YDU Information Services

View count: 8162

Information Security Management (ISMS)

Overview of Information Security Management

To ensure the confidentiality, integrity, and availability of the university’s information assets, and in compliance with relevant laws and regulations, the university has implemented the Information Security Management System (ISMS) since 2009 to strengthen cybersecurity protection. Through multiple external audits and certifications, our information security measures have been fully recognized:

  1. In 2009, the Information Technology Office introduced the ISMS framework.
  2. In July 2010, we passed a third-party external audit by the Information Security Certification Center for educational institutions.
  3. In 2013, 2016, and 2019, we passed security certifications under the latest standards.

These achievements demonstrate the university’s strong capability in safeguarding information assets and our continuous maintenance of certifications to ensure ongoing improvements in information security management.

Promotion of ISMS

Since 2023, the university has fully implemented ISMS, actively aligning with the Ministry of Education’s cybersecurity performance indicators. We established the “Cybersecurity Steering Committee,” responsible for reviewing security goals and policies, monitoring implementation across the university, and ensuring continuous improvement. The committee also advances security management based on policies, laws, and national cybersecurity requirements.

Below are the main security measures adopted while providing convenient information services:

Information Security Certificate

Main Security Measures

The university continuously strengthens its information security management mechanisms in accordance with the Ministry of Education’s policies and international security standards to ensure the stability and safety of campus information systems and digital services.

Security Management and Policies

  • Established ISMS and obtained information security certifications within the education system.
  • Implemented campus policies in line with the “TANet Information Security Management Program.”
  • Enforced the principle of “default deny, exception allow” for network services and protocols.
  • External maintenance vendors must obtain approval before remote access is granted.
  • Prohibited the use of PRC-branded software, hardware, and services per Executive Yuan policies, and incorporated this into training programs.
  • Contracts and venue rental regulations specify restrictions on products that may endanger national cybersecurity.

Network and System Protection

  • Real-time detection and blocking of malicious attacks through automated network monitoring.
  • Implemented dual-layer firewall systems to prevent external intrusions.
  • Adopted SSL VPN for secure remote connections.
  • Upgraded backbone network to 10Gbps, with advanced firewalls and intrusion detection systems.
  • Established offsite backup and disaster recovery mechanisms.
  • Consolidated and streamlined campus IT systems to reduce system numbers and enhance management.
  • Decommissioned or restricted access to idle or temporary websites for security control.

Equipment and Environmental Security

  • Critical information systems are centrally managed in the IT Office’s data center per MOE guidelines.
  • Built a private cloud to support university-wide teaching and administrative services.
  • Implemented smart card access control, surveillance, and temperature/humidity monitoring in data centers.
  • Provided remote monitoring and control to ensure stable operations.
  • Maintained system logs for at least six months with regular backups and drills.

Information Service Security

  • Developed a personal information portal with SSL and single sign-on mechanisms.
  • Deployed anti-spam and anti-virus systems to secure email platforms.
  • Promoted SSH for encrypted remote connections to prevent data leakage.
  • Implemented automatic antivirus updates to enhance protection.
  • Designed automated password management and reset mechanisms for account security.

Security Education and Drills

  • Held annual cybersecurity workshops to improve awareness and self-protection skills.
  • Conducted regular social engineering drills with follow-up training for affected staff.
  • Integrated cybersecurity policies and standards into new employee and campus-wide training programs.
  • Required new employees to sign the “Information Security Awareness Guidelines.”