Information Security & Privacy Protection
Information Security Management Measures
MCUT coordinates with the Ministry of Education annually to handle relevant matters, including the "Regulations on the Notification and Response of Cyber Security Incidents," the "Operating Procedure for Cybersecurity Notification and Response of Schools at Different Levels under Taiwan Academic Network," and the cybersecurity notification and practice plans formulated by the Ministry of Education each year. Additionally, in accordance with the "Operating Provisions on Classification of Cyber Security Responsibilities Levels," MCUT carries out operations related to information security incident drills, such as information security health diagnosis and penetration tests.
To safeguard the confidentiality, integrity, availability, and regulatory compliance of the core business information system and relevant information assets of the university, and to achieve the goals of "Improving Information Security Management System, Providing Safe and Effective Services, and Assuring Sustainable Business Operation," we hereby establish an "Information Security Policy" to be observed. Moreover, MCUT has established an Information Security Committee and an information security management organization and formulated an Information Security Policy. The responsibilities of the committee and the organization include deliberating on and planning the information security policy and the education and training plans, promoting the implementation of the information security management system, and handling other relevant matters, all in support of the goals stated above. Through this information security management organization, MCUT will promote information security management and ensure the security of its information systems and business.
The organization's main responsibilities are designated as follows: The Chief Sustainability Officer oversees and guides the implementation of relevant policies, leads meetings, and coordinates relevant affairs. The Information Security Representative assists in holding meetings, coordinating affairs, and presiding over daily operations. The Information Security Execution Team formulates policies, provides education and training, and assists in inventory-taking and risk management. The Information Security Audit Team conducts internal audits and project reviews and evaluates implementation status. Business management units must adhere to relevant regulations and coordinate accordingly.
Since 2008, the information management department has proactively implemented the Information Security Management System (ISMS) and developed the Information Security Policy and risk management mechanism. The department has planned verification of the version change to ISO 27001:2022 for July 2024. From 2023 to 2026 (2023: Administration; 2024: Teaching; 2025: Research Centers; 2026: Comprehensive implementation), there are plans to expand ISMS practices university-wide and conduct internal audits at least once a year.
Information Security Incident Drills and Notification Mechanism
Every year, MCUT collaborates with the Ministry of Education to manage various issues related to cybersecurity. This includes dealing with regulations such as the "Regulations on the Notification and Response of Cyber Security Incident" and the "Operating Procedure for Cybersecurity Notification and Response of Schools at Different Levels under Taiwan Academic Network." MCUT also participates in cybersecurity notification and practice plans established by the Ministry of Education annually. In addition, in compliance with the "Operating Provisions on Classification of Cyber Security Responsibilities Levels," MCUT is involved in activities related to information security incident drills, such as information security health diagnosis and penetration testing.
We adhere to the "Operating Procedure for Cybersecurity Notification and Response of Schools at Different Levels under Taiwan Academic Network" in the reporting of information security incidents on the education organization's notification platforms. MCUT has established a privacy protection appeal process to address personal data grievances, complaints, and disclosure incidents. In the event of an information security incident, timely notification within 1 hour and comprehensive resolution within 36 hours are required. Once an information security incident is resolved, the case closure will be announced on the notification and response website, and the handling process and incident completion time will be documented. Importantly, in 2023, there were no major information security incidents or confirmed privacy or personal data disclosure complaints.
Information Security Education and Training
The fundamental goal of information security is to safeguard each unit's systems and ensure their safe use. Information security education is typically a long-term process of training and education. To enhance information security awareness among the faculty and staff of the university, MCUT consistently organizes information security education, training, and advocacy activities each year. These activities cover topics such as information security knowledge, an introduction to attack models, recent major information security incidents, and other relevant issues. Throughout these activities, numerous real-life cases are shared to give participants a clear understanding of the basic concepts of information security and to help prevent potential problems.