
NextDrive Information Security Policy

  1. Purpose

This Information Security Policy (hereinafter "this Policy") is established to describe the management mechanisms and related procedures by which NextDrive's information security management system (hereinafter "the ISMS") is implemented; to ensure the confidentiality, integrity and availability of the company's information assets; to achieve the company's information security objectives and meet the information security requirements of applicable laws, regulations and customer contracts; and to protect those assets from deliberate or accidental threats, whether internal or external.

  2. Scope

This Policy applies to all units within the scope of the company's ISMS, covering the information records, physical environments, machinery and equipment, software and hardware, personnel and procedures involved in their respective business, and to all personnel who collect, process or use personal data in written or electronic form.

  3. Operations

3.1 Responsibilities

3.1.1 The company's General Manager approves this Policy.

3.1.2 The Document Team reviews and promotes this Policy and is responsible for communicating the requirements for achieving the information security objectives. This Policy takes effect once approved; the same applies to any revision.

3.1.3 All company staff shall comply with the provisions of this Policy.

3.2 Information Security Policy and Objectives

3.2.1 Information Security Statement

To emphasize the company's responsibility for implementing information security management, the following policy statement has been adopted, chosen to be simple, easy to remember and consistent with the information security management objectives: "Implement sustainable corporate development, ensure normal operations, and protect the company's confidential data and customer privacy."

3.2.2 In accordance with the requirements of ISO 27001, the company ensures the planning, implementation, operation, monitoring, review, maintenance and continual improvement of its information security.

3.2.3 The company has established an Information Security Management Committee, composed of the Deputy General Manager and the first-level supervisors of each unit, which coordinates the promotion, review and approval of information security matters.

  1. The Information Security Management Committee shall periodically identify the external and internal issues that affect the operation of the ISMS, the information security requirements of interested parties (including legal and regulatory requirements and contractual obligations), and the relevance of business activities and of work carried out with other departments.

  2. The Committee shall communicate with internal and external interested parties on information security issues. Routine internal communication takes place through meetings, training, official documents or announcements; ad hoc issues are communicated according to administrative procedures, and the communication arrangements are consolidated and updated annually.

3.2.4 The company's management shall demonstrate leadership and commitment to this Policy by:

  1. Ensuring that an information security policy and objectives are established and are consistent with the company's strategic direction.

  2. Ensuring that ISMS requirements are integrated into the company's business processes.

  3. Ensuring that the resources needed for the ISMS are available.

  4. Communicating to staff the importance of effective information security management and of conforming to ISMS requirements.

  5. Ensuring that the ISMS achieves its intended outcomes.

  6. Directing and supporting staff to contribute to the effectiveness of the ISMS.

  7. Promoting continual improvement.

3.2.5 The company regularly manages the documents and records of the ISMS.

3.2.6 Risk management shall be carried out according to the security requirements of the company's operating environment and business, including information system classification, information asset inventory, risk identification, risk analysis and evaluation, calculation and approval of acceptable risk, and approval and execution of risk treatment.

3.2.7 Competence and awareness training for information security-related personnel is conducted regularly.

3.2.8 Attention is paid to outsourcing security, and the company fulfils its duty to supervise and manage outsourced services.

3.2.9 The company maintains a standards-compliant cloud service policy for providing secure, protected and compliant cloud services in the cloud environment. To ensure that its cloud services meet the highest security standards, the company has adopted a set of policies, measures and procedures to protect customer data and systems.

3.2.10 When an information security incident occurs, the company shall promptly report it and carry out emergency response to reduce its impact and damage and to ensure that business operations are restored normally and in a timely manner.

3.2.11 To strengthen the company's ability to respond to information and communication security threats and risks, the company keeps abreast of the latest security technologies, network attacks and threat patterns, and uses information security intelligence-sharing mechanisms to transmit and exchange the latest security intelligence, so that its security protection mechanisms can be adjusted dynamically for the best defensive effect.

3.2.12 To ensure the continuity of the information security aspects of the company's operations, the company defines the information security control principles for business continuity management, establishes a business continuity management process and framework, and prepares and implements a business continuity plan.

3.2.13 Audits are performed to verify that the information security controls are being implemented.

3.2.14 To ensure that nonconformities in information security management are corrected effectively, the actual state of information security implementation is reviewed each year, with the aim of continually improving the company's information security.

3.3 Information Security Objectives, Communication and Evaluation

3.3.1 Information security objectives shall be set in accordance with the company's information security policy.

3.3.2 The company's information security objectives are as follows:

  1. Ensure the confidentiality, integrity and availability of information system operations.

  2. Implement business continuity management for information operations.

  3. Strengthen the security protection of information systems.

  4. Improve staff awareness of and professional competence in information security.

3.3.3 Measurement of Information Security Objectives

  1. Each year the Risk Management Team compiles and proposes the measurement items, target values, measurement methods, required resources and measurement results for information security performance and control effectiveness, to serve as the baseline for performance evaluation.

  2. Monitoring and measurement shall be carried out at least annually, and the results reported to the Information Security Management Committee for review. Where a measurement item fails to meet its target value, the person responsible for that item shall take corrective action.

3.3.4 Communication of Information Security Objectives

The Information Security Management Committee shall communicate the requirements for achieving the information security objectives to the relevant staff, and management shall lead and motivate staff to strive to achieve them.
