Cybersecurity Policy
The Small and Medium Enterprise Credit Guarantee Fund of Taiwan (hereinafter referred to as “TSMEG”), in adherence to the principle of maintaining a secure environment for business operations, is committed to the comprehensive protection of its information systems and the data stored, processed, transmitted, or disclosed therein. To prevent incidents such as damage, theft, leakage, alteration, misuse, or infringement, TSMEG has established the following Cybersecurity Policy:
- To ensure TSMEG’s information and communications security and prevent cybersecurity incidents.
- To enhance the efficiency of guarantee operations and achieve sustainable development objectives.
The related methods are:
1. Strict compliance with the Cyber Security Management Act and its subordinate regulations, the Personal Data Protection Act and its enforcement rules, the Copyright Act, the Electronic Signatures Act, and other relevant laws.
2. To effectively ensure information security, TSMEG shall formulate security standards across all cybersecurity domains.
3. The objective of this policy is to protect the confidentiality, integrity, and availability of business information assets, thereby ensuring the delivery of secure, stable, and efficient information services.
4. All cybersecurity incidents or discovered vulnerabilities shall be reported in accordance with TSMEG’s related procedures.
5. A comprehensive reporting and response mechanism must be in place to ensure the continuing operation of information systems and critical business in the event of cybersecurity incidents.
6. Information containing personal data must be managed prudently in accordance with the Personal Data Protection Act and related regulations. Unauthorized collection or disclosure of business information is prohibited, and use for non-business purposes is strictly forbidden.
7. Senior management shall actively participate in and support cybersecurity activities.
8. Employees at all levels shall receive cybersecurity education, training, and awareness programs in accordance with the Cyber Security Management Act and working needs. This ensures that all employees understand the importance of cybersecurity, recognize potential security risks, and are familiar with their responsibilities to ensure compliance with security regulations.
9. Only legally licensed software shall be used. Downloading software from unknown sources is strictly prohibited.
10. Outsourced service providers must comply with TSMEG’s policy and all related procedures. Unauthorized use or misuse of TSMEG’s information assets is strictly prohibited. For services involving restricted data, a non-disclosure agreement must be signed.
11. A management review meeting shall be held at least once every year to assess the implementation of TSMEG’s cybersecurity program, including establishing performance indicators and evaluating outcomes.
12. A risk assessment mechanism for information assets shall be implemented, and the risk assessment must be conducted at least once a year. Acceptable risk levels shall be reviewed and determined by the Cybersecurity Promotion Task Force.
13. An annual business continuity drill and cybersecurity incident reporting drill must be conducted, including testing and review of the procedures.
14. Rewards and penalties related to cybersecurity matters shall be handled in accordance with TSMEG’s work regulations.
This policy clearly affirms the importance of maintaining cybersecurity. All employees of TSMEG, outsourced vendors and their employees, and temporary personnel involved in business with TSMEG are expected to fully understand and comply with this policy to safeguard TSMEG’s information security and support sustainable operations.
This policy shall be enforced upon approval by TSMEG’s organizational representative, and the same procedure shall apply to any amendments.