of Information and Communication Security covers a wide scope, it is necessary to set up an Information and Communication Security Command Mechanism to respond quickly to emergencies, such as destruction or improper use of the Council’s information and networking systems, and to return the systems to normal operation in the shortest time possible to prevent possible damage. Also, in coordination with regulations set by the National Information and Communication Security Taskforce, this Command Mechanism carries out relevant responses to provide the best protection for information and communication security.

  1. Tasks
     1. Security Hazard Prevention: the Team is responsible for collecting information related to information and communication security, developing information and communication security technologies, evaluating the security level of the Council’s computer systems, setting up information and communication security measures, and executing information and communication security monitoring affairs.
     2. Crisis Management: the Team is responsible for planning crisis management procedures, investigating causes of the hazards, verifying the scope of effects and evaluating the losses, executing emergency responses, conducting emergency reports, and executing resolutions.
     3. Audit: the Team is responsible for inspecting the implementation of the above tasks to ensure that all relevant tasks are well executed.
  1. Reporting Information and Communication Security Events and Executing Emergency Responses (Procedure and Description)
     1. When matters related to information and communication security occur in the Council and its subsidiary units, the report network, set up based on the current “Crisis Report Sub-team (Directorate General of Budget, Accounting, and Statistics)”, must fill out an “Information and Communication Security Event Report Form” and send the form through the network, telephone, fax, or e-mail to the “Crisis Report Sub-team” within one hour. Relevant agencies/units must also report the event to the “Information and Communication Security Task Team” of the Council with the “Information and Communication Security Event Report Form”.
     2. The “Information and Communication Security Task Team” of the Council or related agencies/units will evaluate whether this matter can be resolved internally. If the matter cannot be resolved internally, the team must report the event to the “Crisis Report Sub-team” within one hour and request the assistance of the technology service team to solve the problem. If the matter can be resolved internally, the Team in the Council must resolve the problem within one day and report the status to the “Crisis Report Sub-team” within two hours after the problem is solved for case closure. The subsidiary agency/unit must simultaneously submit a photocopy of the report form to the Team for filing and further tracking.
     3. After assisting the agency/unit to solve the information and communication security problems, the technology service team should enter relevant data into the Information and Communication Security Database of the Team and report the status to the Crisis Report Sub-team for case closure within two hours after the problems are solved. The subsidiary agency/unit must simultaneously submit a photocopy of the report form to the Team for filing.
  1. Reportage System Structure and Contact List

The “Information and Communication Security Report/Contact Network” of the Council includes an Information and Communication Security Reportage System Structure and a Contact List. The initial structure is provided by the National Information and Communication Security Taskforce, and follow-up changes and maintenance are carried out by the information and communication security teams of subsidiary agencies/units of the Council. Changes in the structure and list must also be reported to the National Information and Communication Security Taskforce.


