The Investigation Bureau of the Ministry of Justice (MJIB) formulates this policy in order to strengthen its information security management and that of its subordinate organizations; establish a credible information environment for the judicial system; ensure the security of data, systems, equipment, and networks; and safeguard public rights and interests.
This policy is based on the “Key Points for Information Security Control of the Executive Yuan and Its Subordinate Agencies” and draws on the “Regulations Governing the Executive Yuan’s and Its Subordinate Agencies’ Information Security Control,” the ISO27001 standard for information security management systems, and the MJIB’s requirements. It is intended to establish an information security control system, strengthen information security protection, and raise the standard of information security.
Principle of information security
Information security is considered everybody’s responsibility.
Definition of information security
Information security refers to the application of control procedures and protection technology to all information operations (including the software used in information systems, hardware equipment, media for storing information and data, and printer output) in order to secure the collection, processing, transmission, storage, and circulation of information.
Scope of information security
Objectives of information security
Organization of information security
Principle of allocation of information security responsibility
Principle for categorization, classification, and evaluation of assets
Class of unacceptable risks
After evaluation, assets are divided into different risk classes. For those above the unacceptable risk index level, a “Risk Improvement Plan” shall be formulated as the basis for supervision and control, and its execution shall be tracked to ensure thoroughness.
The MJIB will, in keeping with ISO27001 standards, require a statement of applicability to document whether the control standards and measures are applicable and, if not, the reasons for inapplicability. When the organizational structure, personnel, equipment, or physical environment changes, the management review board shall redefine the applicability of control measures.