In order to ensure the data security of yours and this website's, the "Taoyuan – First Stop in Taiwan" website (hereinafter "the Website"), in accordance with the Personal Data Protection Act, has formulated the following website security policy to articulate the Website's information security practices.
1. Scope of Policy
Tourism Bureau of Taoyuan City Government (hereinafter the Bureau), in order to promote tourism, market achievements of municipal development, and promote the active application of data, allows applications for free and non-exclusive authorization of the digital data the Bureau owns. By law, the intellectual property rights are owned by the Bureau or other rights holders. In order to clearly inform and manage the scope of effective use of the data, the Guidelines for Use of Digital Data have been put in place. Those with needs for use should apply to the Bureau following the guidelines.
2. The Control of Data Access
A policy for system access and authorization requirements should be set up. Employees and users shall be informed of their privileges and responsibilities in writing, electronically or otherwise.
All data access shall be cancelled immediately for employees who have resigned or have been terminated. The cancellation of data access should be included as a mandatory procedure in the employee exit process. In the event of duty adjustments or job transfers, data access should be revised accordingly within a time limit as provided by the policy for system access and authorization requirements.
A system for user registration management shall be established to enforce the management of user passwords. User passwords, in principle, shall not be used for more than six months.
Security control over system service providers who log into the system remotely to perform system maintenance should be enhanced. A roster should be established for personnel with such responsibilities in data security and confidentiality.
A data security audit system shall be established to periodically or irregularly conduct data security audits.
3. Website Security Measures and Rules
Any unauthorized attempt to upload or modify the services and information provided by the Bureau is strictly prohibited and may break the law. To ensure website security and that the Website can continue to serve all users, the following security measures have been taken:
At the nodes connecting to external networks, a firewall must be set up to control data transfer and resource access between the external and internal networks and to enforce a strict identification process.
A network intrusion detection system shall be implemented to monitor network traffic and identify unauthorized attempts to upload or modify webpage information or to cause damages.
Anti-virus software shall be installed for regular virus scans to provide users with a safe web browsing environment.
System backup procedures must be established to regularly perform necessary data and software backup such that normal operation can be quickly resumed in the event of disaster or storage media malfunction.
Simulations of hacker attacks shall be occasionally conducted such that system recovery drills in the event of security incidents can be performed to provide the appropriate level of security defense.
Confidential and sensitive data or documents are not to be stored in the public data system. Classified documents shall not be sent by e-mail.
All security maintenance e-mail notifications from relevant operating system vendors or application program vendors shall be automatically received. Following the recommendations in the e-mails, patches shall be installed.
Internet data transmission cannot be guaranteed to be 100-percent safe. The Website will strive to protect the security of the Website and your personal data. In some cases, the generally accepted standard SSL security system will be used to ensure that data transmission is secure. However, since the data transmission process involves the level of security of your surfing environment, we cannot guarantee the security of your data transmission to and from the Website. You must pay attention to, and assume the risks involved in, online data transmission. Please understand that the consequences resulting from this is beyond the Website's control.
4. Firewall Security Management
A firewall should be established for the gateway (such as a proxy server) to provide forwarding and control of network services such as Telnet, FTP, and WWW.
The firewall is the hub of the entire network of the Bureau. In case of unexpected events, a backup shall be kept for all firewall host hardware and software.
The firewall system routinely logs all activities and incidents on the entire network. The log data should include, at minimum, the date, time, origin and destination IP, and communication protocol of the incident, for the purpose of routine management and future audits.
The firewall log shall be inspected and analyzed by the firewall manager for irregularities. The logs shall be kept for at least one year.
To ensure its security, the firewall host computer can only be logged in from system terminals and not in any other way.
The security control settings of the firewall shall be reviewed frequently and adjusted as required to ensure that the security control goals set forth are attained.
The firewall system shall be backed up on a regular basis. Back-ups shall be done on a stand-alone computer. Any other method, including online backups, is unacceptable.
The firewall system software shall be frequently updated to cope with various cyber-attacks.
5. Data Back-up Protocol
In principle, the backup of important data should be maintained for at least three generations.
The backup data shall be protected by appropriate physical and environmental measures; the safety standards of which shall match the safety standards of the main operating location as much as possible. The security control measures for computer and media in the main operating location should be applied to the backup operating location as much as possible.
The backup data should be tested regularly to ensure their usability.
6. Data Recovery Protocol
When recovering website data, except in the event of unexpected major incidents resulting in difficulties in restoring the functioning of the host computer or network, the data shall be restored to normal operation within 24 hours. The backup data shall be maintained and updated to the most recent within two days such that, after the data have been restored, programs and databases can resume normal operation immediately.
The backup data should be tested regularly to ensure their usability.
After the data recovery operation is completed, relevant personnel should continue to monitor the system for three days to ensure its normal operation and that the newly added data are correct and without errors.
7. When any modification to this security policy is completed, we will immediately publish the new policy on the Website.
Due to rapid advancement of technology, incomplete laws and regulations, and unforeseeable environmental changes in the future, the Website will modify the description of its Website Security Policy on the Website as needed to ensure web security. When any modification to this security policy is completed, we will immediately publish the new policy on the Website and highlight it for you to click and read.