Information Security Policy

Note: This Policy is translated from the Chinese original for reference only. Any questions regarding NIIEPA's information security policy should refer to the Chinese original as the ultimate guide of NIIEPA's practice of information security.

1. Policy Statement
In order to protect the information assets of NIIEPA's core business from damage, loss, unauthorized disclosure, and exposure prohibited by law caused by external threats and internal abuses, NIIEPA therefore creates this Information Security Policy (hereinafter Policy) and requires all employees and contractors to diligently protect information as appropriate for its sensitivity level.


2. Purpose
To protect and secure the information assets under NIIEPA's supervision from falsification, unauthorized disclosure, sabotage, and loss due to external and internal threats. The information assets aforementioned include but are not limited to personally identifiable information, financial data, computing systems, equipment, research, and other information considered sensitive.


3. Scope of Application
This Policy governs NIIEPA's management of information assets. It applies to NIIEPA employees and contractual partners.


4. Definition
The three key concepts of information security are:
(1) Confidentiality: to ensure only authorized users have access to information to prevent data leakage.
(2) Integrity: to keep information accuracy intact by preventing unauthorized changes and following standard procedures of information processes.
(3) Availability: to guarantee reliable access to the information by authorized people.

Depending on the nature of the business practice, four additional principles should be included: authenticity, accountability, non-repudiation and reliability.
(4) Authenticity: to ensure proper user identity verification for information access.
(5) Accountability: to ensure that the actions of an entity may be traced uniquely to that entity, which can be held responsible for its actions.
(6) Non-repudiation: to guarantee that an operation or event on an information system has been carried out by a specific entity, so that it cannot be repudiated later.
(7) Reliability: to establish consistent intended behaviour and results in each operation.


5. Roles and Responsibilities
(1) The Information Security Supervision Unit of NIIEPA is in charge of the verification and amendments of the Policy.
(2) All NIIEPA employees and contractual partners must comply with the Policy.


6. Goals
(1) Ensure the accuracy and integrity of NIIEPA's business information to improve administrative efficiency and quality.
(2) Ensure the usability of information equipment in NIIEPA to fulfill the requirements of information service.
(3) Maintain the confidentiality of NIIEPA's business information to protect classified business and privacy information.
(4) Assist the government in implementing information security policy to enhance information security protection.
(5) Practice effective risk management for a sustainable future.


7. Measuring Indicators of Information Security
To achieve the abovementioned goals, NIIEPA has divided measuring indicators into two sets. One is quantitative and the other qualitative. These indicators are investigated and discussed in the annual management review meeting.

(1) Quantitative indicators:

  • To ensure that the time in which the information service is available accounts for 98% of the total office hours per year.
  • To ensure that the operation outage due to information security incidents, abnormal incidents and other security breaches is less than five times per year and eight working hours per time.
  • To ensure that all information security measures and standards conform to current legal requirements and undergo review at least once per year.
  • To maintain and test the feasibility of the business continuity plan. Tests must be performed at least once per year.
  • To provide all NIIEPA employees with information security training relevant to their positions and responsibilities at least once per year.
  • To perform information asset risk assessment at least once per year.

(2) Qualitative indicators:

  • To ensure that information assets are properly protected by enforcing internal controls and prohibiting unauthorized access.
  • To ensure that no information is disclosed to unauthorized third parties whether by accident or on purpose during information relay.
  • To ensure that all unexpected information security incidents and vulnerabilities are reported to corresponding units, and are properly investigated and rectified in a timely manner.
  • In case of major changes in operating environment, reassessment of the information security management system and its protocols is required.

8. Information Security Roles & Responsibilities
(1) The Information Security Supervision Unit (the Unit) of NIIEPA is responsible for the development, deployment, and amendment of the Policy on a regular basis. The Unit should conduct a review meeting with the management team to examine, update, and make necessary changes to the Policy in order to meet legal requirements and business challenges.
(2) NIIEPA's top management should proactively support the Unit in the development and implementation of the Policy.
(3) NIIEPA shall provide all employees with mandatory periodic information security training so as to raise their awareness and improve their expertise in information security.
(4) NIIEPA staff must comply with the Information Security Incident Response Protocol to file reports on security incidents and vulnerabilities.
(5) Failure to comply with the Policy may subject the individual to disciplinary measures.
(6) All third-party contractors of NIIEPA must sign a confidentiality agreement and comply with this Policy and its protocols. Violation of the Policy may subject the contractor to discipline by NIIEPA, and to criminal or civil liability.


9. Amendment and Announcement of the Policy
The Unit amends the Policy on an annual basis to fulfill new legal requirements and/or to reflect changes in organization and services. The amended Policy will be implemented by the Unit and released on the Website once it is approved by the NIIEPA CEO.

National Information Infrastructure Enterprise Promotion Association