Chapter IV. Security Management Measures
Article 19
To prevent personal information from being stolen, tampered with, damaged, destroyed, leaked, or otherwise violated, the clearinghouse shall adopt the management measures under Articles 20 to 23 in accordance with the characteristics of its business, the workstations used to access personal information, the categories and quantity of personal information, and the tools and methods used for transmitting personal information.
Article 20
The clearinghouse shall adopt the following personnel management measures:
1. Designating employees to take charge of the processes for collecting, processing and using personal information respectively (hereinafter "respective operation").
2. Setting different priorities of access authority for each respective operation and putting them under control, managing access authority by using a specific authentication mechanism, and regularly reviewing the appropriateness and necessity of the access authority priorities set.
3. Requiring all relevant staff to observe the related obligation of confidentiality.
Article 21
The clearinghouse shall adopt the following operation management measures:
1. Setting instructions for the respective operation.
2. Setting rules for the use of portable storage media when computers and relevant apparatuses are used for processing personal information.
3. Determining whether encryption is necessary for the storage of personal information, and if it is necessary, adopting a proper encryption mechanism.
4. Determining whether encryption is necessary for the transmission of personal information in terms of the mode of transmission used, and if it is necessary, adopting a proper encryption mechanism and verifying the accuracy of the recipient's information.
5. Evaluating whether it is necessary to make a backup copy of personal information in accordance with the importance of information retention, and if it is necessary, saving a backup copy of such information; determining whether encryption is necessary for the backup information, and if it is necessary, adopting a proper encryption mechanism; keeping proper care of the media storing backup information and conducting restore testing regularly to ensure the validity of the backup information.
6. Ensuring that information stored in the media is properly deleted, or that the media are physically destroyed, before media storing personal information are transferred to other people or disposed of.
7. Properly preserving the passwords used in the authentication mechanism and encryption mechanism, and taking proper actions when it is necessary to give such passwords to other people.
Article 22
The clearinghouse shall take following management measures for its physical environment:
1. Implementing necessary access control in accordance with the differences between respective operations.
2. Keeping proper care of the storage media for safeguarding personal information.
3. Installing necessary disaster prevention equipment for the different environments of the respective operations.
Article 23
The clearinghouse shall adopt following technical management measures when it uses computers or relevant apparatuses for collecting, processing or using personal information:
1. Setting up an authentication mechanism on computers, or relevant apparatuses or systems, and conducting identification and control of the staff authorized to access personal information.
2. When the authentication mechanism involves an account name and password, ensuring the mechanism has a certain degree of sophistication in terms of security, and changing the password regularly.
3. Setting up alerts and relevant response mechanisms on the computers, or relevant apparatuses or systems, to properly react to and handle abnormal access activities.
4. Carrying out identity authentication on terminals that provide access to personal information for identification and control purposes.
5. Setting the quantity and scope of access authority for personal information within the extent necessary for the respective operation; sharing access authority for the respective operation is not allowed in principle.
6. Using firewalls or routers to prevent unauthorized access to systems storing personal information.
7. Ensuring that users have access authority when using application programs that can access personal information.
8. Testing the effectiveness of the access authentication mechanism regularly.
9. Examining regularly whether the setting of personal information access authority is proper.
10. Installing anti-virus software on the computer systems that process personal information and updating the virus definitions regularly.
11. Installing patches for vulnerabilities in computer operating systems and related programs regularly.
12. Assessing the threat of malware regularly and ensuring the stability of the computer systems after installing anti-virus software and patches.
13. Not installing file-sharing software on terminals with access authority.
14. Not using real personal information when testing the information system for processing personal information; clearly stating the procedure to be followed if real personal information is used.
15. Ensuring that the level of security does not decline when there is a change in the information system for processing personal information.
16. Checking the usage records of the information system for processing and accessing personal information regularly.