
Information Security Policy

Website Security Policy of Nantou County Scenic Area Management Office Website

The "Nantou County Government Website" (hereinafter referred to as "this website") is dedicated to ensuring the security of your data as well as the data of this website. In accordance with the spirit of the "Personal Data Protection Act," the following website security policy has been formulated to explain the practices of this website in terms of information and communication security.

  1. A. Scope of Policy

    The following website security policy applies to the collection, use, and protection of personal information related to your browsing on this website. However, it does not apply to links to other websites hosted on this website. When you click on links to other websites, the website security policy of those respective websites will apply.

  2. B. Information Access Control
    • Establish system access policies and authorization regulations, and inform employees and users of their relevant rights and responsibilities through written, electronic, or other means.
    • For departing (or retiring) employees, all of their access rights to information resources should be revoked immediately, and the necessary procedures should be completed upon their departure (or retirement). In cases of personnel role adjustments or transfers, their access rights should be adjusted within the stipulated period according to the system access authorization regulations.
    • Establish a system user registration management system and enhance user password management. The update cycle for user passwords should not exceed six months as a general principle.
  3. C. Website Security Measures and Standards
    • Any attempt to upload or modify the services and related information provided by this institution without authorization is strictly prohibited and may constitute a violation of the law. For the purpose of website security and to ensure the continued service for all internet users, this website provides the following security protection measures:
    • Points of connection with external networks are equipped with firewalls to control data transmission and resource access between external and internal networks, and rigorous identity verification processes are implemented.
    • Network intrusion detection systems are utilized to monitor network traffic and identify unauthorized attempts to upload or modify web information, as well as deliberate acts of sabotage.
    • Antivirus software is installed and regular virus scans are conducted to provide users with a safer browsing environment.
    • System backup facilities are established, and necessary data and software backups and recovery operations are regularly carried out to ensure swift restoration of normal operations in the event of disasters or storage media failures.
    • Periodic simulations of hacker attacks are performed to practice system recovery procedures in the event of security incidents and to provide appropriate levels of security defense.
    • Confidential and sensitive data or documents are not stored in publicly accessible information systems. Confidential documents are not transmitted via email.
    • Automated receipt of security maintenance email notifications from relevant operating system or application vendors is carried out, and appropriate patch installation is performed based on the recommendations in the emails.
    • The transmission of internet data cannot guarantee 100% security. This website will strive to protect both the website itself and your personal information. In some cases, a standard SSL security system is employed to ensure the security of data transmission. However, due to factors related to your internet security, we cannot guarantee the security of data you transmit or receive from this website. Please be aware of and bear the risks associated with transmitting data over the internet. Understand that any consequences arising from this are beyond the control of this website.
  4. D. Security Management of Firewalls
    • The firewall includes network service forwarding servers (such as proxy servers) to provide forwarding and control of services like Telnet, FTP, and WWW.
    • The firewall is the hub of the entire network for this institution. Backup sets should be reserved for both the firewall host and software for potential needs.
    • The firewall system of this institution routinely records network activities. The recorded log data should include at least the date, time, source and destination IP addresses, communication protocol, and other relevant information for each event, to support routine management and future audit operations.
    • The logs of the firewall maintained by this office are reviewed and analyzed by firewall administrators to detect any abnormal situations. These log files should be retained for at least one year.
    • Access to the firewall host of this office is restricted solely to system terminal access, and any other forms of access are prohibited, ensuring the security of the firewall host.
    • The security control settings of the firewall in this office should be regularly reviewed and adjusted as necessary to ensure the achievement of the intended security control objectives.
    • Regular data backups are performed for the firewall system of this office, and only local backups are allowed; backup methods involving networks or other means are not permitted.
    • The software of the firewall system in this office is frequently updated to address various network attacks.
  5. E. Data Backup Operating Principles
    • Backup of important data should be maintained with a principle of at least three generations.
    • Backup data should have appropriate physical and environmental protection, with security standards as closely aligned as possible with those of the primary operational location. Security measures for computer media in the primary operational location should be applied to the backup operational location as much as possible.
    • Regular testing of backup data should be conducted to ensure the availability of backup data.
  6. F. Data Recovery Operating Principles
    • During data recovery operations, consistency and integrity of the data are checked first.
    • For website data recovery, barring sudden major incidents or factors such as the inability to restore the hosting data center or network operations, data should be restored to normal within 24 hours. Backup data should be maintained with the most recent and complete data for up to two days. Following data recovery, both programs and databases should be immediately enabled and operational.
    • Regular testing of backup data should be conducted to ensure the availability of backup data.
    • After the completion of data recovery operations, relevant personnel should continue to observe the system for three days to ensure normal operation and the accuracy of newly added data.
  7. G. Due to the rapid advancement of technology, the incomplete nature of relevant regulations, and unforeseeable environmental changes in the future, this website may need to modify the explanations of the provided information security policy on the website in order to reinforce the safeguarding of network security. When modifications to the website's information security policy are completed, we will promptly publish them on the website and use prominent markers to remind you to go and read them.
  8. H. If you have any questions or opinions regarding the above terms, please feel free to contact us through the contact information provided on this website.
Update: 2023/05/30