Security Policy

Security Policy

Policy for Information Security Management of the Railway Bureau, Ministry of Transportat

1. Preface

In the current operating environment of the Railway Bureau, Ministry of Transportation and Communications (called as our Bureau in the following), information technology plays a very important role. Improvement of productivity, supplies of quick services, enhancement of management capacity and low operating costs – all these result from the employment of information technology. So information resources are our Bureau’s very important asset and thus need to be protected.

To maintain our Bureau’s normal operation, that the information system continues operating without stop is absolutely necessary. Owing to internet’s wide spread, our Bureau’s information environment can easily contact with outside world to improve speed and convenience of connection between us and the outside world. As a result, different levels of potential threat coming from stored and loading information with terminal server and internal handling and office automation (OA) software can happen at any time. New management issues, challenges, and responsibilities need to be thoroughly considered. The information system needs to be protected in order to avoid the occurrence of disasters threatening our Bureau’s operation. Therefore, a mechanism for information security should be established and implemented to prevent wiping out and to reduce risks – an urgent thing to do.

Information security is to put an emphasis on securing continuous use of information without barrier. Protecting information and its system is an action involving constructing information security control. An effective security control needs to have the following requirements: (1) promises of managing-level people; (2) all the staff’s continuous participation; (3) support from every kind of standard. Specifying and implementing an information security policy is the first priority. Items for specifying policy generally include the follows: (1) using standards of information and its system to make sure that a user can use information and its system safely, systematically and fairly; (2) maintaining standards and principles of dealing with problems in order to prevent loss and damage. Personnel related to policy education need to understand confidentiality, integrity and availability of information assets and other protection approaches, and then are expected to effectively coordinate with policy implementation. This policy content includes purposes, goals, announcements, range of suitable uses, arrangement of responsibilities, approaches of implementation and principles of implementation.

2. Goals of Information Security

2.1 Our Bureau’s goals of information security are as follows:

2.1.1 Retain continuous operation of information system.
2.1.2 Prevent attacks and damages from hackers and viruses.
2.1.3 Prevent others’ improper intention and illegal use.
2.1.4 Avoid incidents caused by human’s carelessness.
2.1.5 Maintain substantial environmental security.
2.1.6 Establish our Bureau’s entire staff’s basic ideas and correct behaviors of information security.

2.2. To fulfill the goals of information security fully, the following three points need to be achieved:

2.2.1 Confidentiality: get information legally.

About any information stored in our Bureau’s information system, information system during processing or transmission maintains confidentiality: In storing our Bureau’s information with a terminal server, there needs to be a defensive mechanism to prevent information being stolen during information transmission. In our Bureau’s internal information system, confidential information (including electronic file or paper) needs to be properly protected in order to prevent illegal storing and loading. Investigation records have detailed information of important activities and thus need to be well safeguarded. Only suitable personnel are authorized to do storing and loading processes.

2.2.2 Integrity: information or system maintained correct and complete.

About any information stored in our Bureau in information system, information system during processing or transmission needs to be protected in order to avoid improper alterations and to prevent information system from being improperly operated and invaded. In storing our Bureau’s information with terminal server, there needs to be a defensive mechanism to prevent information from improper alterations during information transmission. In our Bureau’s internal information system, confidential information needs to be properly protected in order to prevent illegal storing and loading. Rights, threats and vulnerability for storing and loading of information system need to be properly controlled in order to maintain integrity. 2.2.3 Availability: information or system needs to be loaded in real-time.

No error on continuous operation of information and system occurs. When a legal user asks to use any function of information system – for example, receiving/sending e-mails, OA application system, storing information with terminal server, he or she can get a response and a system service should be completed within a proper time period. This availability needs to coordinate with the two previous items – confidentiality and integrity in order to meet some goal. Take an example. Online information added with extra security and information concerning investigation records may delay the system’s responding time or cause interruptive service – such a situation cannot handle availability.

3. Purposes of Information Security Policy

The purposes of the policy can be described as follows.

3.1 Make an assessment of the basic estimation approaches of information security activities.
3.2 Make sure that resources are effectively employed in information security activities.
3.3 Be regarded as a long-term guiding course of action for our Bureau in development and employment of information system.
3.4 Be regarded as a basis for our Bureau’s information security booklets.
3.5 Be regarded as a foundation for any internal investigation.

4. Announcements:

Principle of reaching goals of using a simple and easy memorized meeting information security management is adopted to make announcements on our Bureau’s information security policy as follows.

Information is valuable and its security is even more precious.Everyone has responsibility for information security. Keeping secretes and preventing hackers starts from now; information safeguard starts from you and me.Do protect yourself and respect others.

5. Scopes of Suitable Uses

Scopes can be categorized into our Bureau’s relevant personnel related to business, computer system, material equipment, information record, and operating procedure. These categories are described as follows.

5.1 Personnel:

5.1.1 Our Bureau’s personnel: personnel of application system development and maintenance, those of system management, those owning information and equipments, those of safeguard, those of making information/documentary and normal users, including formal and informal members.
5.1.2 External personnel: contractors, business cooperation partners and visitors.

5.2 Computer System:

information room and every unit’s computer operating system, application system, development tools, packaged software, public-used program, etc.

5.3 Material Equipment:

Refers to offices, computer rooms, equipment related to information.

5.3.1 Offices & computer rooms: our Bureau’s information room, office area, and computer room equipments control
5.3.2 Equipment5.3.2.1 Computer: servers, portable computers, personal computers. Communication equipment: hubs, routers, internet switches, transmission circuits, modem, and fax machine. Magnetic storage media: removable hard disc drive, USB flash disk, magnetic tape machines, magnetic tapes, CD, DVD, public key infrastructure (PKI) and ID access cards. Others: non-stop electronic system, printers, photocopy machine, scanners, recorders, air conditioners, and access control equipments.

5.4 Information Record:

Our Bureau’s database, information files, system schedules, design documents, user’s operating manuals, contracts, educational training materials and system documents.

5.5 Operating Procedures:


5.5.1 Assessment on risks of information assets5.5.2 Document and record management5.5.3 Investigation on information security5.5.4 Management of Security check and information computer room5.5.5 Information security incident5.5.6 Information processing5.5.7 Management of information and data resources5.5.8 Management of personnel information security5.5.9 Management of business continuity 5.5.10 Management of application system5.5.11 Methods of website management

6. Organization, Position and Responsibility

6.1 Organization Diagram

Information Security Management System (ISMS)

6.2 Position and Responsibility

Explanations related to personnel and positions and responsibilities are described in the following table. About team members for operation of business continuity and their positions and responsibilities, please refer to “management of continuous operation.”

ons Personnel Working Functions and Duties Tenure of Office
Information security

Promoting team

Our Bureau’s the first-level director or above Examining and considering and promulgating and enforcing information security policy

Examining and considering external assessment results

Examining and considering risk assessment results and risk processing plans periodically

Reviewing and discussing information security reports and monitoring repair measurements

Reviewing managing level of ISMS periodically

Making a regular supervision of the conception of information security and control mechanism, according to information security meeting reports.

During in-service period
Information security

Executive secretary

Director of information room of our Bureau Collecting every department’s suggestion and carrying out discussion of team meetings

Joining external assessment

Making an annual or periodical supervision on risk assessment

Making an annual or periodical supervision on revising information security policy and manual.

Offering information which an annual or periodical ISMS managing-level review needs, to allow an information security implementation team to carry on an investigation

Making items of suggestions and advices according to executive results of implementation team meeting reports

Making an implementation and supervision on information security policy and manuals

Making supervision of relevant matters of management of business continuity

During in-service period
Inspection and audition team Duty assignment personnel Examining and investigating various security control mechanisms’ implementation situations and writing a report.

Proposing an examination and investigation report and making relevant suggestion items to executive secretary of information security once every six months.

Joining and implementing external assessment and corresponding measurements.

Implementing security checking of office security management every six months or periodically

During in-service period
ISMS system team Personnel of information room Implementing a risk assessment annually or periodically.

Scheduling various management systems annually or periodically.

Offering suggestions about information security to the executive secretary for information security.

Joining and implementing external assessment and corresponding measurements.

During in-service period


Positions Personnel Working Functions and Duties Tenure of Office
Information Security Implementation Team Personnel of information room and every unit’s personnel for business contact Carrying out management of information security system and developing information security control mechanism.

Offering the executive the results of information security and suggestions to executive secretary on information security once every year.

Offering teaching and guidance on the information security control mechanism

Joining and implementing external assessment and corresponding measurements.

Processing security checking on office security management once every month.

Carrying out tasks of making judgment on incidents and of making emergency rescue of a team.

Processing promotional training on information security.

During in-service period
Our Bureau’s all the staff Personnel of our Bureau specified in its organic law

Personnel engaged for posts

Making sure to follow every standard.

Joining and implementing external assessment and corresponding measurements.

During in-service period

During contract’s valid period

  1. Approaches of Implementation

According to standards of Information Security Management System of BS7799-2: 2002 and CNS 17800, the mode of “planning--implementing--checking--acting” is adopted to construct and maintain the management system of information security, carry out risk assessments, implement risk processing planning, make promulgation and enforcement and promotion and continuously monitor and investigate the implementation situation. Then, necessary corresponding measurements can be used to make sure that system meets this policy and is effectively operated.

  1. Principles of Implementation

8.1 In principle, our Bureau’s implementation principles of information security policy include accountability, awareness, ethics, multidisciplinary, proportionality, integration, timeliness, assessment and equality – all these principles are described as follows.

8.1.1 Accountability PrincipleAccountability and responsibility of information security need to be defined and confirmed clearly. 
8.1.2 Awareness PrincipleRelevant personnel need to be able to store proper information and security regulations, standards, pledges, or security control mechanism related to information system, understand threat and vulnerability related to information security. 
8.1.3 Ethics PrincipleInformation use and security implementation of information system need to meet working standards.
8.1.4 Multidisciplinary PrincipleRegulations, standards, pledges, or security control mechanism related to information system and information security must coverage all relevant units.
8.1.5 Proportionality PrincipleInformation security control mechanism needs to be balanced with risks caused by information leaking, alteration, and interrupted service. 8.1.6 Integration PrincipleRegulations, standards, pledges, and security control mechanism related to information security are equally important. They need to be integrated and also to be coordinated with our Bureau’s other policies and operating procedure.
8.1.7 Timeliness PrincipleAll departments and rooms need to cooperate with one another timely in order to prevent from or respond to incidents of security threats and damages of information system.
8.1.8 Assessment PrincipleIt is necessary to make a regular examination and investigation on information and risks of information system. 
8.1.9 Equity PrincipleWhen policies are fixed and arranged and security control mechanisms are selected, constructed and implemented, individual rights and dignities need to be respected.

8.2 According to the above principles, there are items in carrying out implementation as follows.

8.2.1 Accountability: A managing-level staff needs to have records of all steps of information services to make sure that all staff are responsible for their behavior. Record contents includes something newly added, altered, copied, deleted and other relevant information. In addition, managing-level staff note eery kind of using-level personal duties, responsibilities, dates and time of all important incidents. 
8.2.2 Education and Awareness: Managing-level staff needs to communicate with relevant personnel about this policy to make sure that all the staff have high awareness. Educational training can include norms, standards, operating procedures, guiding courses of action, responsibilities and duties, and relevant implementation measurements and failure results.
8.2.3 Information Management:Managing-level staff need to often make information categorizations, assessments and set up sensitive degrees and important levels as well as take responsibility for positioning of information. 
8.2.4 Environment Management:Directly aiming at substance environment of storage, transmission and employment of information and information assets, a managing-level staff needs to set up equipments in order to prevent from internal/external risks.
8.2.5 Personnel Qualifications:To carry out information assets and relevant security control mechanism of information system effectively, a managing-level staff needs to establish and identify characters and technique capacity of relevant personnel. 
8.2.6 System Integrity:A managing-level staff makes sure that various systems and application systems that our Bureau needs in business are constructed, maintained and protected.
8.2.7 Information Systems Life Cycle:A managing-level staff needs to make sure that various stages of system life cycle are listed within the security control scope.
8.2.8 Access Control:A managing-level staff member needs to construct a proper control mechanism to balance corresponding risks of storing and loading information and the relevant information system. 
8.2.9 Operational Continuity and Contingency Planning:A managing-level staff member needs to make a plan to let relevant information system be able to support needs of our Bureau’s operation of business continuity. 
8.2.10 Information Risk Management:A managing-level staffer needs to make sure that information security control mechanism and relevant assets’ value and possible threats/vulnerability are balanced. 
8.2.11 Network and Infrastructure Security:When an internet security control mechanism is constructed, it is necessary to consider the impact of the global basic facilities that are used.
8.2.12 Legal, Regulatory, and Contractual Requirements of Information Security:Managing-level staff need to assist gradual awareness and propose needs of information assets in legal regulations and contracts. 
8.2.13 Ethical Practices:When a managing-level staffer fixes and arranges and selects, or constructs and implements security control mechanisms, individual rights and dignities need to be respected.



Publisher:Railway Bureau, MOTC