Information Security
Information Security Management Policy
To establish a secure information environment for data, systems, equipment, and network communications, the Library and Information Office of our school has formulated the "Information Security Policy" and implemented the Information Security Management System (ISMS). An Information Security Management Committee has been established, holding annual management review meetings. These meetings discuss various aspects such as the results of the previous management review, changes in internal and external issues, feedback and trends in information security effectiveness, feedback from stakeholders, and risk assessment results. Based on actual conditions and trends, the appropriateness of the information security policy is assessed and confirmed.
Information Security Incident Management and Actions
In the event of a suspected information security incident, personnel from the Library and Information Office will determine and report it to the relevant units according to the "Information Security Incident Management Procedure." In 2023, no information security incidents occurred at our school. To enhance the operational efficiency of our information systems and continuously improve system security levels, the Library and Information Office is developing a smart campus administration system and enhancing the campus information environment. By conducting vulnerability scans and penetration tests, we strengthen the overall system security, creating a comprehensive information security protection network for our school.
Develop a smart school administration system |
● Build a smart school administration system
● Expand the school administration system’s functions
● Update the system to improve performance
● Strengthen the school administration system’s security
|
● Develop a high-quality, non-quantitative smart school administration management system based on the needs of the School’s administrative offices and teaching units.
● Progressively expand and add to the existing school administration system’s functions to comply with regulations and administrative procedures and increase efficiency.
● Update the obsolete FoxPro school administration system and introduce mainstream application technology to uplift development and maintenance performance.
● Abide by information security regulations and progressively improve the system every year, while vulnerability assessments and penetration tests are carried out to fortify the overall system security.
|
Bolster the campus information
|
● Build a high-speed campus network.
● Establish a forward-looking computing environment.
|
● Continue to renew outdated network equipment, cables, and the wireless environment, and reinforce network data center management.
● Expand the teaching research and special topic virtual platform and the CSU Cloud Desktop, and promote public cloud service applications.
|
Information Security Management System Implementation Flow Chart
Information Security Education and Training
Our school regularly conducts educational training and internal and external audits to enhance the awareness of information security and personal data protection among faculty, staff, and students. In 2023, the Library and Information Office organized 11 sessions of information security and personal data protection training, with a total of 1,243 participants.
Name of 2022 information security-related education and training course | Number of participants |
Personal Information Incident Drill | 91 |
Information and Communication Asset Inventory Training | 76 |
Application System Protection Standards Training | 26 |
Information and Communication System and Asset Inventory Guidance | 55 |
Risk Assessment Training | 56 |
2023 General Information Security Education Training (Supervisor Session) | 88 |
2023 General Information Security Education Training (Faculty and Staff Session) | 252 |
Information Security Management System (ISMS) Document Advocacy Course | 599 |
Personal Information Protection
To protect and manage the personal data of faculty, staff, and students, our school has issued the "Cheng Shiu University Privacy Protection Statement." In accordance with the "Personal Data Protection Act," the "Enforcement Rules of the Personal Data Protection Act," the "Implementation Measures for the Security Maintenance of Personal Data Files by Private Colleges and Universities and Private Academic Research Institutions," and other relevant laws and regulations, we have established personal data protection management policies and standards. Our school has implemented the Personal Information Management System (PIMS) to preserve, track, and manage personal data and has set up a Personal Data Committee to plan and promote the principles of personal data protection operations and related systems. In July 2023, we passed the BS 10012 certification through an SGS audit. In 2023, there were no incidents of personal data breaches that resulted in damage to the organization or individuals' rights.
Key points of personal information protection and control:
- Whether the protection of personal information complies with the requirements of relevant laws and regulations
- Whether the collection, processing, and utilization of personal information exceed the scope of the application
- Whether a personal information organization has been formed according to regulations
- Review whether the retention of personal information files complies with the requirements every year; regularly maintain the accuracy of personal information inventory data and conduct risk evaluations
- Whether cross-unit data circulation has been reviewed by the responsible unit and records have been kept
- Whether the collection, retention, and destruction of personal information has been conducted according to management regulations
- Whether the personal information stakeholders’ rights are protected under Stakeholders Rights Management Regulations
- Whether written contracts are signed with the contractors processing the personal information; whether personal information collection and processing comply with statutory notices
- Whether emergency response measures are implemented in the event of a personal information security incident
Information Security and Personal Information Management System Certification
The School also regularly conducts third-party certification of its information security and personal information management systems, thereby establishing management procedures that meet international standards to ensure the confidentiality, availability, and integrity of information on campus.
ISO 27001 Information Security Management System (ISMS) Certification |
• In 2018, we obtained the ISO 27001:2013 international certification with the scope of "Student Information Management System and Employee Attendance Management System, including their operation and maintenance, as well as the management of related data centers and network infrastructure support activities."
• Independent Admission System for the Continuing Education Department and the Work-Study Insurance System."
• In 2023, we continued to re-evaluate the four core systems to ensure the validity of the certification within this scope.
|
BS 10012 Personal Information Management System (PIMS) Certification |
• Since 2017, we have implemented the Personal Information Management System (PIMS) across the entire school and obtained the BS10012:2017 international certification.
• In 2020, we conducted certification audits for five high-risk units within the school, including the Registration and Curriculum Division of the Office of Academic Affairs, the Life Counseling Division of the Office of Student Affairs, the Personnel Office, the Cashier Division of the General Affairs Office, and the Accounting Office.
• In 2023, we will conduct certification audits and obtain certificates for the Academic Affairs Division of the Continuing Education Department, the Extracurricular Activities Division of the Office of Student Affairs, the Personnel Office, the Admissions Office, the Department of Information Engineering, and the Department of Electronic Engineering.
|