The Cargo Clearance Automation System and its related operations are the core business of this Administration. To protect the security of the information assets related to this core business (information assets include data, systems, equipment, etc.) against external threats and against improper management and use by internal personnel, which could lead to the risk of tampering, disclosure, destruction or loss, this Information Security Policy (hereinafter referred to as "this Policy") is established.
This Policy is formulated in accordance with relevant laws and regulations, including the Cyber Security Management Act, the Customs Act, the Personal Data Protection Act and the Information and Communication Security Policy and Organizational Management Guidelines of the Ministry of Finance and Its Subordinate Agencies, taking into account the needs of customs clearance operations.
The vision of this Administration is as follows:
To provide convenient and secure customs clearance services.
I. The Nature of Information Security
The nature of information security can be broadly grouped into the following three categories:
1. Availability: ensure that all information assets can provide timely and correct services to meet users' needs.
2. Integrity: classify information assets by importance and provide appropriate protection to ensure the integrity of those assets.
3. Confidentiality: appropriately classify data by confidentiality level, and regulate and protect it according to that level. Based on the characteristics of this Administration's core business and its vision, information security means ensuring the integrity, availability and confidentiality of the information assets of the Cargo Clearance Automation System and its related operations.
II. Purpose
To meet this Administration's expectations and requirements for the maintenance of information security, this Administration will, on the basis of this Policy, in accordance with organizational development needs and with consideration of information asset risks, establish a complete, feasible and effective Information Security Management System (hereinafter referred to as ISMS) to provide the best protection for this Administration's information security. This satisfies the following control objective of the ISO 27001 standard: to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
- Clause A.5.1
Scope of certification:
1. The use of the Cargo Clearance Automation System (including the Customs-Port-Trade Single Window and the Advance Cargo Information System) by the Planning Division, Audit Division, Investigation Division, Clearance Division, Tariff and Legal Affairs Division, Statistics Office, Accounting Office and Civil Service Ethics Office.
2. The development, maintenance, use and operation of the Cargo Clearance Automation System by the Information Management Division, together with the security controls of the related infrastructure.
III. Policy
To achieve the above purpose, this Administration, on the basis of the relevant policies, has established the indicators in the "Information Security Management System Objectives List" (Appendix 1) and the "Effectiveness Measurement Table" (Appendix 2), so that the effectiveness of the overall information security system can be monitored effectively.
This Policy applies to all staff of this Administration (including technical workers, contract employees and contract substitute personnel), all Customs offices, contracted vendors, outsourcing vendors and all related information assets.
1. Senior managers of this Administration shall actively participate in Information Security Management System (ISMS) activities and provide support for the ISMS.
2. The Information and Communication Security Handling Team of the Customs Administration and each Customs office is responsible for maintaining and implementing this Administration's information security; for the responsibilities of this team, refer to the Information Security Organization Responsibilities and Division Procedure.
3. Each division (office) of this Administration shall implement the requirements of this Policy through appropriate procedures.
4. All staff, Customs offices, contracted vendors and outsourcing vendors shall comply with this Policy.
5. All of the above personnel shall report any information security incidents or suspected information security weaknesses they discover through the appropriate reporting mechanism.
To achieve the organization's vision and meet the quantitative and qualitative policy objectives, this Administration has established a Risk Assessment and Management Procedure to effectively manage the risks faced by information assets and reduce them to an acceptable level.
1. Any staff member, Customs office, contracted vendor or outsourcing vendor of this Administration who fails to comply with this Policy or related information security regulations, or who engages in any other conduct that endangers this Administration's information security, will be subject to appropriate disciplinary procedures or legal action. Those who propose improvements to information security regulations or technology that prove effective upon implementation shall be appropriately rewarded.
2. All staff, Customs offices, contracted vendors and outsourcing vendors of this Administration shall sign an Information Security Responsibility and Confidentiality Agreement, and shall understand that all information obtained during their work with this Administration is the property of this Administration and may not be used for any other unauthorized purpose.
This Policy shall be reviewed at least once a year to reflect the latest developments in government regulations, technology and operations, and to ensure the effectiveness of information security practices.
The core operation of the Customs Administration (hereafter referred to as the bureau) is the Cargo Clearance Automation System and its related operations. In order to protect the security of the bureau's information assets related to this core operation (information assets include data, systems, equipment, etc.) against external threats and against improper management and use by internal personnel, which could lead to the risk of tampering, disclosure, destruction or loss, the bureau has drawn up this Information Security Policy (hereafter referred to as the policy).
The policy is defined in accordance with relevant decrees and regulations, including the “Executive Yuan and its subordinates Information Security Management Point”, “Executive Yuan and its Subordinates Information Security Management Constraint”, “Ministry of Finance and its Subordinates Information Security Management Principle”, “Directorate General of Customs, Ministry of Finance and its Subordinate Offices Information Security Management Operation Regulation”, “Customs Law” and “Data Protection Law”, and takes customs clearance requirements into consideration.
The bureau's vision is:
To provide convenient, efficient and safe customs clearance service.
4.1 The essence of information security
The essence of information security can be roughly divided into three categories:
(1) Availability: guarantee that all information assets can offer timely and correct service in order to meet users' demands.
(2) Integrity: classify information assets by importance and offer proper protection to ensure the integrity of information assets.
(3) Confidentiality: properly classify data by confidentiality grade and give proper norms and protection in accordance with that grade. According to the characteristics of the bureau's key business and its vision, information security means ensuring the integrity, availability and confidentiality of the Cargo Clearance Automation System and related business information assets.
4.2 Objective
In order to achieve the bureau's expectations and requirements for information security maintenance, the bureau will, based on this policy, in accordance with organizational needs and in consideration of information asset risk, establish an integral, feasible and effective information security management system (hereafter referred to as ISMS), so as to provide the best guarantee for the bureau's information security. This conforms with the following control goal of the ISO 27001 standard: to offer management direction and support for information security in accordance with operational requirements and relevant laws and regulations.
- Clause A.5.1
Scope of ISMS: The Information Security Management System of the Customs Administration, Ministry of Finance, R.O.C. in the provision of development and maintenance of the Cargo Clearance Automation System, including:
(1) Clearance System for Sea Cargo.
(2) Clearance System for Air Cargo.
(3) EDI System for Sea Cargo.
(4) EDI System for Air Cargo.
(5) Internet Declaration System for Air Cargo.
(6) Simplifying Application System for Express Consignment.
4.3 Policy
In order to reach the above-mentioned purpose, the bureau divides the relevant policy into two types: quantitative and qualitative.
(1) The quantitative policy:
A. Guarantee that the service availability of the Cargo Clearance Automation System reaches above 99% for the whole year.
B. Fewer than two incidents occur every half year.
C. Goods clearance “Q&A forms” (document number: 0154029) for the Cargo Clearance Automation System must be handled by the information management department within five days of receipt; the target achievement rate is 95% for the whole year.
D. Guarantee that relevant information security measures and norms accord with the current information security management standard, operational requirements and relevant laws and regulations (check at least once every half year).
E. Maintain and test the feasibility of the business continuity management plan (test it at least once every half year).
F. In accordance with the function and responsibility of each office, and with reference to the “Implementation Plan for the Grading of Information Security Responsibility Levels of Government Agencies (Organizations)”, the hours of education and training shall meet the normal requirement, granting staff proper information security and related training.
G. Set up information asset risk assessment and assess risk at least once every year.
(2) The qualitative policy:
A. Strengthen internal control and prevent improper, unauthorized access, so as to ensure the proper protection of information assets.
B. Properly protect the confidentiality and integrity of information assets.
C. Guarantee that information is never disclosed to unauthorized persons during transmission or through unintentional behavior.
D. Guarantee that information security incidents or suspicious security weaknesses are reported through the proper notification mechanism and are properly inspected and handled.
This policy applies to all colleagues of the bureau (including skilled workers and employed-by-contract, work-study and alternative-military-service personnel), every tariff bureau, signing vendors, outsourcing vendors and relevant information assets.
First, the first-class executive managers of every department (office) of the bureau should actively participate in ISMS activities and offer proper support to the ISMS.
Second, the information security handling group of the bureau and every tariff bureau is responsible for the maintenance and implementation of the bureau's information security; for the duties of this group, please refer to the Information Security Organization Responsibilities and Division Procedure documentation.
Third, every department (office) of the bureau should implement the requirements of this policy through proper procedures.
Fourth, all colleagues, every tariff bureau, signing manufacturers and outsourcing companies have a responsibility to follow this policy.
Fifth, the above-mentioned personnel are responsible for reporting information security accidents or suspicious information security weaknesses through the proper reporting mechanism when they find them.
In order to reach its vision and meet the quantitative and qualitative policy goals, the bureau has specially established a risk assessment and management procedure, in order to manage information asset risk and reduce it to an acceptable range.
A. Any colleague, tariff bureau, signing manufacturer or outsourcing company that has not followed the policy or relevant information security regulations, or has engaged in any other behavior threatening the bureau's information security, will be subject to the proper punishment procedure or legal action. Those who offer suggestions for improving information security decrees or technology that prove effective when carried out should be properly rewarded.
B. All colleagues of the bureau are required to sign the “Confidential Agreement on Customs Personnel Information Security Responsibility” and to be aware that all information accessed during their working period in the Customs Administration belongs to the Customs Administration and is not allowed to be used for other unauthorized purposes.
This policy should be reappraised at least once a year to reflect the up-to-date status of government regulations, technology and operations, and to ensure the effectiveness of information security practice.