Home > About > Cybersecurity Policies Area

Cybersecurity Policies Area

Organization-wide ISMS

In order to provide customers with more secured and reliable services, Environmental & GeoInformatic Technology Co. Ltd. introduced Information Security Management System (ISMS) throughout the organization, and was certified by ISO/IEC 27001:2013 Information Security Management System.

ISO27001Certificate
ISO/IEC 27001:2013 Certificate

Cybersecurity Policy

I. Objective

In order to safeguard the confidentiality, integrity and availability of proprietary information assets of Environmental & GeoInformatic Technology Co. Ltd. (hereinafter referred to as “the Company”), to comply with related legal requirements, and to protect data privacy of users from intentional or unexpected threats, either from outside or within the organization, the Company integrated cybersecurity objectives of departments at all levels, and established an overall cybersecurity policy objective as the following:

  1. 1. Protect the Company's business information from unauthorized access, and ensure confidentiality.
  2. 2. Protect the Company's business information from unauthorized modification, and ensure correctness and integrity.
  3. 3. Establish a sustainable operation plan for information related matters to ensure business continuity of the Company and availability.
  4. 4. Ensure compliance by observing legal requirements in relation to business operation.

II. Scope of application:

This policy applies to the staff, contractors and visitors of the Company. These personnel must abide by the policy and regulations governing the operation practices related to cybersecurity.

In order to prevent misusing, leaking, tampering, or damaging data resulted from negligence, intentional malpractices or natural disasters, which may impose various potential risks and hazards to the Company, cybersecurity management system governs related matters based on the following procedures in addition to Statement of Applicability, Document Management Procedure, Cybersecurity Audit Management Procedure, and Correction and Prevention Management Procedure:

  1. 1. Formulation and Evaluation of Cybersecurity Policy (Cybersecurity Policy, Cybersecurity Objective Management Procedure, Organization Panorama Analysis Procedure)
  2. 2. Cybersecurity Organization (Cybersecurity Organization Management Procedure)
  3. 3. Cybersecurity education and training for personnel (Human Resources Security Management Procedure)
  4. 4. Classification and control of important information assets (Information Asset Management Procedure)
  5. 5. Risk identification and control (Cybersecurity Risk Management Procedure)
  6. 6. Access control security (Access Control and Password Management Procedure)
  7. 7. Physical and environmental security (Physical and Environmental Security Management Procedure)
  8. 8. Operation security management (Operation Security Management Procedure)
  9. 9. Network security management (Network Security Management Procedure)
  10. 10. Security of information acquisition, development and maintenance (System Development and Maintenance Management Procedure)
  11. 11. Supplier service management (Supplier Relationship Management Procedure)
  12. 12. Response and treatment of cybersecurity incidents (Cybersecurity Incident Management Procedure)
  13. 13. Sustainable business operation management (Business Continuity Management Procedure
  14. 14. Compliance of the Company's policies with related laws and regulations (Compliance Management Procedure)

III. Powers and Responsibilities:

In order to implement the Company's cybersecurity policy, the division of powers and responsibilities is as the following:

  1. 1. The Company established a Cybersecurity Committee. The General Manager is an ex officio member of the committee and also the Chief Information Security Officer (CISO). The committee coordinates, manages and reviews the Cybersecurity Policy, plans, operations, and resource allocation.
  2. 2. A cybersecurity taskforce was established as a subordinate to the Cybersecurity Committee. A management representative of the taskforce would be appointed by the CISO. The taskforce drafts and amends management procedure documents at all levels in accordance with cybersecurity requirements of the Company, and maintain effective operation of the Company's cybersecurity management system. Results of cybersecurity works should be reported to the Cybersecurity Committee for management and review at least once a year.
  3. 3. Each unit of the Company should follow relevant cybersecurity regulations formulated by the cybersecurity taskforce.
  4. 4. The staff and contractors of the Company, and system network users outside of the Company's offices should follow the Company's Cybersecurity Policy and relevant management regulations.
  5. 5. Anyone whose conducts might jeopardize cybersecurity shall bear civil and criminal responsibilities according to laws, and face administrative punishments in accordance with relevant regulations of the Company.

IV. Definition

Not applicable.

V. Operation Procedure

1. Review:

The policy should be evaluated and reviewed at least once a year to comply with the requirements of national laws and regulations, and reflect the development trends of ICT technology, so to ensure the effectiveness of the Company's cybersecurity management.

2. Implementation:
  1. 1. The effectiveness and results of the Cybersecurity Policy should be reviewed regularly every year in accordance with the time when the Cybersecurity Committee convenes for a meeting.
  2. 2. The Company should follow the Cybersecurity Objective Management Procedure (I-2-05) every year, and use Cybersecurity Objective Effectiveness Measurement Form (I-2-05-01) to measure and audit the performance of cybersecurity objectives regularly, and also the effectiveness and appropriateness of the policy objectives of each department at each level in the Company, as well as the overall policy objectives.
  3. 3. The company should regularly conduct an organization panorama analysis by using Organization Panorama Analysis Identification Form (I-2-19-01) according to the Organization Panorama Analysis Procedure (I-2-19) to identify external and internal issues that might affect the organization's ability to deliver the expected results of the cybersecurity management system, and understand the needs and expectations of stakeholders.
  4. 4. The company should define and regularly audit the Statement of Applicability (I-1-02) of the cybersecurity management system every year, including reviewing the scope of application of the cybersecurity management system, items to be included in or excluded from cybersecurity control measures, and the validity and appropriateness of reasons of doing so.
  5. 5. This policy is implemented after being approved by the Cybersecurity Committee of the Company. Amendments of the policy takes effect based on the same procedure.

VI. Forms and Related Documents:

1. Related documents:
  1. 1. Cyber security management documents at all levels of the Company
2. Forms:
  1. 1. Organization Panorama Analysis Identification Form (I-2-19-01)
  2. 2. Cybersecurity Objective Effectiveness Measurement Form (I-2-05-01)
  • Version:1.0
  • Release Date:2021/01/01
back to top