Information Security
Information Security Management Policy
To establish a secure environment for data, systems, equipment, and network communications, the Office of Library and Information Services has formulated an Information Security Policy and implemented an Information Security Management System (ISMS). An Information Security Management Committee is in place to convene annual management review meetings, addressing the results of previous reviews, changes in internal and external issues, feedback on information security performance and trends, stakeholder input, and risk assessment results. Based on these discussions, the committee evaluates and confirms the continued relevance and adequacy of the information security policy in light of current conditions and emerging trends.
Develop Smart Campus Administration System
● Build Smart Campus Administration System: Develop a high-quality, non-quantitative smart campus administration system based on the needs of all administrative and academic units.
● Expand System Functions: Gradually expand and add functions to existing systems to meet regulations, align with administrative processes, and improve efficiency.
● Upgrade Systems for Higher Performance: Upgrade and revamp systems, adopting mainstream application technologies to enhance development and maintenance performance.
● Enhance System Security: Follow information security standards, improving systems annually through vulnerability scanning and penetration testing to strengthen overall security.
Strengthen Campus Information Infrastructure
● Establish High-Speed Campus Network: Continuously replace outdated network equipment, wiring, and wireless infrastructure, while enhancing data center operations management.
● Create Advanced Computing Environment: Expand virtual platforms for teaching, research, and projects, as well as the CSU Cloud Desktop, and promote the use of public cloud services.
Information Security Management System Implementation Flowchart

Information Security Incident Management and Actions
In the event of a suspected information security incident, staff from the Office of Library and Information Services follow the Information Security Incident Management Procedures to assess the incident and report it to the relevant units. In 2024, the university recorded two incidents, neither of which was severe. To enhance system efficiency and strengthen security levels, the office has advanced the development of a smart campus administration system, upgraded the campus information environment, and reinforced overall security through vulnerability scanning and penetration testing, building a comprehensive information security protection network for the university.
Information Security Training
The university conducts regular training and internal/external audits to strengthen faculty, staff, and student awareness of information security and personal data protection. In 2024, the Office of Library and Information Services held eight training sessions on information security and personal data protection, with a total attendance of 578 participants.
| Training Session | Date | Number of Participants |
| --- | --- | --- |
| 2024 Personal Data Protection Awareness & Case Study Session | 2024/2/01 | 134 |
| 2024 Personal Data Breach Simulation Drill | 2024/4/29 | 87 |
| Information and Communication Asset Inventory Training (In-person) | 2024/3/13 | 76 |
| Information and Communication Asset Inventory Training (Online) | 2024/3/15 | 20 |
| Application System Protection Standards Training | 2024/4/17 | 31 |
| Information and Communication Asset Risk Assessment Training (In-person) | 2024/6/13 | 36 |
| Information and Communication Asset Risk Assessment Training (Online) | 2024/6/13 | 76 |
| 2024 Social Engineering Information Security Training | 2024/12/19 | 118 |
Personal Information Protection
To protect and manage faculty, staff, and student data, the university issued the Cheng Shiu University Privacy Protection Statement and, in compliance with relevant laws, established a personal data protection policy.
A Personal Information Management System (PIMS) supports data storage, tracking, and management, overseen by a dedicated committee. In August 2024, the university passed the SGS audit and obtained BS 10012 certification, with no data breaches reported that year.
Key Controls for Personal Data Protection
● Ensure compliance with all applicable regulations on personal data protection.
● Verify that the collection, processing, and use of personal data do not exceed the authorized scope.
● Confirm that the personal data protection organization is established in accordance with regulations.
● Review annually whether the retention of personal data files meets legal requirements; regularly update inventory accuracy and conduct risk assessments.
● Ensure that cross-unit data transfers are reviewed and approved by authorized units, with records maintained.
● Manage the collection, storage, and disposal of personal data in accordance with established procedures.
● Safeguard the rights of data subjects as stipulated in the Data Subject Rights Management Regulations.
● When outsourcing personal data processing, sign a written contract and comply with legal notification requirements for data collection and processing.
● Implement emergency response measures in the event of a personal data security incident.
Information Security and Personal Data Management System Certification
The university regularly conducts third-party audits of its information security and personal data management systems to ensure data confidentiality, availability, and integrity.
In 2024, six core administrative systems—Student Information, Attendance, Continuing Education Enrollment, Work-Study Insurance, Course Syllabus, and Faculty Evaluation—were verified. The university obtained ISO 27001:2022 certification in August after an external audit on June 18.
From 2024, personal data management audits and maintenance are handled by external consultants, with certification discontinued. That year, internal audits covered the Admissions Office, Early Childhood Care and Education, and Civil Engineering departments.
ISO 27001 Information Security Management System (ISMS) Certification
● 2018 – Obtained ISO 27001:2013 international certification for the scope of Student Information System and Employee Attendance Management System operations and maintenance, along with management of related data centers and network infrastructure support activities.
● 2021 – Expanded scope to include the development, operation, and maintenance of the Continuing Education Division Enrollment System and the Work-Study Insurance System.
● 2023 – Continued recertification of four core systems to maintain certification validity.
● 2024 – Continued recertification of four core systems, added two more core systems, and in August passed the external audit to obtain ISO 27001:2022 Information Security Management System certification.
● 2025 – Continuing recertification of six core systems to ensure certification validity.
BS 10012 Personal Information Management System (PIMS) Certification
● 2017 – Implemented a university-wide Personal Information Management System (PIMS) and obtained BS 10012:2017 international certification.
● 2020 – Conducted certification audits for five high personal data–risk units: Office of Academic Affairs (Registration and Curriculum Sections), Office of Student Affairs (Student Guidance Section), Office of Human Resources, Office of General Affairs (Cashier Section), and Office of Accounting.
● 2023 – Conducted certification audits for the Continuing Education Division (Academic Affairs Section), Office of Student Affairs (Extracurricular Activities Section), Office of Human Resources, Admissions Office, and the Departments of Computer Science and Electronic Engineering, and obtained certification.
● 2024 – Engaged consultants to conduct internal audits, focusing on the Admissions Office, the Department of Early Childhood Care and Education, and the Department of Civil Engineering, while continuing to implement all related procedures.

