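Rules and Regulations
National Yunlin University of Science and Technology: Guidelines for Information Security and Personal Data Protection Promotion Committee Setup
- Source: Library and Information Services Division, National Yunlin University of Science and Technology
- Date: 2025/04/16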
Approved in the 2nd Administrative Meeting of the 103rd Academic Year on October 21, 2014
Approved in the 3rd Administrative Meeting of the 109th Academic Year on November 10, 2020
Approved in the 4th Administrative Meeting of the 112th Academic Year on December 26, 2023
Approved in the 7th Administrative Meeting of the 113th Academic Year on March 25, 2025
1. To implement information security and personal data protection and management, the university has established the Information Security and Personal Data Protection Promotion Committee (hereinafter referred to as the "Committee") under the relevant regulations of the "Information Security Management Act" and the "Personal Data Protection Act Implementation Rules." These guidelines are set forth to regulate the committee's functions and operations.
2. The Committee is composed of the following members, appointed by the president: one vice president, the secretary general, the dean of academic affairs, the dean of student affairs, the dean of general affairs, the dean of research and development, the dean of international affairs, the dean of industry-academia cooperation, the director of the library and information services, the deans of all colleges, the director of the counseling center, the director of the continuing education center, the director of the language center, the director of the environmental safety and technology center, the director of the campus development center, the director of physical education, the director of the audit office, the director of human resources, the director of the accounting office, the director of the sustainability and social practice research center, the director of the precision instruments center, and the director of the general education center. The vice president serves as the convener (Information Security and Personal Data Protection Officer), and the director of the library and information services serves as the executive secretary (Information Security Officer/Data Protection Officer).
3. The responsibilities of the Committee are as follows:
(1) Review the university's information security and personal data protection systems.
(2) Supervise the inventory and risk assessment management of the university's information security and personal data.
(3) Supervise the education and training of information security and personal data protection.
(4) Review other planning and implementation matters related to the university's information security and personal data protection.
4. The Committee shall meet once per academic year and may convene extraordinary meetings if necessary. Relevant personnel from other departments may be invited to attend meetings.
5. The Committee establishes an Information Security and Personal Data Protection Task Force (hereinafter referred to as the "Task Force"), which is responsible for coordinating the planning of information security and personal data protection operations and may report to the Committee as needed. The Task Force may hold meetings as its work requires and may invite relevant department personnel to attend. The executive secretary of the Committee serves as the convener. Each administrative unit and college must appoint one person as a required member of the Task Force, who also serves as the information security and personal data protection officer for that unit. Other relevant personnel will be designated by the convener.
The tasks of the Task Force are as follows:
(1) Raising awareness of information security and personal data protection, led by the Library and Information Services Division, and assisted by the Human Resources Office, with the following duties:
- Promote the concepts of information security and personal data protection.
- Provide education and training on information security and personal data protection.
(2) Establishing information security and personal data protection systems, led by the Library and Information Services Division, with the following duties:
- Formulate information security and personal data protection policies.
- Formulate guidelines for information security and personal data protection management.
- Plan audit procedures.
- Select audit personnel.
- Conduct audit education and training.
- Execute audit plans.
- Establish a "Personal Data Protection Contact Point" for individuals to file complaints or requests for consultations regarding their personal data rights, which will then be forwarded to the relevant departments for handling.
- Develop emergency procedures for handling personal data breaches and information security incidents.
- Develop risk assessment and management procedures for information security and personal data.
(3) Consultation on compliance with laws and regulations will be assisted by the university's legal advisors and the Technology Law Advisory Center.
(4) Protecting information security and personal data is the responsibility of each department, with the following duties:
a. Implementing the information security and personal data protection management guidelines.
b. Documenting the operations of information security and personal data protection.
c. Regularly conducting information system and personal data inventory and risk assessment operations.
d. Participating in educational training.
e. Cooperating with internal audits on information security and personal data protection.
f. Cooperating with other tasks related to the university's information security and personal data protection.
6. These guidelines shall be implemented after being approved by the Administrative Meeting and ratified by the President. Any revisions will follow the same process.