Information Security Policy of the Railway Bureau, Ministry of Transportation and Communications


I. Information and Communication Security Policy


To facilitate the smooth operation of the business of the Railway Bureau of the Ministry of Transportation and Communications (hereinafter referred to as "the Bureau"), prevent unauthorized access, use, control, leakage, damage, alteration, destruction, or other infringements upon information or information and communication systems, and to ensure their Confidentiality, Integrity, and Availability, this Policy is hereby established and shall be observed by all staff members:

(I) Implement the Information Security Management System (ISMS).

(II) Effectively manage information assets, continuously conduct risk assessments, and implement appropriate protective measures.

(III) Protect information and information and communication systems from unauthorized access to maintain their confidentiality.

(IV) Prevent unauthorized modification to protect the integrity of information and information and communication systems.

(V) Ensure that authorized users have access to information and information and communication systems when needed.

(VI) Comply with laws and regulations.

(VII) Assess the impact of various human-made or natural disasters and establish recovery plans for critical information and communication systems to ensure the continuous operation of core businesses.

(VIII) Implement information and communication security education and training, as well as awareness programs for new employees, to enhance the security awareness of all staff.

(IX) Implement management of external service providers to ensure the security of information and communication services.

(X) Implement auditing and management review processes to ensure the continuous improvement of the Information Security Management System.

II. Information and Communication Security Objectives

(I) Quantitative Objectives:

  1. Number of reviews of the Information and Communication Security Policy ≧ 1 time/year.
  2. Information and communication security education and training—Dedicated information and communication security personnel: Each person shall receive at least 12 hours of professional cyber security courses or competency training per year.
  3. Information and communication security education and training—Information personnel other than dedicated information and communication security personnel (including system administrators in business units and staff in information units):
    1. Each person shall receive at least 3 hours of professional information and communication security courses or competency training per year.
    2. Each person shall receive at least 3 hours of general information and communication security education and training per year.
  4. Information and communication security education and training—General users and supervisors: Each person shall receive at least 3 hours of general cyber security education and training per year.
  5. Email opening rate in social engineering drills < 4%/drill; Click rate of email attachments in social engineering drills < 2%/drill.
  6. Updates to the information asset inventory ≧ 1 item/year; Conduct risk assessment and establish risk treatment plans ≧ 1 time/year.
  7. Incidents of unauthorized access or changes to account/permission management in (A) Applications and (B) Databases of information and communication systems ≦ 2 cases/year.
  8. Incidents of unauthorized access or changes to the host (Operating System) of information and communication systems ≦ 2 times/year.
  9. Incidents affecting system operations due to certificate anomalies or expiration ≦ 2 times/year.
  10. Incidents of unauthorized entry or removal of equipment or storage media ≦ 0 times/year.
  11. Incidents where equipment components containing storage media were discarded or reused without verification, failing to ensure sensitive data or copyrighted software was removed or securely overwritten ≦ 0 cases/year.
  12. Incidents of unannounced backup failures (host, information and communication system, network configuration) where action was not taken within 8 hours of discovery to resume normal backup operations ≦ 2 times/year.
  13. Protection operations including "(1) Network architecture review, (2) Network malicious activity review, (3) User endpoint malicious activity review, (4) Server host malicious activity review, and (5) Directory server and firewall connection setting review" conducted once every 2 years.
  14. Incidents where network equipment, hosts, or information and communication systems encounter abnormal failures leading to an inability to provide normal services ≦ 3 cases/year.
  15. Incidents of unauthorized rules (policies) in firewalls ≦ 2 cases/year.
  16. Security testing including "(1) Vulnerability Scanning and (2) Penetration Testing" conducted once every 2 years.
  17. Incidents of unauthorized program version changes ≦ 2 cases/year.
  18. Conduct information and communication security audits on information service procurement vendors ≧ 1 time/year.
  19. The completion rate for notification, response, and recovery operations within the stipulated time after becoming aware of an information and communication security incident shall be 100%.
  20. Availability of information and communication systems reaches 99.99% or above. (Downtime / Total operation time ≦ 0.01%).
  21. Conduct review and drills of the Business Continuity Plan ≧ 1 time/year.
  22. Conduct information and communication security internal audits for the Bureau ≧ 1 time/year; Conduct audits on the implementation of information and communication security maintenance plans for subordinate agencies ≧ 1 time/year.

(II) Qualitative Objectives:

  1. Timely adjust information and communication security maintenance measures in response to changes in laws and technology to prevent unauthorized access, use, control, leakage, damage, alteration, destruction, or other infringements upon information and communication systems or information, thereby ensuring their confidentiality, integrity, and availability.
  2. Achieve the requirements of the Information and Communication Security Responsibility Level and mitigate threats posed by cyber security risks.
  3. Strengthen the selection, supervision, and management of outsourced vendors, and strictly review outsourcing contracts to ensure cyber security within supply chain relationships.
  4. Enhance personnel's awareness of cyber security protection and effectively detect and prevent external attacks.
  5. Implement a reward and penalty mechanism for personnel handling business involving information and communication security matters.
  6. Promote cross-unit integration of information and communication security protection to achieve joint defense and intelligence sharing.

Emergency Contact: During Office Hours: (02)8072-3333 | After Hours or Holidays: (02)8969-1601

Railway Bureau, MOTC All Rights Reserved | Tel: (02)8072-3333 | Fax: (02)8969-1600

Address: 9F., No.7, Sec. 2, Xianmin Blvd., Banqiao Dist., New Taipei City 220231, Taiwan (R.O.C.)

Ethics Hotline: (02)8969-1540 | Ethics Fax: (02)8969-1539

Ethics Mailbox: New Taipei City Government Post Office Box 18

Ethics Email: invx@rb.gov.tw