
Information Security Policy


The Small and Medium Enterprise Credit Guarantee Fund of Taiwan (hereinafter referred to as Taiwan SMEG) aims to secure transactions and business operations through the Information Security Policy (hereinafter referred to as the Policy). In order to protect the data stored, processed, transmitted or disclosed by Taiwan SMEG against incidents such as data corruption, theft, leakage, tampering, misuse and infringement, the Information Security Policy is formulated as follows:

Ensure information security and prevent cyberattacks.
Foster the efficiency of credit guarantee operations for sustainable development.

1. Abide by the Cyber Security Management Act and its sub-acts, the Personal Data Protection Act and its enforcement rules, the Copyright Act and the Electronic Signatures Act, alongside other relevant laws and regulations.

2. Formulate security regulations for each information security field to ensure the information security of Taiwan SMEG.

3. The primary goal of the Policy is to protect the confidentiality, integrity and availability of business information to ensure the provision of safe, stable and efficient information services.

4. Follow Taiwan SMEG’s information security event notification mechanism to report any information security incidents or information security weaknesses discovered.

5. Formulate comprehensive reporting and response measures for information security incidents to ensure the continuous operation of information systems and important businesses.

6. Personal data should be processed carefully in accordance with the Personal Data Protection Act and relevant regulations. Collecting or disclosing business information privately or for non-official use is strictly prohibited.

7. The senior executives of Taiwan SMEG shall actively participate in information security management, and shall support and commit to information security.

8. Conduct information security training programs in accordance with the provisions of the Cyber Security Management Act and on the basis of the personnel’s roles, functions and job levels. The training programs help the personnel understand the importance of information security and all possible security risks. The training programs also raise the personnel’s awareness of information security and familiarize them with their information security responsibilities at work.

9. Only use software with legal copyright and licenses, and avoid downloading software from unknown sources online.

10. Subcontractors shall abide by the provisions of the Policy and related procedures, and shall not use or misuse the data of Taiwan SMEG without its authorization. Subcontractors shall sign a non-disclosure agreement when dealing with business concerning information security.

11. Hold at least one meeting every year to review the implementation of the information security policies, establish measurement indexes and evaluate the results.

12. Establish a risk assessment mechanism for information assets and conduct a risk assessment at least once a year, with the risk value to be determined by the Information Security Team.

13. Conduct drills, tests and reviews of the information system operation and the reporting mechanism of information security incidents at least once a year.

14. Rewards and punishments for staff regarding information security matters shall follow the Work Rules of Taiwan SMEG.

The Policy clearly states the importance of information security. All staff of Taiwan SMEG and its subcontractors shall be aware of the Policy in order to maintain information security and the sustainability of operations.

The Policy shall be promulgated after being approved by the representative of Taiwan SMEG; the same applies to amendments to the Policy.