 

Information Security

 

Material issue

Privacy protection and information security

Annual performance

● Completed ISO 27001 information security international certification
● Completed BS 10012 personal information international certification
● A total of 1,568 people participated in information security-related education and training in 2022

Response action

● Introduced information security management system (ISMS) and personal information management system (PIMS)
● Developed a smart school administration system and improved the campus information equipment and environment
● Conducted information security education and training

SDGs

 

Information Security Management Policy

To create an information security environment for data, systems, equipment, and network communications, the School’s Office of Library and Information has formulated the Information Security Policy and introduced the Information Security Management System (ISMS), as well as established an Information Security Committee. Annual management review meetings are convened regularly to discuss the outcome of the previous management review, changes in internal issues and external issues, information security performance feedback and trends, feedback from stakeholders, and risk assessment outcome. Furthermore, the suitability of the Information Security Policy is evaluated based on the circumstances and trends.

 

Information Security Incident Management and Actions 

If a suspected information security incident occurs, the personnel of the Office of Library and Information will determine the nature of the incident according to the Information Security Incident Management Manual and report it to relevant units. In 2022, one information security incident took place in the School, caused by vulnerabilities such as the weak password of the energy management system and the failure of authorization control. The information security notification was issued by the HITCON ZeroDay Vulnerability Reporting Platform. The problem was remedied by the contractor immediately, thus no data leakage occurred.
To improve the operation efficiency of the School’s information system and continue to elevate the system security level, the Office of Library and Information enhanced the campus information environment by developing a smart school affairs system. Furthermore, vulnerability assessments and penetration tests were conducted to reinforce overall system security and form a comprehensive information security protection network for the School.

 

Develop a smart school administration system


  • Build a smart school administration system: Develop a high-quality, non-quantitative smart school administration management system based on the needs of the School’s administrative offices and teaching units
  • Expand the school administration system’s functions: Progressively expand and add to the existing school administration system’s functions to comply with regulations and administrative procedures and increase efficiency
  • Update the system to improve performance: Update the obsolete FoxPro school administration system and introduce mainstream application technology to uplift development and maintenance performance
  • Strengthen the school administration system’s security: Abide by information security regulations and progressively improve the system every year, while vulnerability assessments and penetration tests are carried out to fortify the overall system security

 

 

Bolster the campus information environment

  • Build a high-speed campus network: Continue to renew outdated network equipment and cables and the wireless environment, and reinforce network data center management
  • Establish a forward-looking computing environment: Expand the teaching research and special topic virtual platform and the CSU Cloud Desktop, and promote public cloud service applications

 

Information Security Education and Training

The School regularly organizes education and training and internal/external audits to increase the faculty and staff’s awareness of information security and personal information protection. In 2022, the School’s Office of Library and Information conducted 5 online information security-related education and training courses (due to the pandemic at that time, online training was arranged), which were attended by 1,568 people.

 

| Name of 2022 information security-related education and training course | Number of participants |
|---|---|
| Personal information verification | 376 |
| Personal information impact analysis | 430 |
| Risk evaluation | 343 |
| Personal risk management | 324 |
| Performance indicator evaluation | 95 |

 

Personal Information Protection

To ensure the protection and management of the personal information of the faculty, staff, and students, the School has stipulated personal information management policies and regulations based on the Personal Data Protection Act, Enforcement Rules of the Personal Data Protection Act, Implementation Measures for the Security Maintenance of Personal Data Files in Private Junior Colleges and Above and Private Academic Research Institutions, as well as other relevant laws and regulations. The Personal Information Management System (PIMS) was introduced to preserve, track, and manage personal information. Also, the Personal Information Committee has been created to coordinate the planning of personal data protection operating principles and the implementation of related systems. In 2022, no leakage of personal information of the faculty, staff, and students that resulted in damages to the rights and interests of organizations or individuals took place.

 

Key points of personal information protection and control:

  • Whether the protection of personal information complies with the requirements of relevant laws and regulations
  • Whether the collection, processing, and utilization of personal information exceed the scope of the application
  • Whether a personal information organization has been formed according to regulations
  • Review whether the retention of personal information files complies with the requirements every year; regularly maintain the accuracy of personal information inventory data and conduct risk evaluations
  • Whether cross-unit data circulation has been reviewed by the responsible unit and records have been kept
  • Whether the collection, retention, and destruction of personal information has been conducted according to management regulations
  • Whether the personal information stakeholders’ rights are protected under Stakeholders Rights Management Regulations
  • Whether written contracts are signed with the contractors processing the personal information; whether personal information collection and processing comply with statutory notices
  • Whether emergency response measures are implemented in the event of a personal information security incident

 

Information Security and Personal Information Management System Certification 

The School also regularly conducts third-party certification for its information security and personal information management systems, thereby establishing a management procedure that meets international standards to ensure the confidentiality, availability, and integrity of information on campus.

ISO 27001 Information Security Management System (ISMS) Certification

  • Obtained the ISO 27001: 2013 international certification in 2018 with Student Status Management System and Employee Attendance Management System, Operation and Maintenance, and Management of Related Computer Room and Network Infrastructure Support Activities
  • Included the Development, Operation, and Maintenance of the Independent Recruitment System of the Division of Continuing Education and the Part-time Insurance System in 2021
  • Continued to review the four core systems in 2022 to ensure the validity of their certification within the scope

 

BS 10012 Personal Information Management System (PIMS) Certification

  • The School introduced the PIMS in 2017 and obtained the BS 10012: 2017 international certification.
  • In 2020, verification audits were conducted on five units with high personal information risks including the Office of Academic Affairs’ Registration and Curriculum Section, Office of Student Affairs Student Assistance Section, Personnel Office, Office of General Affairs’ Cashier Section, and Accounting Office.
  • In 2023, verification audits and certifications will be carried out for the Division of Continuing Education’s Academic Affairs Section, Office of Student Affairs’ Extracurricular Activities Section, Personnel Office, Office of Admissions, Department of Computer Science and Information Engineering, and Department of Electronic Engineering.