1. Information security is the collective responsibility of all company employees. Employees at all levels must fully understand and fulfill their responsibilities.
2. To maintain the overall security of information assets, the establishment of information security goals, awareness, and action guidelines must consider:
- 2.1 Establishing a comprehensive information security organization;
- 2.2 Asset management;
- 2.3 Ensuring human resource security;
- 2.4 Ensuring physical and environmental security management;
- 2.5 Ensuring communication and operations management security;
- 2.6 Ensuring the establishment of secure access control mechanisms;
- 2.7 Ensuring the security of information system acquisition, development, and maintenance management;
- 2.8 Ensuring the proper handling of information security incidents;
- 2.9 Ensuring continuous business operations management;
- 2.10 Cryptographic security implementation;
- 2.11 Ensuring the secure operation of information facilities;
- 2.12 Ensuring the security management of suppliers;
- 2.13 Ensuring compliance and review of information security regulations;
- 2.14 Commitment to meeting applicable requirements related to information security.
3. The establishment and maintenance of the information security management system must fully comply with legal and contractual security responsibilities, in line with the company's corporate risk management context.
4. To effectively control information security risks, risk assessment and operational management procedures must be established and implemented, covering risk assessment methods, information security legal and regulatory requirements, risk acceptance criteria, and acceptable risk levels.
5. Develop and exercise an information security business continuity plan to ensure the continuous operation of information services.
6. Clearly define usage permissions for information systems and network services to prevent unauthorized access.
7. Establish physical and environmental security protection measures for the server room and conduct regular maintenance.
8. Implement information security education and training, and promote the information security policy and its related implementation regulations.
9. Establish a management mechanism for information hardware and software so that resources are allocated and used effectively.
10. New information systems should incorporate information security requirements before implementation, to prevent situations that could compromise system security.
11. The information security policy should be evaluated regularly to reflect the latest developments in information security management, regulations, technology, and the company's business. This ensures the feasibility and effectiveness of the company's information security practices.
12. Ensure information security measures for mobile devices and remote usage in order to manage the risks associated with using mobile devices, including protecting information accessed, processed, or stored in remote workplaces.
13. Provide guidelines for setting information security objectives.