Information Security Policy

1. Policy Purpose
The Academia Sinica Grid Computing Centre for High Energy Physics and Scientific Computing (hereinafter referred to as “the Center”) establishes this Information Security Policy (hereinafter referred to as “the Policy”) to promote information security and cloud security management systems, to build a secure and trustworthy information operating environment, and to ensure the security of data, systems, equipment, and networks. This Policy aims to safeguard information security, enhance cloud security, and improve service quality.
________________________________________
2. Scope of Application
This Policy applies to all Center staff, partners, and external parties (such as government agencies, suppliers, etc.), all of whom are responsible for complying with the Policy.
________________________________________
3. All Center staff and external personnel shall keep in mind the information security awareness slogan:
“Information Security is Everyone’s Responsibility.”
________________________________________
4. Information Security Policy and Objectives
4.1 Information Security Management and Legal Compliance
4.1.1 All Center staff must sign the “Academia Sinica Employment Contract.” External personnel participating in Center projects must sign the “External Personnel Agreement.” Both must comply with relevant national laws and regulations, including but not limited to the National Secrets Protection Act, the Trade Secrets Act, the Personal Data Protection Act, the Copyright Act, the Criminal Code, the Cybersecurity Management Act, its Enforcement Rules, and its subordinate regulations. Staff and external parties must not cause information leaks or engage in illegal activities.
4.1.2 Third parties handling work entrusted by the Center must have sound cybersecurity management measures in place for the relevant procedures and environments, or must hold third-party certification. If entrusted work is subcontracted, the scope and counterparties of the subcontracting, and the subcontracted work itself, must likewise be covered by cybersecurity maintenance measures.
________________________________________
4.2 Access to and modification of commissioned, collaborative, or project-related data must be strictly controlled: access permissions must be configured on all project files, and sensitive (confidential) information must be encrypted before transmission.
________________________________________
4.3 Cloud Service Security Management
4.3.1 In response to cloud service security risks, cloud services must be designed, built, and provided in accordance with the requirements of ISO/IEC 27001 and ISO/IEC 27017, with proper risk management.
4.3.2 All internal personnel involved in cloud service design, planning, construction, and operations must sign documents acknowledging their legal responsibilities and obligations at the time of employment.
4.3.3 Internal personnel must sign confidentiality agreements to ensure proper control over confidential or sensitive data.
4.3.4 Access to system information follows the principles of least privilege and minimum necessary information, with account and role-based access control.
4.3.5 Registration for and application of platform system access rights is restricted to specifically designated cloud platform operations personnel.
4.3.6 Cloud services operate on a multi-tenant platform. Each tenant is allocated an independent virtualized space, ensuring that VM deployment and usage are isolated from other tenants.
4.3.7 Users will be proactively notified in advance of any platform optimization, adjustments, or changes that may affect services.
4.3.8 Cloud service change management must be handled by designated personnel.
4.3.9 Management access to VMs must be secured through encrypted connections such as SSH or VPN.
4.3.10 Cloud service account lifecycle management must be enforced.
4.3.11 The cloud platform must maintain time-stamped historical records of all operations on subscribed resources, including provisioning, modification, and decommissioning.
4.3.12 The cloud service provider is located in Taiwan and is responsible for storing and protecting customer data.
4.3.13 Violations and incidents must be communicated and shared to support investigation and evidence collection.
________________________________________
4.4 Information Security Objectives and Metrics
4.4.1 Confidentiality Objective: The number of detected incidents of sensitive data leakage must not exceed one per year.
4.4.2 Integrity Objective: The number of reported incidents of data tampering must not exceed one per year.
4.4.3 Availability Objective: The number of unexpected outages of the backbone network connection to Academia Sinica lasting over 48 hours must not exceed two per year.
4.4.4 Compliance Objective: As determined by the annual audit of information security management system operations, the number of violations of national laws and regulations (e.g., National Secrets Protection Act, Trade Secrets Act, Personal Data Protection Act, Copyright Act, Criminal Code, Cybersecurity Management Act) must not exceed two per year.
________________________________________
5. Policy Review
5.1 This Policy must be reviewed at least once annually to ensure compliance with government regulations and to reflect the latest developments in information technology, thereby ensuring the effectiveness of information security management operations.
5.2 This Policy must be reviewed by the Management Committee or approved by the Management Representative. It shall take effect upon promulgation and be communicated in written, electronic, or other forms to all staff, partners, and relevant units for compliance. Revisions shall follow the same procedure.

Information Security Policy (translated from the Chinese-language version)

1. Policy purpose: The Academia Sinica Grid Computing Centre for High Energy Physics and Scientific Computing, Institute of Physics (hereinafter “the Center”), establishes this “Information Security Policy” (hereinafter “the Policy”) to promote its information security and cloud security management systems, to build a secure and trustworthy information operating environment, and to ensure the security of data, systems, equipment, and networks, thereby safeguarding information security and cloud security and improving service quality.
2. Scope: All Center staff, partners, and external parties (such as government agencies and suppliers) are responsible for complying with this Policy.
3. All Center staff and external personnel shall keep in mind the awareness slogan: “Cybersecurity is everyone’s responsibility.”
4. Information security policy and objectives:
4.1 Information security management and regulations
4.1.1 All Center staff must sign the “Academia Sinica Employment Contract”; external personnel participating in Center projects must sign the “External Personnel Agreement”; and all must comply with the requirements of national laws and regulations, including the National Secrets Protection Act, the Trade Secrets Act, the Personal Data Protection Act, the Copyright Act, the Criminal Code, the Cybersecurity Management Act, its Enforcement Rules, and its subordinate regulations, and must not cause any leak or unlawful incident.
4.1.2 Third parties handling work entrusted by the Center must have sound cybersecurity management measures in place for the relevant procedures and environments, or must have passed third-party certification. The scope and counterparties of any subcontracting of entrusted work, and the subcontracted work itself, must likewise be covered by cybersecurity maintenance measures.
4.2 For access to or modification of commissioned, collaborative, or project data, access permissions must be configured on all project files, and sensitive (confidential) information must be encrypted before transmission.
4.3 Cloud service security management:
4.3.1 In response to the information security risks of cloud services, cloud services are designed, built, and provided in accordance with the security requirements of ISO/IEC 27001 and ISO/IEC 27017, with proper risk management.
4.3.2 All internal personnel involved in the design, planning, construction, and operation of cloud services sign, at the time of hiring, an acknowledgement of the legal responsibilities and obligations they bear.
4.3.3 All relevant internal personnel understand and sign confidentiality undertakings so that confidential or sensitive data is properly controlled.
4.3.4 Internal personnel access system information on the principles of least privilege and minimum necessary information; permissions are controlled through account application and role classification.
4.3.5 Only specifically designated cloud platform operations personnel may register and apply for platform system access rights.
4.3.6 The cloud service is a multi-tenant platform. Every tenant has its own independent virtualized space, so that deploying and using VM services does not affect the service resources of other tenants.
4.3.7 When platform optimization, changes, or adjustments to the cloud service may affect service, users are proactively notified in advance.
4.3.8 During change management of the cloud service, a designated person handles any related issues.
4.3.9 Management of VMs in the cloud service must be performed over encrypted connections (SSH or VPN) to secure the connection.
4.3.10 Lifecycle management of cloud service accounts is enforced.
4.3.11 The cloud platform keeps a time-stamped history of all operations on subscribed resources, including provisioning, modification, and decommissioning.
4.3.12 The cloud service provider is located in Taiwan and stores and protects cloud service customer data.
4.3.13 Violations are communicated and information is shared to assist investigation and evidence collection.
4.4 Information security objectives and measurements:
4.4.1 Confidentiality objective and metric: the number of detected leaks of sensitive data, counted annually, must not exceed one.
4.4.2 Integrity objective and metric: the number of reported cases of data tampering, counted annually, must not exceed one.
4.4.3 Availability objective and metric: the number of unexpected outages of the backbone connection to Academia Sinica headquarters exceeding 48 hours, counted annually, must not exceed two.
4.4.4 Compliance objective and metric: based on the annual audit of information security management system operations, the number of cases violating national laws and regulations such as the National Secrets Protection Act, the Trade Secrets Act, the Personal Data Protection Act, the Copyright Act, the Criminal Code, and the Cybersecurity Management Act must not exceed two.
5. Policy review:
5.1 This Policy shall be evaluated and reviewed at least once a year to meet the requirements of government regulations and to reflect the latest developments in information technology, ensuring the effectiveness of information security management operations.
5.2 This Policy must be reviewed by the Management Committee or approved by the Management Representative. It takes effect on the date of promulgation and is communicated in written, electronic, or other form to all staff and partner vendors or units for compliance; the same applies to amendments.