Cyber Security Strategy
Issued and implemented on August 3, 2021
This policy is formulated to (1) ensure the confidentiality, integrity, availability and legal compliance of the information assets of the Foundation for International Cooperation in Higher Education of Taiwan (hereinafter referred to as "FICHET"), (2) comply with the requirements of relevant laws and regulations, and (3) protect FICHET and its information assets from any threats to its operations, whether internal or external, intentional or accidental.
2.1 The scope of this policy extends to all staff, internal and external contractors and suppliers, temporary staff (including interns, work-study students and other short-term workers), visitors and volunteers.
2.2 The scope of cyber security management includes 14 areas, and covers the improper use, leakage, tampering and destruction of information due to factors such as human negligence, intentional action, or natural disasters, resulting in various potential risks and hazards to FICHET:
2.2.1 Formulation and evaluation of information communication security policy.
2.2.2 Organization of information communication security.
2.2.3 Human resource safety management.
2.2.4 Information asset management.
2.2.5 Access control security management.
2.2.6 Cryptographic security management.
2.2.7 Physical and environmental security management.
2.2.8 Operational safety management.
2.2.9 Communication security management.
2.2.10 Security management for systems acquisition, development and maintenance.
2.2.11 Supplier security management.
2.2.12 Information communication safety incident management.
2.2.13 Operational continuity security management.
2.2.14 Compliance management.
In order to maintain the confidentiality, integrity, availability and legal compliance of FICHET’s information assets, and to maintain user data privacy, FICHET urges all colleagues to work together to achieve the following goals:
3.1 Protect cyber security by restricting access to authorized personnel only.
3.2 Protect the security of FICHET operations by preventing unauthorized data modification.
3.3 Establish a business continuity plan for FICHET to ensure the availability and continuity of business services.
3.4 Ensure that all business services provided by FICHET comply with all relevant laws or regulations.
4.1 FICHET shall establish a cyber security organization to coordinate the implementation and management of cyber security measures.
4.2 Management will actively participate in and support information/communication security management and will implement this policy through appropriate standards and procedures.
4.3 This policy applies to all FICHET staff, contractors, external suppliers and visitors.
4.4 All FICHET staff members and external suppliers are responsible for reporting cyber security incidents or weaknesses through appropriate reporting mechanisms.
4.5 Any behavior that endangers FICHET information or communications security will be investigated for potential civil, criminal and administrative sanctions appropriate to the seriousness of the circumstances, or will be dealt with in accordance with relevant FICHET regulations.
4.6 The status of information and communications security objectives will be regularly reviewed against an "Effectiveness Scale".
5.1 This policy should be reviewed and updated at least annually to reflect the latest developments in relevant laws, technologies and business operations, and to ensure FICHET’s ability to effectively maintain operations and provide services.
5.2 FICHET shall take account of internal and external issues and stakeholder requirements when formulating the appropriate scope for the information security management system, with changes implemented only after review and confirmation by management.
5.3 The implementation of the information security management system shall be reviewed regularly or occasionally at management review meetings in response to internal or external changes that impact system implementation status, including changes to laws and regulations, internal developments at FICHET, cyber security incidents, and required adjustments in management system implementation.
This policy will be implemented following approval by the Chief Security Officer of information and communications. Notification of implementation and revisions will be provided to FICHET staff, relevant agencies and institutions and external suppliers in writing, electronic communication or by other means.
7. Appendices and reference documentation