I. Basis
1. Cyber Security Management Act
2. Enforcement Rules of the Cyber Security Management Act
II. Purpose
The policy is hereby set for the fortification of cyber security management; establishment of safe and reliable electronic
government; assurance of information, system, equipment, and internet security; and protection of the public's rights.
III. Cyber security policy
The cyber security policy of the National Property Administration (NPA) is ‘Cyber security is the responsibility of all’.
Each colleague must be familiar with and follow the cyber security protocol and concretely implement the protection
of information equipment and systems in order to ensure the cyber security of the NPA.
IV. Definition of cyber security
It denotes the protection of information systems or information from unauthorized access, use, control, leak,
sabotage, change, destruction, or other forms of intrusion to ensure the confidentiality, integrity, and usability thereof.
V. Goal of cyber security
1. To ensure the confidentiality, integrity, and usability of the business information.
2. To ensure the effectiveness and continuity of the business information operations.
3. To ensure that cyber security measures comply with requirements of the policy and laws.
4. To ensure the proper protection and utilization of personal information.
5. To establish the concept of ‘Cyber security is the responsibility of all; cyber security protection begins with me;
security when using information is top priority’.
6. The occurrence of cyber security events will be no more than 3 per year.
7. Each person should receive 3 hours or more of general cyber security educational training per year.
VI. Principles and standards of cyber security
1. Each rule of the NPA’s cyber security management must comply with the related laws and regulations of the
government (for example: the Criminal Code, the Classified National Security Information Protection Act, the
Patent Act, the Trademark Act, the Copyright Act, and the Personal Information Protection Act).
2. The personnel of the NPA must receive cyber security educational training related to the job and be familiar with
the duty of cyber security of the job.
3. Cyber security monitoring, reporting, and response mechanisms must be established in order to ensure the
immediate processing of cyber security incidents.
4. A continued operational plan must be set. Regular drills must be held in order to ensure the continuance of business
operations.
5. The policy requires an assessment at least once a year and shall be revised as necessary in order to reflect the
up-to-date development status of the government’s cyber security management policy, laws and regulations,
technology and business and ensure the feasibility and effectiveness of cyber security practice.
6. The policy herein must be communicated in written, electronic, or other formats to the personnel of the NPA, public and
private agencies (institutions) that have business with the NPA, and companies that provide information services, so that
they comply with said policy.
VII. Scope of cyber security
The scope of cyber security is as follows. The relevant departments and personnel must set related protocols or
implementation plans based on the following items and review the results on a regular basis:
1. Personnel security management.
2. Computer system security management.
3. Internet management and access protocol.
4. Access control management.
5. Application system development and maintenance security management.
6. Information asset security management.
7. Real and environment security management.
8. Continued operations management.
9. Cyber security maintenance and audit/verification management.
VIII. Cyber security organization
1. Establishment of cyber security organization
The deputy supervising chief of the information business will be the Chief Cyber Security Officer and responsible
for promoting and supervising cyber security related affairs while also establishing a cross-departmental ‘cyber
security handling unit’ which will coordinate cyber security policy, planning, resource dispatch and other items.
2. Division of labor in the cyber security organization
(1) The principles of division of labor of cyber security organization are as follows:
1. The study on cyber security, planning, measures, and technical protocol, and the research, construction, and
assessment of security technology are to be spearheaded by the information department.
2. The study on data and information system security, usage control and protection are the responsibility of
related departments.
3. The maintenance and audit of information confidentiality are the responsibility of the internal affairs office and
related departments and units.
(2) Establish exclusive personnel for cyber security based on the Regulations on Classification of Cyber Security
Responsibility Levels.
(3) Should there be insufficient manpower, ability and experience in cyber security, experts, scholars, organizations or
groups may be consulted to provide consulting services.
3. The connection between responsible agencies and parties of interest
(1) Maintain appropriate connection to related responsible agencies and parties of interest.
(2) Implement cyber security intelligence sharing according to the Cyber Security Information Sharing Regulations.
IX. Responsibilities
1. The personnel of the NPA must abide by the laws and regulations of the Classified National Security Information
Protection Act, the Cyber Security Management Laws and its branch laws and the Personal Information Protection
Act, Points on Information Security Management of Executive Yuan and Affiliated Agencies, and various operational
protocols of the NPA.
2. Each department and unit supervisor is responsible for abiding by, supervising, and executing the policy herein and
related operational protocols.
X. Rewards and disciplinary actions
1. Personnel who perform well in the execution of cyber security operations will be rewarded according to ‘National
Property Administration, Ministry of Finance and Affiliated Agency Personnel Discipline Regulations’ and
‘Regulations on Working Temporary Personnel’.
2. Personnel who violate the cyber security regulations will be punished according to ‘National Property Administration,
Ministry of Finance and Affiliated Agency Personnel Reward and Punishment Regulations’ and ‘Regulations on
Working Temporary Personnel’; persons who violate provisions prescribed in Article 2 of ‘Public Functionaries
Discipline Act’ shall be processed according to Article 19 of said Act; persons suspected to have violated the
‘Criminal Code’ shall be referred to the judicial agency for investigation; persons involved in national restitution will be
held accountable for damages according to the ‘State Compensation Law’.
3. Non-NPA personnel having violated the cyber security regulations will be held accountable for criminal and civil
responsibilities.
XI. Cyber security emergency event processing mechanism
In the event of a cyber security event, it shall be handled and processed according to the reporting and response
operational protocol of the NPA.
XII. Related documents and forms
1. Related documents
(1) 2A01 National Property Administration, Ministry of Finance Personnel Security Management Protocol.
(2) 2B01 National Property Administration, Ministry of Finance Computer System Security Management Protocol.
(3) 2C01 National Property Administration, Ministry of Finance Internet Management and Usage Protocol.
(4) 2D01 National Property Administration, Ministry of Finance Access Control Management Protocol.
(5) 2E01 National Property Administration, Ministry of Finance System Development and Maintenance Security
Management Protocol.
(6) 2F01 National Property Administration, Ministry of Finance Information Asset Security Management Protocol.
(7) 2G01 National Property Administration, Ministry of Finance Real and Environment Security Management Protocol.
(8) 2H01 National Property Administration, Ministry of Finance Continued Operations Management Protocol.
(9) 2I01 National Property Administration, Ministry of Finance Cyber Security Maintenance and Audit Control Protocol.
(10) 3001 National Property Administration, Ministry of Finance Points on Establishment of Cyber Security Processing
Unit.
2. Forms used
(1) 4001 National Property Administration, Ministry of Finance 4-stage Cyber Security Document Table.
XIII. Attached regulations
The policy herein is enforced at the time of approval by the Director-general; same applies to revisions.