Purpose of Data Security Management
1、Ensure protection of company processor, network devices and cyber security, to decrease risk of data being stolen, leak, alter, damage due to human negligence, intentional damage, or natural causes.
2、Ensure confidentiality, integrity and availability of company data.
Confidentiality: ensure data is solely available to authorized personnel
Integrity: ensure correct data is retrieved, without being tampered
Availability: ensure required data is available to authorized personnel
Content of Data Security Policy
1、Company data and information security management must follow related regulations enacted by government (such as: Cyber Security Management Act, Criminal Code, Classified National Information Protection Act, Patent Act, Trademark Act, Copyright Act, Personal Data Protection Act.)
2、Allocating management personnel in data security management unit, responsible for establishing data security policy and promotion affaires.
3、Performing training sessions for information security on regular basis, educate data security, related rules and regulations.
4、Establishing a mechanism of processor and network access management, coordinate the distribution and resources.
5、Before launching new system, possible risk and safety is taken into account to prevent data security damage.
6、Establishing machine room and environmental safety measurement, perform maintenance on regular basis.
7、Clear protocol for network system access rights, prevent unauthorized access.
8、Establishing internal audit plan, inspect periodically all employees and devices condition in the scope of information security management policy, execution of preventive measure according to audit report.
9、Establishing backup and trail for business continuity management, ensure uninterruptedness of organizational operation.
10、All employees are responsible for maintaining information security and abide by the regulations of company information security management standard.
11、If second outsourced is needed from outsourced service provider, should evaluate risk of data security, undertake proper supervision of the outsourced service provider in accordance with the provisions of these regulations.
12、In the process of managing internal and external cases, should indicate clearly the requirement of data security for related cases, ensure the confidentiality, integrity and availability of the cases, reduce risk of information leak (incudes personal data) and violation of regulations.
13、Conduct information security evaluation and audit at least once a year, to keep management policy, government regulations technology technique and company business in current development states, ensure feasibility and efficiency of the management policy, maintain the possibility of operation and providing appropriate services.
Risk Management Structure
1、IT department is responsible unit for data security, IT manager and IT associates are allocated in this department, responsible for setting up internal data security policy, plan and execute data security protection, as well as promote data security policy and implementation, announce company data security status on regular basis.
2、Auditing office is the inspection unit for data security, audit manager and auditor are allocated in this office, responsible for auditing status of internal data security. If any defect is discovered, inspected unit must provide improvement action plan, and trace for improvement result to reduce internal data security risk.
3、Operation of the organization rely on periodically audit and rotate management, ensure to achieve reliability goal and constant improvement.
1. Data security management
-Establish data security policy
-Establish data security operation procedure
-Educate data security policy and staff training
-mplement data security measure
3. Risk evaluation
-Evaluate data security risk
-Audit data resource
4. Risk improvement
-Improve internal operation procedure
-Acquire external solutions
Solution of Data Security Management
Mechanism of data security management：
1、Policy standard: establish data security management policy and standard to guide personnel operant conditioning
2、System protection: establish data security management system to implement data security and protection measures
3、Staff training: execute training on data security to promote awareness of all employee
Measures of Data Security Management
Policy standard：Company will establish data security policy and standard internally, employees are guided with data security behavior, related policy will be inspected yearly according to operational status and alter whenever needed.
System protection：To prevent internal and external risk, multi-layer network structure and data protection system are employed to improve overall data security. Additionally, audit mechanism for operation procedure and data security management tools are developed to ensure employee behavior comply to company policy standard, implementing measurement of data security management.
Staff training：Company perform periodically data security training sessions for new employee, and educate employees about data security in timely manner to improve associates data security knowledge and professional skills.
Data security policy and management measure：
|Management of rights||Employee ID, Rights management, System operation||ID rights management and audit
Regular inspection on access rights
|Access control||Employee access to internal and external system Security measure for data delivery||Control of internal and external access
Control of data leak
Tracking of operation
|External risk||Potential weakness of internal system
Measures of anti-virus and anti-hacking
|Processor vulnerability check and update measures
Anti-virus, anti-hacking, detection of trash or malware
|System accessibility||Status of system accessibility and measure for system disruption||Monitor accessibility status of system/network and reporting mechanism
Emergency response of service disruption
Data and system backup mechanism
Regular training for damage recovery
Company reporting procedure of data security as follow, data security incident report and management abide by the stated procedures standard.