Information Security Enhancement Section

To implement information security and personal data protection management, the University has established the "Information Security and Personal Data Protection Promotion Committee," which is responsible for the overall coordination, planning, resource allocation, and policy formulation for information security and personal data protection at the University.

  1. The convener shall be the Vice President (Chief Information Security Officer), responsible for supervising the promotion, coordination, and oversight of the University's information security and personal data protection management policies.
  2. The Executive Secretary shall be the Director of the Office of Library and Information Services (Information Security Officer), responsible for handling the promotion of the University's information security and personal data protection matters.
  3. Ex-officio members: Heads of all administrative and academic units (including teaching units).

Under the committee, three working groups are established: Information Security and Personal Data Protection Implementation, Education and Training, and Information Security and Personal Data Protection Audit. Members of each group shall be designated by the convener and may include personnel assigned from administrative and academic units. They are responsible for the execution and liaison of information security and personal data protection within their respective units.

Yuan Ze University Cyber Security and Personal Data Protection Committee

Matters Personnel Should Know

I. Information Security Policy

To strengthen the University’s information security management, prevent intentional or accidental threats from internal and external sources, and protect against unauthorized access, use, control, disclosure, destruction, alteration, or other forms of compromise to the University’s information environment, this policy is established to ensure the Confidentiality, Integrity, and Availability of information assets. All faculty and staff are required to comply with the following:

  1. Establish an information security risk management mechanism, and regularly review its effectiveness in response to changes in internal and external information security conditions.
  2. Protect the confidentiality and integrity of sensitive information and information systems, preventing unauthorized access and tampering.
  3. Ensure that authorized users can access information and systems when needed.
  4. Comply with applicable laws and regulatory requirements.
  5. Assess the impact of human-made or natural disasters, and develop recovery plans for core information systems to ensure the continuity of essential operations.
  6. Strengthen the resilience of core information systems to maintain uninterrupted University operations.
  7. Provide information security education and training in response to evolving threats, enhancing staff awareness. All faculty and staff must actively participate in such training.
  8. Implement disciplinary measures for personnel who violate information security requirements in the course of their duties.
  9. Do not open emails from unknown or unidentifiable senders.
  10. Prohibit multiple users from sharing a single system account.

II. Information Security Objectives

(A) Quantitative Objectives

  1. Ensure data center operation and maintenance services achieve an availability rate of at least 97% during annual working hours.
  2. Ensure that no Level 4 information security incidents occur throughout the year.
  3. Achieve an email social engineering drill open rate below 10% and an attachment click rate below 6%.
  4. Ensure that all employees complete the required information security training hours in accordance with their roles and responsibilities under the Information Security Management Act, with a 100% completion rate.

(B) Qualitative Objectives

  1. Strengthen internal controls to prevent unauthorized access and ensure appropriate protection of information assets.
  2. Meet the requirements of information security responsibility classification and reduce exposure to security risks.
  3. Ensure that all information security incidents or suspected vulnerabilities are reported through proper channels, investigated, and appropriately addressed.

(C) Approval Procedures for Policy and Objectives

In accordance with the “Yuan Ze University Information Security and Personal Data Protection Promotion Committee Charter,” the University shall review its information development strategies, policies, and objectives annually. Upon approval by the Committee, the policies and objectives shall be submitted to the Administrative Council for deliberation and final approval by the President.

(D) Promotion of Policy and Objectives

The information security policy and objectives shall be communicated to all personnel and stakeholders (e.g., IT service providers) through written documents, email, website announcements, or other appropriate means, and their implementation effectiveness shall be reviewed.

(E) Periodic Review Procedures

The information security policy and objectives shall be reviewed annually. Revisions shall be made as necessary in response to organizational, operational, legal, or environmental changes.

  1. Information Security Awareness: Regularly update passwords, apply program updates, and exercise caution when downloading files.
  2. Within the office environment, only use information equipment, networks, and software provided and authorized by the University.
  3. During working hours, do not access non-work-related websites. Avoid malicious or phishing websites. Report any abnormal connections to the information security contact point.
  4. Do not use official email accounts to register for non-official websites such as social media platforms or e-commerce services.
  5. Official communications and data transmission must be conducted using official email accounts. Non-official email accounts must not be used to send or discuss official information.
  6. When using instant messaging applications, do not transmit sensitive official information.
  7. Confidential documents transmitted electronically must be encoded and encrypted.
  8. Retrieve documents immediately after using copiers, printers, or fax machines.
  9. After work hours or when leaving the office, store business-related documents in cabinets or folders. Do not leave important documents directly on desks.
  10. Account passwords must be properly safeguarded. Personal passwords must be at least 8 characters long and changed annually. If a password leak is suspected, promptly change the password and notify the information security contact point.
  11. Configure computer screen savers with password protection to activate after 10 minutes of inactivity.
  12. For outsourced operations involving ICT products or services, personal data, or intellectual property, contracts must include clauses on “Information Security and Confidentiality Responsibilities” and “Intellectual Property Protection.” The Information Security and Confidentiality Regulations must also be attached as part of the contract.
  13. Any information security concerns or anomalies must be reported immediately to the information security contact point.
  14. Comply with the Personal Data Protection Act and the Information Security Management Act.
  15. I have thoroughly reviewed the University’s Information Security Enhancement Section and understand the University’s information security vision: to strengthen personnel awareness, prevent data leakage, implement daily operations, and ensure service availability.
  16. Information Security Contact Point: Office of Library and Information Services, Network and Media Division – Tel: +886-3-4638800 ext. 3109

1. Encryption Protection Measures

  • Confidential information of the University must be encrypted during storage or transmission.
  • Information assets classified as “Sensitive” or “Restricted” must be encrypted or otherwise protected when stored on portable devices or media, to prevent leakage in case of loss.
  • The University’s encryption protection measures shall comply with the following:
    1. Users must update encryption devices and back up keys.
    2. Decryption information must not be retained.
    3. If encrypted information shows signs of being compromised, it must be changed immediately.

2. Principles of Personal Data Collection

  • Collection Statement: At the beginning of forms, clearly inform individuals of the purpose, processing, and use of personal data.
  • Minimal Collection Principle: Collect only necessary information, avoiding excessive collection to reduce storage burden.
  • Protection of Responses: Prevent accidental disclosure of responses.
  • No Online Publication: Do not enable functions that publish responses online.
  • Restricted Access: Ensure access rights are limited to authorized personnel only.
  • No Shared Folders: Do not store personal data in shared folders.

3. Media Protection Measures

  • Confidential or sensitive data stored on USB drives, disks, or similar media must be separated from general data and properly safeguarded.
  • When transmitting information via physical storage media, ensure proper packaging, assign appropriate personnel for delivery, and retain delivery and receipt records.
  • To reduce the risk of media degradation, transfer stored information to other media before it becomes unreadable.
  • Confidential and sensitive storage media, including paper documents or backup tapes, must be kept in locked cabinets, with keys managed by designated personnel.

4. Computer Usage Security

  • Desktop and Screen Security: Personal computers, servers, and hosts must be configured with password-protected screen savers (activation within 10 minutes). Computers not in use after work hours must be shut down.
  • Software Installation: To control the use of “freeware” or “shareware,” users must understand copyright requirements and must not install or distribute unauthorized software.
  • Virus Prevention: Servers and personal computers must install antivirus software where available.
  • System Security: Hosts, network devices, and software/hardware must be regularly updated with patches.
  • Office Security: Printed documents must be retrieved immediately after printing.

5. Malware Prevention

  • Windows hosts and personal computers must install antivirus software, update to the latest patches and virus definitions, and promptly fix vulnerabilities.
  • Portable devices or media from external sources must be verified as virus-free before use.
  • Emails must be scanned by antivirus software. Do not open unknown files, emails, or attachments to avoid infection.
  • Configure browser security settings to the medium security level or higher.
  • Unauthorized installation or distribution of unlicensed software is prohibited.
  • Known or suspected malicious websites must not be accessed.

6. Physical Environment Security

  • Follow desktop and screen security rules: keep desks clear and safeguard important documents.
  • Sensitive or restricted data stored on portable devices or media must be encrypted or protected, and backed up before becoming unreadable.
  • According to asset disposal regulations, sensitive or restricted information assets must be stored in locked areas with access control.
  • Sensitive systems must be isolated in accordance with application system testing/production and database security maintenance rules.
  • Paper documents and portable storage media containing personal data must be locked in drawers or cabinets when not in use or after work hours.

7. Mobile Device Security

  • When using portable devices or media, users must prevent data leakage or harm to organizational interests. Supervisors must oversee data transfer in and out, and remind staff of their responsibilities. Private portable devices or media may only access official data after risk assessment.
  • In work areas handling internal-use or higher-level data, photography or screen capture is prohibited without authorization. Use of such devices requires supervision by area managers.

8. Email Usage

  • Official documents and data classified as internal-use or above must be encrypted before being sent externally as email attachments.
  • Emails containing personal data must be encrypted.
  • Digital signatures must be applied to prevent anonymous or forged emails.
  • Official email accounts must not be used for unlawful activities or infringement of others’ rights (e.g., mass spam, chain letters, denial-of-service attacks, fraud, defamation, obscenity, harassment, illegal software trading, or other unlawful content).
  • Comply with the University’s “Campus Network Usage Regulations” and “Email Usage Regulations.”

9. Instant Messaging Software

  • When using email, instant messaging, external applications, or information exchange platforms, staff must establish appropriate control procedures for different levels of information assets to ensure adequate protection.
  • To prevent unauthorized access to confidential data, access control principles must be established and enforced in accordance with the “Asset Management Procedures” and “Data Exchange Regulations.”
  • Sensitive official information must not be transmitted via instant messaging software.

I. Compliance with the Cybersecurity Act

In accordance with the requirements of the Cybersecurity Act, all government agencies and institutions must complete the mandated information security education and training hours before the end of each year.

(A) Legal Basis for Education and Training

  • According to Article 4, Paragraph 4 of the “Regulations on the Classification of Information Security Responsibility Levels for the Ministry of Education, Its Agencies, and Schools”, the University’s information security responsibility level is classified as Level C.
  • In accordance with the “Regulations on the Classification of Information Security Responsibility Levels” under the Cybersecurity Management Act, and specifically Appendix 5: Matters to Be Implemented by Government Agencies at Level C, the University must implement measures under the “Awareness and Training” category, specifically “Information Security Education and Training.”

(B) Training Hour Requirements

Agencies must ensure that personnel complete training hours in accordance with their designated information security responsibility level:

  • Dedicated Information Security Personnel (or those with designated responsibilities): Each individual must complete at least 12 hours per year of “Information Security Professional Training Courses” or “Information Security Competency Training.”
  • IT Personnel (excluding dedicated information security staff): Each individual must complete at least 3 hours every 2 years of “Information Security Professional Training Courses” or “Information Security Competency Training,” and at least 3 hours per year of “General Information Security Education and Training.”
  • General Users and Supervisors: Each individual must complete at least 3 hours per year of “General Information Security Education and Training.”

(C) Course Requirements

  • Information Security Competency Training: Training hours must be obtained by attending courses organized by training institutions certified by the Administration for Cyber Security, Ministry of Digital Affairs (Cybersecurity Talent Training Service Network).
  • Information Security Professional Training: Courses should correspond to the strategic, managerial, and technical aspects outlined in the Information Security Competency Development Framework. (See: https://ctts.nics.nat.gov.tw/about/Training)
  • General Information Security Education and Training: Courses covering general information security concepts or internal awareness programs on the agency’s information security management regulations.

II. Training Resources

  • General Information Security Courses organized annually by the Office of Library and Information Services (announcements to be made separately). 【General】【Professional】
  • E-Government Learning Platform: https://elearn.hrd.gov.tw 【General】【Professional】【Competency】
  • Campus Network Center Courses 【Professional】【Competency】
  • Online Courses by the Information Security Certification Center for Educational Institutions 【Professional】【Competency】
  • Cybersecurity Talent Training Service Network 【Competency】