In order to ensure the security of information assets and smooth information operations of the ministry, the following information security policy has been formulated to which all units and personnel must adhere. The content of the information security policy is in alignment with the Information Security Management Directions for the Executive Yuan and its Subordinate Agencies, the Enforcement Rules of the Personal Data Protection Act, as well as the operational objectives of the ministry.

1. Regulations for information security and management should comply with government information security-related policies, regulations, and legal requirements.
2. All measures related to information operations should ensure the confidentiality, integrity, and availability of environmental protection business data and prevent the leakage and loss of sensitive information and personal data of individual users.
3. Information assets (including software, hardware, network communication facilities, and databases, etc.) should be adequately protected, with appropriate backup and recovery measures and operations in place, so as to prevent unauthorized access or damage caused by operational negligence. Regular drills of the aforementioned backup and recovery operations should be conducted.
4. Information security incidents and potential vulnerabilities should be promptly reported and addressed according to appropriate procedures, and appropriate investigations and actions should be taken.
5. Regular information security education and training should be provided, and awareness of the information security policy should be enhanced.
6. This policy applies to all units and personnel of the ministry (including contract employees, substitute military service personnel, authorized remote units, on-site personnel from partner companies) and information assets (including information facilities located in the ministry’s office buildings, commissioned vendors, and research institutions).
7. Units and personnel that violate this policy or engage in any activities that endanger the information security of the ministry will be subject to applicable procedures or legal actions.
8. This policy should be reviewed and assessed annually to reflect changes in government regulations, technological developments, and business requirements, in order to implement effective information security operations.