1. This policy is prepared in consideration of the business demands of this administration, based on the Information Security Management Outlines of the Executive Yuan and Each Affiliated Department, the Information Security Management Regulation of the Executive Yuan and Each Affiliated Department, and the Information Security Policy of and Planning Agency, Ministry of the Interior.
2. This policy is prepared by the Administration of Kenting National Park (hereinafter the administration) to reinforce information security management; to guarantee the confidentiality, integrity and availability of information, the reliability of information equipment (including computer hardware, software and peripherals) and the network system, and the information security awareness of staff; and to ensure that the above-mentioned resources are protected from interference, destruction, intrusion or any other harmful action or attempt.
3. A cross-departmental information security promotion organization (hereinafter the organization) is established to coordinate, plan, audit and promote information security management affairs; the information office of this administration is responsible for the organization's supporting operations.
4. Authority and responsibility are assigned to the relevant departments and personnel according to the following division of work:
1) the research, discussion, preparation and evaluation of information security policy, plans and technical criteria are the responsibility of the information office of this administration;
2) the research and discussion of security requirements and the management and protection of data and information systems are the responsibility of each business department of this administration;
3) information confidentiality maintenance and security auditing are the responsibility of the civil service ethics office of this administration together with the relevant departments.
5. The scope of this policy is as follows; the relevant departments and personnel shall prepare the relevant management regulations or implementation plans for each of the following matters and evaluate their implementation regularly:
1) personnel management and information security education and training;
2) computer system security management;
3) network security management;
4) system access control;
5) system development and maintenance security management;
6) information asset security management;
7) physical and environmental security management;
8) planning and management of the business continuity plan.
6. Personnel Management and Information Security Education and Training
1) Security evaluation shall be carried out for information-related positions and work; the eligibility of personnel shall be evaluated prudently, and the necessary assessment shall be carried out upon employment and upon the assignment of work and tasks. Each business supervisor is responsible for supervising the information operation security of staff and preventing any illegal or improper behavior.
2) Information security education, training and awareness activities shall be conducted regularly to establish the information security awareness of staff and to raise the information security level according to the different requirements of management, business and information work.
7. Computer System Security Management
1) Information security requirements shall be raised and studied in advance when information business is outsourced; the information security liability and confidentiality obligations of the vendor shall be stated explicitly in the agreement, for compliance by the vendor and for regular assessment.
2) Software shall be copied and used in accordance with the relevant regulations or license agreements, and a software use management system shall be established.
3) The necessary preventive and protective measures shall be implemented in advance, and computer viruses and other malicious software shall be detected and prevented to guarantee the normal operation of systems.
4) A control and management system shall be established for every system change operation, and records shall be kept for reference.
5) For the purchase of information hardware and software facilities, information security requirements shall be studied and raised, and the purchase specifications shall be listed according to the national standard or the governmental information security criteria prepared by the competent authority.
8. Network Security Management
1) When an information system is opened to external connections, technologies or measures of different security grades, such as data encryption, identity authentication, electronic signatures and seals, firewalls and vulnerability detection, shall be adopted according to the importance and value of the data and system to prevent intrusion, destruction, falsification, deletion and unauthorized access to data and systems.
2) Firewalls and other necessary security facilities shall be implemented at the nodes connecting to external networks to control data transmission and resource access between the external and internal networks.
3) When the Internet and the World Wide Web are used for information disclosure and circulation, a data security grade evaluation shall be carried out, and confidential, sensitive and personal data and documents shall not be disclosed online without the consent of the related parties.
4) Regulations for email use shall be prepared, and confidential data and documents shall not be sent by email or other electronic means.
5) To prevent network users from recklessly breaching the network security regulations of this administration, the network administrator may, using relevant network technology and under the principle that normal network use is not interfered with, proactively take control measures against users who breach the relevant regulations of this administration.
9. System Access Control
1) A system access policy and authorization regulation shall be prepared, and the relevant authority and responsibility shall be communicated to staff and users in writing, electronically or by other means.
2) All access rights of retired or dismissed staff to every information resource shall be cancelled immediately, and this shall be included as a necessary step in the retirement or dismissal procedure. The access rights of staff shall be adjusted within the time limit set by the system access authorization regulation when their positions are adjusted or reassigned.
3) A system user registration management system shall be established, and user password management shall be reinforced; in principle, the user password update cycle shall not exceed 6 months.
4) When a system service vendor performs system maintenance by remote login, security control shall be reinforced and a personnel roster shall be established so that their security and confidentiality liabilities can be investigated.
5) An information security auditing system shall be established, and information security auditing shall be carried out at regular and irregular intervals.
10. System Development and Maintenance Security Management
1) Information security requirements shall be considered at the beginning of the system life cycle, whether the system is developed in-house or outsourced; security control shall be implemented upon maintenance, update, deployment and version change operations to prevent improper software, vulnerabilities or computer viruses from compromising system security.
2) Vendor personnel who implement and maintain hardware and software shall be regulated and restricted in the scope of systems and data they may access, and long-term system identification codes or passwords for them are forbidden. If a short-term, temporary system identification code or password must be issued to the vendor based on actual operational needs, the access right shall be cancelled immediately after use.
3) If a vendor is contracted to implement and maintain important hardware and software facilities, the implementation and maintenance shall be performed under the supervision and in the presence of relevant personnel of the using section of this administration.
11. Information Asset Security Management
1) An information asset catalog related to the information system shall be established, recording the item, owner and security grade category of each information asset.
2) An information security grade classification standard shall be established, and corresponding protective measures shall be taken according to the relevant regulations on state secret protection, protection of personal data processed by computer, and governmental information disclosure.
3) Information listed in the security grade classification and data output from the system shall be marked with the proper security grade for users to follow.
12. Physical and Environmental Security Management
Physical and environmental security management measures shall be prepared for equipment placement, the surrounding environment and the control of personnel entering and leaving.
13. Planning and Management of the Business Continuity Plan
1) A business continuity plan shall be prepared; the influence of each man-made and natural disaster on business operations shall be evaluated; emergency and response operating procedures and the rights and responsibilities of the relevant personnel shall be regulated; and the plan shall be drilled, adjusted and updated regularly.
2) An emergency handling mechanism for information security incidents shall be established; when an incident occurs, it shall be reported to the information department or personnel, countermeasures shall be taken, and the police shall be contacted to assist with the investigation according to the stated handling procedure.
3) Data security grades shall be prepared and distinguished according to the relevant regulation, and proper and sufficient information security measures shall be taken according to the different security grades.
14. This policy shall be evaluated at least once each year to reflect the latest developments in governmental decrees, technology and business, and to guarantee the validity of information security practice. This information security policy shall be implemented upon approval by the chief of the administration, and likewise upon modification.