Skip to main content
Search
12/06 (Fri) 02:24 (GMT+8)
Airplane in the sky

Security Policy

Main Content

Foreword:

This policy is defined by the Kaohsiung International Airport (hereafter referred to as “the Airport”) to ensure the security of all Airport information, information systems, equipment and networks. All Airport employees are asked to follow this policy.

Purpose:

To maintain the information managed by the Airport secure from internal, external, malicious and accidental threats or damage that may lead to the unauthorized alteration, publication, destruction or loss of business information.

Objectives:

The ultimate objective of the Airport’s information security policy is, through sound management of personnel, operations and information technologies, to ensure the safe and effective operation of the Airport’s information processing operations, the safeguarding of the public interest and the enhancing of confidence in information services. With all employees working together, the following objectives may be achieved:

 

(1) Ensure the usability and completeness of information so the information system can operate normally on a continuous basis.

(2) Ensure the confidentiality and correctness of information to safeguard the general public’s privacy rights and the quality of the information system.

(3) Prevent intrusion or damage caused by hackers and viruses as well as accidents caused by malicious or illegal behavior.

Scope:

This policy applies to all employees, contract employees, assigned personnel, outsourced services suppliers, third-party personnel and the management of all matters related to information asset security.

Content: This Policy covers the following:

The copyright of all information (including graphics and text) on the KIA Website belongs to the Kaohsiung International Airport (excluding the external websites linked to by the KIA Website).

 

(1) Information security organization and responsibilities.

(2) Information asset management.

(3) Human resources security management.

(4) Physical asset and environment security management.

(5) Communications and operations management.

(6) Access control.

(7) Acquisition, development and maintenance of information systems.

(8) Information security incident management.

(9) Operational continuity management.

(10) Compliance management.

Management Indicators:

(1) To facilitate the implementation of information security in the Airport, a security information organization is to be established with clearly defined roles and responsibilities.

(2) The Airport’s information assets should be regularly audited, categorized and classified.

(3) An appropriate information risk evaluation method should be defined for the Airport and a risk management plan developed in accordance with the results of the evaluation.

(4) An Airport information security monitoring, reporting and response mechanism should be established to ensure an immediate response to information security incidents.

(5) Define an operational continuity plan with regular tests and rehearsals carried out to ensure that the Airport’s information services are uninterrupted.

(6) Organize information security education and training every 6 months to familiarize employees with their role’s information security responsibilities.

(7) This policy shall be reviewed at least annually against regulatory and supervisory requirements on information security as well as on technological and operational changes. The policy should be amended as necessary to ensure the feasibility and effectiveness of actual information security practices.

(8) An Airport employee found to be in violation of information security regulations is to be handled with under the Civil Aeronautics Administration’s incentives and punishment regulations. Anyone found to have violated Article 2 of the Public Functionaries Discipline Act, is to be handled in accordance with Article 19 of the same law. Those suspected of having violated criminal laws shall be referred to the law enforcement agencies for investigation; if the matters involve national compensation, responsibility should be determined in accordance with the State Compensation Act and related laws. Where a person not employed at the Airport violates the information security regulations, both civil and criminal liabilities should be pursued in accordance with the law.

(9) This policy takes effect upon its approval, with amendments also taking effect upon approval.

Basis:

(1) Classified National Security Information Protection Act.

(2) Computer Processed Data Protection Act.

(3) Regulations on Information Security Management of the Executive Yuan and all Subsidiary Organizations.

(4) Guidelines on Information Security Management of the Executive Yuan and all Subsidiary Organizations.

(5) Civil Aeronautics Administration Information Security Management Regulations.

Basis:

(1) Guidelines for the Setup of an Information Security Management Organization.

(2) Guidelines for Information Asset Management.

(3) Guidelines for Human Resources Security Management.

(4) Guidelines for Physical Asset and Environment Security Management.

(5) Guidelines for Communications and Operations Management.

(6) Guidelines for Access Control Management.

(7) Guidelines for the Acquisition, Development and Maintenance of Information Systems.

(8) Guidelines for Information Security Incident Management.

(9) Operational Continuity Plan.

(10) Internal Audit Plan.

Amendment and Publication of the Information Security Policy:

Appropriate amendments should be made to this Policy on an annual basis or in response to organizational, operational, legislative or environmental changes. It should then be submitted to the director for approval before publishing and implementation.

menu