YDU Information Services

Information Security Policy

Information Security Management Policy

1. Purpose

This policy establishes the university's information security management system to ensure the confidentiality, integrity, and availability of information assets, and to comply with relevant regulations, thereby protecting the rights and interests of all faculty, staff, and students.

2. Scope

This policy applies to university staff, external personnel with access to university business data, outsourced service providers, and visitors.

3. Definitions

  • Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
  • Integrity: The property of protecting the accuracy and completeness of assets.
  • Availability: The property that authorized individuals can access and use information as needed.
  • Information Security: The systematic application of policies, procedures, and controls to protect information assets from human error, malicious actions, or natural disasters.
  • Information Assets: All assets used in university operations, including personnel, documents, electronic data, systems, hardware, network devices, and facilities.

4. Responsibilities

The university has established the "Information Security and Personal Data Protection Committee" responsible for policy approval, supervision, security prevention, and crisis management.

5. Management Indicators

To evaluate the achievement of information security management objectives, the following management indicators are established:

Information Security Objectives

  1. No annual leakage of sensitive information of faculty, staff, or students.
  2. No annual tampering of faculty, staff, or student data.
  3. Ensure the university network and server room services maintain 97% uptime annually, with service interruptions not exceeding 8 times per year and no longer than 8 working hours each time.
  4. Ensure core business systems maintain 98% uptime annually, with service interruptions not exceeding 8 times per year and no longer than 8 working hours each time.

Information Security Management Items

The information security management scope covers the following 14 areas, which address the potential risks to the university's server room and core systems and aim to prevent misuse, leakage, tampering, or destruction of data due to human error, malicious actions, or natural disasters:

  1. Information security policy formulation and assessment
  2. Information security organization
  3. Human resource security
  4. Asset management
  5. Access control
  6. Cryptography (encryption control)
  7. Physical and environmental security
  8. Operational security
  9. Communications security
  10. System acquisition, development, and maintenance
  11. Supplier relationships
  12. Information security incident management
  13. Business continuity management in information security
  14. Compliance

Information Security Management Principles

  1. Critical information assets should be regularly inventoried, classified, and risk-assessed, with appropriate protection measures implemented accordingly.
  2. Access rights to important information assets should follow job responsibilities, using encryption and authentication mechanisms as needed.
  3. Complete reporting and response procedures must be established for information security incidents to ensure continuous operation of systems and business.
  4. Business continuity plans should be developed and regularly tested to ensure systems can recover within the planned timeframe in case of incidents.
  5. Relevant personnel should receive regular information security education and training.
  6. Periodic audits should be conducted to ensure implementation of security policies and procedures.
  7. Violations of policies should be addressed in accordance with relevant laws or university regulations.

6. Review

This policy shall be reviewed at least once a year to reflect updates in government regulations, technology, and business developments, ensuring sustainable operations.

7. Implementation

This policy is approved by the "Information Security and Personal Data Protection Committee," ratified by the university president, implemented, and announced. Revisions follow the same procedure.