NYCU Regulations on Information Service Usage Fees Management National Yang Ming Chiao Tung University Regulations on Information Service Usage Fees Management Approved by the 5th administrative meeting of the 2023 Academic Year (March 27, 2024) 1. The Information Technology Service Center (hereafter, the Center) of the National Yang-Ming Chiao Tung University (hereafter, the University) is dedicated to providing a high-quality environment for the use of information services, and to complying with the Information Security Management Act and the related regulations on intellectual property rights. Based on the principle of user fees, the Center has formulated the regulations. 2. The information service usage fees are used for system development, software and hardware purchases and maintenance, and related personnel employment for the Center's information services. 3. Service Charges: Charges vary based on the service. For annual services, fees are calculated yearly; for new applications, the annual fee is prorated monthly. The fees standards are listed as follows: (1) Google Workspace Cloud Storage and Value-added Services A. Teacher Personal Service Plan item Fee Standard Note Basic Plan (20GB) Free Advanced Plan (100G) NT$2000/year Cloud Storage Add-ons Available only for Advanced Plan Personal Storage Space NT$1000/year per 100GB Shared Cloud Storage Space NT$1000/year per 100GB B. School Unit Storage Space Plan Item Fee Standard Basic Plan (200G) Free Cloud Storage Add-ons NT$2000/year per 100GB   (2) Microsoft M365 Cloud Storage and Value-added Services Item Fee Standard Note Basic Plan (20G) Free Advanced Plan (40G) NT$2000/year Cloud Storage Add-ons Available only for Advanced Plan Personal Storage Space NT$2000/year per 100GB (3) VPS Virtual Host Services Item Fee Standard Basic Configuration (1CPU, 2GB Memory, 40GB Disk Space) NT$6000/year Value-added Services Memory Upgrade NT$750/year per 1GB Disk Space Upgrade NT$500/year per 50GB CPU Upgrade NT$1500/year per 1CPU (4) DNS Domain Server Maintenance Item Fee Standard Single Domain Name Annual Fee NT$1000/year Self-managed Domain Annual Fee NT$5000/year   (5) GPU Services Item Fee Standard Notes A6000 NT$4000 per unit per week 1GPU/8CPU/180G RAM/600GB storage P100 NT$2000 per unit per week 1GPU/4CPU/90G RAM/600GB storage Value-added Services Additional Memory NT$100 per GB per week Additional Hard Disk Storage NT$50 per 100GB per week Additional CPU NT$200 per CPU per week (6) Server Room Colocation Services A. Hosting for administrative units is free of charge. B. Charging of other units a Level 1 server rooms  Room 503, Library Information and Research Building, Beitou Campus  Room 105, Teaching and Learning Building, Beitou Campus  Server room on the first floor of the Information Technology Service Center, Guangfu Campus Items Fee Standard High-speed computing server (GPU、HPC) NT$10000 /1U /year General server (include NAS) NT$6000 /1U /year Network switches and other equipment NT$3000 /1U /year High energy consuming equipment NT$25000 /1U /year b Level 2 server rooms  B14, Shou-Ren Building, Beitou Campus  Server room on the 9th floor of the Hsien-Che Building, Boai Campus. Items Fee Standard High-speed computing server (GPU、HPC) NT$8000 /1U /year General server (include NAS) NT$4000 /1U /year Network switches and other equipment NT$3000 /1U /year High energy consuming equipment NT$20000 /1U /year c The reference standard for high energy-consuming equipment refers to the total power consumption of a single machine exceeds 2000 watts. (7) Website construction services i. NYCU WEB blogs are free of charge. ii. cPanel Web Platform Items Fee Standard Basic annual website fee NT$1500 /year Increase website space NT$600 /10GB/year iii. Campus website co-construction platform Items Fee Standard Remarks Basic annual website fee Administrative and teaching units NT$3000 /year First-level administrative units can apply for one website free of charge. Research centers NT$6000 /year Other websites NT$8000 /year Self-provided SSL certificate Fee waiver NT$1000 /year Increase website space NT$600 /10GB/year (8) Microsoft Server and SQL Server Software License Services Items Fee Standard Windows Standard NT$2000 / per IP /year Windows Datacenter NT$10000 / per IP /year SQL Standard NT$30000 / per IP /year SQL Enterprise NT$90000 / per IP /year 4. Service application: Please refer to various information service management guidelines for application objects and service application periods. 5. Usage Guidelines: (1) The applicant shall comply with the various information service management guidelines in using the services. Services are intended for campus administration, academics, and research only. Commercial use is prohibited. Users must adhere to the regulations on the use of the campus network of the University, the regulations on the use of the Taiwan Academic Network of the Ministry of Education, the information security management system of the Center, as well as the regulations on the use of the National Information Security Management Acts. (2) In the event of a major information security incident or a major violation of the above regulations, the Center may immediately suspend the service. If no effective improvement is made within the period, the Center has the right to terminate the service directly. 6. The regulations and revisions thereof shall come into effect after receiving approval from the Administrative Meeting.

NYCU Information Technology Services Center’s Campus-wide Announcement Emails Delivery Service Guidelines 1 National Yang Ming Chiao-Tung University, Information Technology Services Center’s Campus-wide Announcement Emails Delivery Service Guidelines Approved at the Information Technology Service Center Supervisory Meeting of National Yang Ming Chiao Tung University, held on April 11, 2023. 1. Target Applicants: Limited to administrative units, primary teaching units, and primary research centers. 2. Service Description: 1) This service is primarily for campus-wide announcements. 2) There are four groups of recipients of announcement emails: "All faculty, staff, and students", "All faculty and staff", "All students", and "All full-time teachers". 3) The content of the mail should be related to the administrative business and should be relevant to the majority of faculty, staff, and students. If it is an event, promotion, or lecture specific to a particular audience, please use the campus announcements system (the campus announcements system sends an email notification to faculties, staff, and students once a day). 4) This service only delivers e-mail messages to the NYCU email accounts of faculties, staff, and students of NYCU. 5) Except for emergency or special announcements, the same email content should only be sent once. 6) If there are regular courses or activities every month, please integrate the event content and apply for delivery once a month. 7) Due to differences in the receiving habits of each user, please do not treat this service as the only means of communication, thus avoiding important notices being missed by faculties, staff, and students. 8) Please refer to the Information Technology Services Center website for the application process and detailed information about the services. 3. Delivery Method: 1) Self-sending by the unit: a) If the unit requires a large number of announcement emails, they can assign a person in charge to apply for an account and permissions to send these messages individually. b) The person in charge of the unit can use the unit's group account to send complete emails to the recipient group. After the Information Center reviews and approves the request, the email will be sent to the recipient's mailbox. If the content of the email is incorrect or does not comply with regulations, the Information Center will reject it and notify the person in charge of the unit. 2) Sent by the Information Technology Center on behalf of the unit: a) If the unit's demand for announcement letters is small, they can apply for the Information Center to send them on their behalf. 2 b) Except for emergency announcements, please submit the application two days before the scheduled sending date. Same-day requests for same-day delivery will not be accepted. 4. Mail content specifications: 1) The email content must include a subject, body text, the person in charge, and contact information. Please provide both Chinese and English versions (including the subject) to serve foreign faculty and students. 2) The body text cannot consist of only images and links (it will be treated as junk mail or scam mail). 3) The entire email (including attachments) should not exceed 1MB in size, and attachments should be provided with related links as much as possible to save delivery efficiency. If attachments must be sent with the email, please provide them in ODF or PDF format. 5. These Guidelines shall be implemented after being approved at the Information Technology Service Center Supervisory Meeting, and the same shall apply for any subsequent amendment.

NYCU Regulations Governing Information System Security National Yang Ming Chiao Tung University Regulations Governing Information System Security Approved at the fifth Administrative Meeting for the 2020¬–2021 academic year on June 2, 2021. Approved at the first meeting for the Information Security and Personal Data Protection Promotion Committee for the 2021–2022 academic year on June 20, 2022. Amended at the first Administrative Meeting for the 2021–2022 academic year on September 14, 2022. 1. The National Yang Ming Chiao Tung University Regulations Governing Information System Security (hereinafter referred to as “the Regulations”) were established by National Yang Ming Chiao Tung University (hereinafter referred to as “the University”) to maintain the confidentiality, integrity, and availability of the University’s information systems and to prevent malicious intrusions. 2. Divisions that intend to operate self-developed public information systems shall submit system development security documents and vulnerability scan reports related to their systems to the IT Service Center (hereinafter referred to as “the Center”). Systems approved by the Center and deemed not to be of high or medium risk can be officially launched. For each system that does not meet the criteria, the Center shall provide a vulnerability verification report to the system management unit and notify the unit of improvements that need to be made before the deadline. 3. Divisions that intend to outsource the development of their public information systems should require the outsource party to deploy sufficient and properly qualified and trained cyber security professionals who hold cyber security professional licenses or have similar business experience, in accordance with Article 4 of the Enforcement Rules of Cyber Security Management Act 4. Divisions that intend to outsource the development of their public information systems should evaluate potential risks prior to commissioning contractors for the development of information systems. Additionally, each division should sign off on the appropriate information security protocols with each contractor to ensure that the contractor complies with the relevant information security regulations of the University and assumes full responsibility for such compliance. Please see the additional clauses to the contractual responsibility of contractors related to information security (Appendix 1). 5. During the contracted period, the system authority of the contractor should be adequately monitored and revoked immediately upon completion of the contract period. 6. Each division should implement regular reviews of their self-developed or commissioned information system based on the principles of classification and the defense standards stated in the Regulations on Classification of Cyber Security Responsibility Levels. 7. The main information system of each division must be protected by a firewall or other information security infrastructure to monitor data transmission and access in external and internal networks and to prevent intrusion and destruction, tampering, deletion, and unauthorized access within the system. In addition, the applicability of the control policies for the firewall should be regularly reviewed. 8. The Regulations shall be implemented after approval by the Administrative Meeting. The same rule shall apply to all subsequent amendments.  Appendix 1: Additional clauses to the contractual responsibility of contractors related to information security Article 1: Contractors granted access to the websites, information services, and system maintenance (hereinafter referred to as “IT services”) of National Yang Ming Chiao Tung University (hereinafter referred to as “the University”) must comply with the information security regulations of both the University and its competent authorities. Article 2　Information security requirements of contractors: (1) Contractors should provide the University with a vulnerability scan report and system development security documents for review before handing over IT services. The IT Service Center of the University (hereinafter referred to as “the Center”) retains the right to randomly perform vulnerability scans, the criterion for which no high or medium risk should be detected. Contractors are recommended to use credible software for vulnerability scanning, such as Nessus, OWASP-ZAP, OpenVAS, or Acunetix. (2) Contactors should attach documents related to information security when handing over IT services. These documents should include a vulnerability scan report and system development security documents. The system development security documents should include contents related to the information security control functions of the IT system, including password hashing, account management, access control measures, separate frameworks for websites and databases, risk analyses and countermeasures, code security assessment, system backups, and restoration plans. (3) Contractors shall be held fully responsible for the information security of the software and all digital documents (e.g., those stored on USB drives or hard disks) handed over to the University. Therefore, contractors should inspect for malicious entities (e.g., worm viruses, Trojan viruses, spyware) and covert channels before handing over software or digital documents to the University. For the handing over of IT services, contractors must clear all testing-related data before uploading the services to the relevant official online environment. (4) Contractors shall comply with the Cyber Security Management Act of Republic of China and the requirements specified in the Regulations and make improvements in any areas where the regulations have not been met before the deadline. Failure to make such improvements shall result in an official notification from the University stating that the IT service in question shall be blocked or taken down. Violations to the requirements shall be handled according to the disciplinary measures specified in the contract. (5) During the maintenance period, contractors must comply with the requirement of conducting annual vulnerability scan tests to ensure that the IT system is not at high or medium risk of violation. In addition, website services must be protected through data encryption and pass the test of the Center before registration under the domain of the University. (6) All IT services handed to the University shall be subjected to regular auditing, vulnerability scanning, and penetration testing throughout the quality assurance and service period. If any anomalies are detected, the Center may take information security countermeasures, including auditing, vulnerability scanning, and penetration testing. The costs incurred from any such countermeasures shall be paid in full by the contractor. (7) If a contractor is required to perform maintenance or management of the host computer from an external source, the contractor must first submit an application to the Center. After evaluation and approval of said application by the competent authority, the contractor shall be granted access. (8) After a contract has been closed or terminated, all information related to the University held by the contractor during the service period shall be deleted or disposed. In addition, contractor shall sign the Personal Data Return and Destruction Affidavit Letter, and records of all such instances of deletion or disposal shall be retained. (9) All IT services provided by contractors (e.g., software or system development) must implement version management. Additionally, IT services shall provide access management and access record retention functions in accordance with the regulations related to information security. (10) Contractors shall retain records pertaining to the handling of anomalies for the Center to review if necessary. (11) If any changes occur among the personnel responsible for system development, contractors shall actively contact the University and return any borrowed equipment, software, or operational authority to the University. Article 3　Information security responsibility of contractors: (1) All contractors who engage in or handle IT services shall sign a non-disclosure agreement or affidavit and uphold their responsibility to maintain confidentiality. (2) All contractors must comply with the Personal Data Protection Act of Republic of China and the University’s regulations related to personal data protection to ensure the security of the University’s data and personal privacy data (e.g., data related to any person’s name, date of birth, ID Card number, features, fingerprints, marital status, family information, educational background, occupation, health conditions, medical records, financial status, community activities, phone number, or residency). If the University suffers damage or loss as a result of operational negligence on the part of an employee of the contractor, the contractor shall be held responsible for the damage or loss incurred (including any data leaked from websites managed by the contractor). (3) Regarding the occurrence of information security events during the service period of a contractor, the contractor must immediately notify the Center or the relevant competent authority, propose emergency countermeasures, and comply with the subsequent handling procedure(s). (4) If any of the IT services delivered to the University by the contractor involves the use of systems or resources that are not developed by the contractor itself, it shall be marked as not self-developed content and provide the source and its proof of authorization. In case of infringement the legal rights (e.g., intellectual property rights) of a third party, the contractor shall be responsible for handling and bear all legal responsibilities. Article 4　Other precautions: (1) If a contractor turns over any IT services or products to a subcontractor or subcontractors for support, the contract must specify the authority–responsibility relationship between the contractor and the subcontractor (as detailed in the contract wording or specified in the contract appendices) to assure the overall deliverable level of service quality of the contractor is achieved. Subcontractors must also comply with the Regulations. (2) If contractors must bring laptops or portable data storage media (e.g., floppy disks, CD-ROMs, USB drives, external hard drives) to use in the Center’s Computer Center, they must first receive the approval of the accompanying personnel responsible, and any employees of the contractor must be registered on the visitor list of the Computer Center. The visitor list of the Computer Center shall be regularly reviewed by the relevant competent authority.

NYCU Guidelines on Computers and Internet Communication Usage Fees for Students National Yang Ming Chiao Tung University Guidelines on Computers and Internet Communication Usage Fees for Students Approved by the 1st interim administrative meeting of the 2021 Academic Year (July 20, 2022) Article 1 The Guidelines for Charging Students for Using Computers and the Internet (hereafter the Guidelines) were formulated in accordance with Announcement No. 0970167294C from the Ministry of Education. Article 2 The Guidelines were formulated by the NYCU Information Technology Service Center (hereafter the Center) to provide a high-quality, stable Internet usage environment and to promote respect for intellectual property rights and the use of legal software through the user pays principle. Article 3 Computer and Internet communication usage fees are used to support and pay for the network-related expenses of NYCU, software licensing fees, school administration systems, and information technology research and instruction, other uses must be approved by the President. Article 4 Payment methods: (1) All NYCU students, including those in a Master’s program or an Industrial Master’s program, shall be charged NT$1,000 each for each semester of use. The fee shall be paid with the student’s registration fee. However, those who fulfill the following conditions are exempt from this requirement: 1. Off-campus interns: No fees shall be applied for students in full-time off-campus internships. 2. Students with special needs: No fees shall be applied for students with low household incomes, indigenous students, students with severe physical or mental disabilities, and the children of such students. (2) Exchange students who are abroad and do not need to use software authorized by the university may apply for exemption from paying the fees. Article 5 The income and expenditure specified in the Guidelines shall be managed as a special fund under the category of “Computer and Internet Communication Usage Fees.” Article 6 The Guidelines and revisions thereof shall come into effect after receiving approval from the Administrative Meeting.

NYCU Domain Management Guidelines National Yang Ming Chiao Tung University Domain Management Guidelines Approved at the Information Technology Service Center Supervisory Meeting of National Yang Ming Chiao Tung University, held on April 9, 2022. Amended at the Information Technology Service Center Supervisory Meeting of National Yang Ming Chiao Tung University, held on May 2, 2022. 1. Purpose: To serve as the basis for the Information Technology Service Center (hereinafter referred to as “the Center”) measures for the operation and institutionalized management of the domain services of National Yang Ming Chiao Tung University (NYCU). 2. The scope of domain name application: (1) Domain name classification: 1. First-tier domains (1) Eligibility: A. Primary units including administrative units, colleges, departments, graduate institutes, and divisions. B. Interdisciplinary or interuniversity research centers. C. Research centers and committees approved by the University Council Meeting. D. Units that have been approved by the University Council or the Secretariat office to represent NYCU in external affairs. (2) Domain name format: ◯◯◯.nycu.edu.tw 2. Second-tier domains (1) Eligibility: Student or faculty clubs, laboratories affiliated with faculty members, conferences, short-term activities, and secondary units affiliated with primary administrative units. (2) Domain name format: Club ◯◯◯.club.nycu.edu.tw Laboratory ◯◯◯.lab.nycu.edu.tw Conference ◯◯◯.conf.nycu.edu.tw Short-term activities ◯◯◯.act.nycu.edu.tw Other affiliated units ◯◯◯.◯◯◯.nycu.edu.tw (Primary units) (3) The relevant activities of the laboratory or unit belonging to the department can also be applied under the domain of the original unit, for example, a laboratory of the Department of Computer Science can apply for the domain name ◯◯◯.cs.nycu.edu.tw or ◯◯◯.lab.nycu.edu.tw. (2) For the naming of domains and other types of records, the name must not contain information that is controversial, indecent, inappropriate, or suggestive of the aforementioned types of information. (3) A unit, conference, or event can only be assigned one name, which can be a domain name or subdomain name; the relevant unit can apply for a change if necessary. (4) Domain name conflict handling principle: Conflicts are handled on the basis of the “first come, first served” principle. In the case of a dispute, the Center shall mediate and adjudicate. 3. Subdomain management authorization: (1) Eligibility: Units with information service personnel who are able to perform control and management of subdomains independently. (2) Authorization classification and responsibilities: 1. Self-management of servers provided by the Center. (1) Subdomain name: Please apply for a domain name according to Provision 2 of these Guidelines. (2) The administrator must be a currently employed faculty member who can log into the management interface to perform management operations. The Center cannot retrieve any records that have been erased by mistake. (3) The administrator should accept the Center’s education and training in and assessment of operational management capabilities. (4) The administrator should fulfill the management responsibilities and proactively notify the Center to change the administrator account in the case of administrator alteration. 2. Self-established DNS (1) The unit should be equipped with two or more DNS servers for configuration. The DNS servers should support DNSSEC, and EDNS support is recommended. The administrator should fulfill system management responsibilities, and the Center shall not be responsible for authorized DNS server installation, maintenance, and other related matters. (2) DNS service information security regulations: A. Comply with the Information Security Law of the Executive Yuan and be subject to regular ISO audits and verifications. B. Be subject to the Center’s regular vulnerability scans and other security checks. C. If a high risk is detected through the vulnerability scan, the administrator shall be notified. If the problem is not corrected within 1 month following the issuance of the notification for improvement, the unit supervisor shall be notified. If the problem is not corrected within 1 month following notification of the unit supervisor, the authorized domain shall be withdrawn. 4. Service application: (1) Application method: Please go to the DNS service application system (https://dnsreg.nycu.edu.tw/) and provide the relevant information to facilitate the completion of the online application process. (2) One contact person must be assigned for each domain name and must be approved by the unit director or advising professor. (3) Application for modification: 1. An application for modification should be submitted by the applicant. 2. Please submit the modification application using the DNS Service Application System at https://dnsreg.nycu.edu.tw/. 5. These Guidelines shall be implemented after being approved at the Information Technology Service Center Supervisory Meeting, and the same shall apply for any subsequent amendment.

NYCU Guidelines for Computer Classroom Management in the Information Technology Service Center National Yang Ming Chiao Tung University Guidelines for Computer Classroom Management in the Information Technology Service Center Approved at the 7th Administrative Meeting of the 2021 Academic Year (April 27, 2022) Article 1 The NYCU Information Technology Service Center (hereafter the Center) established the Guidelines for Computer Classroom Management in the Information Technology Service Center (hereafter the Guidelines) to maximize the benefits of its software and hardware equipment and thereby provide NYCU students with a satisfactory information-related learning environment and tools. Article 2 For venue information: Refer to the computer classroom service description on our website. Article 3 Regulations for reserving the classroom: (1) Applicants: NYCU faculty and students, participants or organizers in computer-related on-campus courses and activities, participants or organizers in computer-related courses offered by off-campus partners. (2) Venue fees: Applicants Fee plan Other Classrooms Computer Classroom 4 Classroom 401, Library, Information and Research Building Notes On-Campus Individuals or Organizations Hourly 1000 1500 2000 No charge is applied for reserving the classrooms for information-related courses listed on the Academic Affairs Office class schedule or for free administrative business courses promoted by NYCU administration. All other courses and activities must pay a fee in accordance with the specifications listed on the left. Available plans Half day/ Nighttime 3000 4500 6000 Full day 6000 9000 12000 Full day + Nighttime 8000 12000 16000 Off-Campus Individuals or Organizations Hourly 2000 3000 4000 All off-campus individuals and organizations must pay a fee in accordance with the specifications listed on the left. Available plans Half day/ Nighttime 6000 9000 12000 Full day 12000 18000 24000 Full day + Nighttime 16000 24000 32000 Article 4 Hours of operation The same as the hours of operation of the Center (applications for use during the holidays are accepted on a case-by-case basis). Article 5 Reservation prioritization: (1) Information-related courses listed on the Office of Academic Affairs class schedule. (2) Information-related courses hosted by on-campus organizations. (3) Information-related courses hosted by off-campus organizations. Should time conflict or other schedule coordination problems related to reserving the classroom occur, the Center reserves the right to make a final decision on the matter. Article 6 Reservation application procedures (1) Download the Classroom Reservation Application Form from the Center’s website. Fill in all fields in detail. Submit the application 7 days prior to the intended reservation date if any special equipment or software is required. (2) Submit the completed application form to the front desk of the Center for processing: 1. Yangming Campus: Classroom 509, Library, Information and Research Building 2. Chiaotung Campus: 1F, Information Center (3) Payment instructions: 1. No fee is required for information-related courses listed on the Office of Academic Affairs class schedule and for free administrative business courses promoted by NYCU administration for reserving the classroom. 2. For other information-related courses or activities, after the fee is calculated by the Center, payments can be submitted to the Cashier Division of the Office of General Affairs and the application form and receipt should be submitted to the front desk of the Center. 3. Failing to complete a payment within 3 days of the intended reservation date will result in the cancellation of the applicant’s reservation. Article 7 Refund procedures: (1) A full refund will be granted for cancellations prior to the date of reservation. However, if software installation has been entrusted to the Center in advance, a 20% maintenance fee will be deducted from the refunded amount. No refund will be granted for cancellations on the date of reservation. (2) To obtain a refund, the applicant should bring the original copies of their receipt and account information to the front desk of the Center. Article 8 Computer classroom use regulations Individuals and organizations reserving the computer classroom must abide by the following regulations: (1) To ensure the classroom remains quiet and clean, foods, drinks, smoking, loud noises, and leaving garbage behind are forbidden in the classroom. (2) Deliberate damage to or theft of machinery and equipment is forbidden. (3) Inappropriate use of the computers, such as for gaming or watching pornography, is forbidden. (4) Accessing, using, or copying illegal software or sound or video files that violate copyrights is forbidden. (5) The front desk should be notified of any problems encountered when using the computer facilities of the Center. Computer devices and peripherals should not be moved or dismantled without authorization. Individuals who cause loss of or damage to equipment due to misuse are subject to liability. (6) To protect intellectual property rights, downloading or installing unauthorized software on the classroom computers is strictly forbidden. (7) Installing software is forbidden without the permission of the Center. (8) After the classroom reservation period is finished, the classroom should be restored to its original state. (9) Users of the classroom should safeguard their personal belongings. The Center is not responsible for safeguarding them. Article 9 The Regulations and revisions thereof shall come into effect after receiving approval from the Administrative Meeting.

NYCU Campus Wireless Network Service Management Guidelines National Yang Ming Chiao Tung University Campus Wireless Network Service Management Guidelines Approved at the Information Technology Service Center Supervisory Meeting of National Yang Ming Chiao Tung University, held on January 7, 2022. 1. Purpose In response to the popularization of wireless network devices and the demand for diversified online teaching, National Yang Ming Chiao Tung University (hereinafter referred to as “the University”) has established this guideline to promote the institutionalization of campus wireless network service management, to assist all teachers and students in conducting teaching and academic-related research using network mobility services, and to achieve the effective use of resources. 2. Principles of wireless network establishment (1) To avoid the mutual interference of wireless network signals that affects the quality of use, the University uses a wireless central controller to manage the campus wireless network service. If any equipment affecting the operation of the service is identified, the University may take improvement measures to ensure the usage quality of the campus wireless network. (2) The University only installs and maintains the campus wireless network in some public areas, including the large international conference halls, student dining halls, campus outdoor public hotspots, and classroom areas. (3) Hotspot areas and public spaces of each unit may apply for wireless network services to be established if the following conditions are met: Unit Use of space Remarks 1. Teaching unit Meeting room (open to the public) Must have more than 20 seats 2. Teaching unit Common research room/reading room of the department Must have more than 30 seats 3. Teaching unit Hotspot (indoor public rest space) Must have more than 30 seats 4. Administrative unit Used for service purposes The peak number of users must be 20 users per day 5. Administrative unit Meeting room Must have more than 20 seats 6. Student dormitory Study room Must have more than 30 seats 7. Student dormitory Hotspot (indoor public rest space) Must have more than 30 seats If the requesting unit does not meet the scope described in the list when applying for the campus wireless network service, the University shall provide a wireless access point license and technical assistance, and the remaining installation and maintenance costs (such as the wireless access point, PoE switch, and wiring installation) shall be paid by the requesting unit. (Note: The wireless access point model purchased by the requesting unit must be compatible with the University’s wireless network controller). (4) The Information Center shall mark relevant areas with the logo “National Yang Ming Chiao Tung University Wireless Network Service Area” to indicate that the Information Center is responsible for maintaining the quality of the service. (5) The University has the right to dynamically change the campus wireless network service area according to the demand for the wireless network service. 3. Application and management principles of wireless access point authorization (1) Eligibility: Units not included in the scope of services described in Provision 2 of this guideline that intend to be included in campus wireless network control for the purpose of teaching and research. (2) Application process: The requesting unit must complete the “Information Service Application Form” according to the actual scope of use, including information on space location, usage, and purpose, and submit the application to the Information Technology Service Center after the department/college supervisor has approved the application. (3) Management principle: If the authorized wireless access point is not used within 6 months after verification by the monitoring system, the authorization for the wireless access point shall be withdrawn, and a new application must be submitted when the need arises. (4) The requesting unit can purchase a wireless access point license that conforms to the University’s wireless network controller and request the University assist in its maintenance and management. 4. Wireless network service targets and usage instructions The University offers the following four authentication methods (for details, please refer to the instruction on the Information Technology Services Center website): (1) NYCU: Students, faculty members, and staff can use their personnel ID or student number for personal authentication for the campus wireless network service. Users are required to keep their account IDs and passwords secure to avoid unauthorized use by others. (2) NYCU-Seminar: To apply for a shared account for the campus wireless network service for academic seminars and activities, host or co-host organizers must complete the “Information Service Application Form” and submit the application with the approval of the department/college supervisor. (3) NYCU-Guest: Temporary accounts are available for off-campus visitors, with access granted through SMS. For information security and convenience reasons, the University only provides web browsing service for visitors. (4) eduroam: Staff, students, and alumni of the University can use their personnel ID or student number for authentication. Because the interuniversity roaming service has an access service for the connection unit of the roaming centers of other universities, for information security reasons, only web browsing service is provided. 5. Wireless network maintenance and abnormal usage response guidelines (1) If a user experiences usage problems within the wireless network service scope, as detailed in Provision 2 of these Guidelines, the user can report the problem to the University’s Information Center, and the Information Center shall provide subsequent assistance to resolve the problem. (2) If a wireless network service area is to be established in any university building, the following requirements must be met: 1. The SSID setting must be different from the campus wireless network SSID (e.g., NYCU, NYCU-Seminar, NYCU-Guest, and eduroam). 2. If the private wireless access point has affected the use quality of the campus wireless access point in the building, the University or the unit’s network administrator has the right to request the relevant user to make improvements or to remove the private wireless access point entirely. 3. If the private wireless access point is involved in an information security incident, the user must adhere to the University’s processing and investigation process. If the situation cannot be resolved, the University also has the right to request the relevant user to remove the private wireless access point. (3) If abnormal usage occurs in the environment of a private wireless access point, the user must contact the network administrator of the unit first to solve the problem by themselves. If the network administrator of the unit cannot solve the problem, the unit can report to the Information Center of the University for assistance. 6. Use of the campus wireless network must comply with “National Yang Ming Chiao Tung University Campus Network Use Regulations.” 7. These guidelines shall be implemented after they have been approved at the Information Technology Service Center Supervisory Meeting and sent to the President for approval, and the same shall apply for any subsequent amendment.

NYCU Enforcement Rules of Personal Data Protection National Yang Ming Chiao Tung University Enforcement Rules of Personal Data Protection Passed on September 28, 2021, at the 1st meeting of the Information Security and Personal Data Protection Committee for the 2021–2022 academic year 1. To regulate the collection, processing, and use of personal data; promote the reasonable use of personal data; and prevent the theft, tampering, damage, loss, and leakage of personal data, National Yang Ming Chiao Tung University (NYCU) hereby establishes the National Yang Ming Chiao Tung University Enforcement Rules of Personal Data Protection. The enforcement rules were formulated in accordance with NYCU’s Regulations Governing Information Security and Personal Information Protection. 2. Terminology definitions: A. Personal data: Information such as the person’s name, date of birth, ID Card number, passport number, features, fingerprints, marital status, family information, education background, occupation, medical records, healthcare data, genetic data, sex life information, health examination results, criminal records, contact information, financial conditions, and social activities that can be used to directly or indirectly identify the individual. B. Personal data files: Person data file are files stored in paper or electronic format. Electronic personal data files include files and information system database files stored in personal computers. 3. All units shall assign staff members to serve as personal data protection staff, who are responsible for managing and compiling the personal data files of the unit. These files may be subject to subsequent audits. 4. Personal data file content that is inspected: A. At least once a year, all units shall perform personal data inspections, personal data updates, and risk assessments by using the personal data inspection checklist provided by the IT Service Center. B. Personal data file inspections are conducted to identify high-risk personal data. Such data may include: (1) Special personal data as defined in the Personal Data Protection Act (2) Personal financial information (3) ID Card number (4) Information that reveals an individual’s vulnerable status (5) Detailed descriptions of personal characteristics (6) Information that negatively affects an individual C. Personal data file inspections include inspections of items such as data usage and data flow. D. Personal data file risk assessments evaluate the importance of reference materials and examine and assess the security risks of current data and the risks of such data being used in acts that violate the law. 5. During the collection, processing, or use of personal data, appropriate notification methods shall be applied unless otherwise stipulated by the law. When personal data are used for purposes other than that for which they were obtained, a check shall be conducted to determine whether the written consent of the parties involved for such use has been obtained, whether such use improves public welfare, or whether such use benefits the rights and interests of the parties involved. The following is a list of the types of information that shall be conveyed to the parties involved: A. Names of schools or institutions B. Purpose of information collection C. Personal data type D. The time, locations, targets, and methods pertaining to the use of personal data E. The parties involved are exercising their rights to collect, process, or use personal data in accordance with Article 3 of the Personal Data Protection Act. F. The possible infringement of the parties’ rights and interests if they choose not to provide personal data. 6. The personal data (e.g., medical records, healthcare data, genetic data, sex life information, health examination results, and criminal records) of an individual that can be used to directly or indirectly identify the individual shall not be collected and processed unless the consent of the individual has been obtained or the law stipulates otherwise. If the personal data of an individual are used for academic purposes, the data shall be properly handled such that they cannot be used to identify the individual. 7. Units that use information systems or cloud information services (e.g., questionnaire survey services that use Google Forms and Microsoft Forms) for administrative purposes that involve the collection of personal data shall pay attention to the following: A. Data collection minimization: Only appropriate, relevant, and necessary personal data that meet the established objectives for data collection can be collected. During the processing and use of such data, they may not be used outside the scope of the established objectives, and data processing and use shall correspond to the objectives of data collection. B. Access control: Attention shall be paid to file access authorization settings, and the principle of least privilege shall be adopted. That is, a user is only granted the authorizations necessary for completing their assigned tasks and completing objectives. C. A user who uses cloud information services shall read the setting content carefully and refrain from jointly editing personal data files with another individual. Additionally, a user shall refrain from granting to another individual the authorization to view the responses of other individuals (e.g., they shall not check the “Show summary charts and responses of others” box) to prevent other users from accessing user data, thereby causing a personal data leakage. Prior to the release of any information services, relevant settings shall be checked, operational tests shall be performed. D. Transmission confidentiality: Internet transmission shall be encrypted using HTTPS and TLS version 1.2 or newer. E. Data storage security: During the collection of personal data or other sensitive personal data as defined in Article 6 of the Personal Data Protection Act, such data shall be stored in an encrypted form. F. To avoid personal data leakage, a personal data storage period shall be set and collected personal data shall be deleted or destroyed at the end of the storage period or when the related operations have been completed. 8. All units shall assign specific staff members to manage and maintain the personal data stored in shared computers or automated equipment. 9. For non-routine operations or cross-unit data circulations that are being performed for the first time, a unit shall fill out the Data Usage Application form. 10. For the saving, transmission, and backing up of personal data that require encryption, appropriate encryption mechanisms should be adopted during the collection, processing, or use of such data. For information that is intended for the parties involved, care shall be taken to ensure that the files containing such information do not contain the personal data of any uninvolved parties and that the information is provided to the correct data recipients. Hence, provision of information to unrelated individuals can be avoided. 11. If a written document or website announcement made by a unit contains the ID Card number of an individuals, the last 4 digits of the number must be concealed. 12. Personnel who process personal data shall use the email system provided by NYCU to transmit and encrypt these personal data files. They are prohibited from transmitting or disclosing personal data files through tools other than those provided by NYCU (e.g., instant messaging software, external web-based electronic devices [e.g., Webmail], peer-to-peer [i.e., P2P] software, Tunnel-related tools, cloud storage tools [e.g., Dropbox], social networking sites, blogs, public forums, and other Internet forms). 13. A user shall destroy the personal data stored in media such as paper, floppy disks, magnetic tapes, CD-ROMs, microfilms, and integrated circuit chips when the media are disposed of or used for other purposes. The user shall also fill out the Personal Data Destruction Record or Personal Data Transfer Termination Record. 14. During the collection, processing, and use of personal data, a trustor shall specify in a procurement contract the monitoring, information-security clauses, confidentiality, and disposal clauses that pertain to breach of contract. Additionally, a trustor shall manage the authority of outsourced and external personnel to access information and introduce personal data management processes. After a period of entrustment, a trustor shall return the accessed personal data to NYCU and sign the Affidavit for the Return and Destruction of Personal Data. 15. Appropriate monitoring measures shall be taken during the collection, processing, and use of the personal data provided by a trustee: A. The scope, type, objective, and duration of collecting, processing, or using a trustee’s personal data shall be determined. B. Appropriate security and maintenance measures shall be taken by a trustee. C. When a trustee is appointed for a re-entrustment, the appointed trustee shall be identified. D. When the Personal Data Protection Act or contractual terms have been violated or breached, a trustee shall take remedial measures to resolve the issues disclosed by a trustor. E. Issues not disclosed by a trustor to a trustee. F. When an entrustment relationship is terminated or rescinded, a trustee shall return the personal data of a trustor and delete the personal data that were stored. 16. Technical management measures: A. Authentication mechanisms (e.g., account names and passwords) should be applied to computers, related equipment, and systems. A password should contain both uppercase and lowercase English letters and numbers and at least 8 digits. A password must be changed regularly, and the effectiveness of the authentication mechanisms must also be tested regularly. B. Antivirus software must be installed on computers, and virus patterns must be updated in real time. C. A computer operating system shall be maintained and updated, and the necessity of updating application software shall be evaluated. D. Screensaver and password lock prompts shall display within 15 minutes when a computer is idle. E. No file sharing software shall be installed on computers that control user access. F. The usage status and personal data access status of information systems that process personal data shall be checked regularly. G. A unit shall implement the necessary access controls on the basis of its work content, work environments, the personal data type and quantity that are involved, and it shall manage personal data storage media in appropriate locations and by applying the appropriate methods. 17. The following records should be maintained to allow for an inspection of personal data protection to be conducted: A. Personal data delivery and transmission records. B. Personal data accuracy records and revised records. C. Records of parties exercising their rights. D. Records of changes to the authority of affiliated personnel (i.e., adding, changing, or removing their authority). E. Records of personal data deletions, destructions, and transfers. F. Records detailing the prevention, reporting, and processing of personal data protection incidents. G. Records of backups and restoration tests. 18. All units shall follow internal audit schedules and fill out the personal data management internal audit checklist. 19. The staff of all units shall complete the relevant education and meet the training hour requirements imposed by the competent authority. 20. These enforcement rules are in effect after they are passed at the meeting of the Information Security and Personal Data Protection Committee; the same shall apply to any amendments hereto.

NYCU Operating Procedure for Suspected Infringement of Intellectual Property Rights on Campus National Yang Ming Chiao Tung University Operating Procedure for Suspected Infringement of Intellectual Property Rights on Campus Approved in the management meeting of the NYCU Information Technology Service Center on July 30, 2021 Article 1 Objective In the current era of information and communication technology advancement, computers, the Internet, and technology have brought convenience to people’s daily lives. Most people use digital methods to input, collect, process, store, and use data. The ubiquity of digital data has made computers and the Internet both the target and tools of criminal activity. To protect the works and research of NYCU from being stolen, suspected infringements must be urgently addressed. The NYCU Information Technology Service Center (hereafter referred to as “the Center”) herein stipulates the procedure for dealing with such incidents to ensure the protection and management of the intellectual property rights of NYCU. Article 2 Principles of fair use of online intellectual property rights The use of computers and the Internet is governed under the regulations of Copyright Act. All information, including texts, pictures, animations, audio materials, videos, and computer programs, transmitted online are protected under the Copyright Act. Therefore, Internet users must be aware of the regulations of the Copyright Act. The actions of accessing and using information online through browsing websites is justifiable. However, Internet users must note that behaviors, including uploading, downloading, reposting, forwarding, pasting, editing, transmitting, printing, modifying, and scanning, are strictly regulated under the Copyright Act. When online operators or managers intend to upload publicly accessible information, they must pay attention to whether the sharing of the work is authorized by the copyright owner. Because uploading involves storing information on a hard disk drive of an online server, this act involves the reproduction of the information, thereby constituting the possible infringement of copyright. Article 3 Scope The present procedure applies to all the faculty and students of NYCU. The scope includes administrative units, academic units, dormitory networks, research centers, the Center for Industry–Academia Collaboration, and NYCU FTTB. Article 4 Project work 1. Sessions for promoting intellectual property rights (twice per year) Lawyers or legal scholars are invited to promote relevant laws. The foci of such promotion sessions are topics related to the “use of online intellectual property rights” and “infringement behavior and legal responsibility in the use of P2P software.” The target audience is the faculty and students of NYCU. 2. Intellectual property rights quizzes with prizes (annually) Online quizzes with prizes are established to enhance students’ understanding of intellectual property rights. The quiz items include topics related to the Copyright Act, Patent Act, Trademark Act, and Trade Secrets Act. The items shall relate to daily scenarios. The target audience is the faculty and students of NYCU. Article 5 Procedure for handling the suspected infringement of intellectual property rights on campus 1. The Center receives reports of suspected cases of the infringement of intellectual property rights. The report sources include the Ministry of Education TANet suspected infringement of intellectual property rights reporting website, letters from the police, reports from the Department of Information and Technology Education, and reports from other units outside NYCU. 2. The Center identifies the unit associated with the given internet protocol (IP) address (including administrative units, academic units, dormitory networks, research centers, the Center for Industry–Academia Collaboration, and NYCU FTTB). 3. The Center reports the suspected infringement to the primary supervisors and information security managers of the Center. 4. The Center submits a report to the primary supervisors or network engineers of the relevant unit. 5. The Center composes and submits an official letter to the relevant unit for collaborative processes. 6. The relevant unit identifies the IP user and the host location and reports the case to the advisor or laboratory director. 7. The IP may be blocked immediately depending on the severity of the case, and the digital evidence is preserved. 8. The Center supports the relevant unit in engaging in internal investigation, evidence collection, evidence preservation, evidence examination, and evidence analysis. 9. After the investigation process, the IP user must be informed that their behavior infringes on intellectual property rights. If the user admits to violating intellectual property rights, they must complete the Reply Form for Processing the Infringement of Intellectual Property Rights and sign an affidavit of confession of judgment. 10. If the user denies violating intellectual property rights, the unit network engineer shall record, preserve, and submit the evidence to prosecutors for further processing. 11. If the reported IP address is confirmed to be associated with the infringement of intellectual property rights, the user of the address who violates NYCU Campus Intellectual Property Rights Regulations for the first time and whose infringement is considered to be mild shall have their IP address blocked for 2 weeks. Recurrent infringement shall lead to the blocking of the IP address for 1 month, and the violator shall be punished according to National Yang Ming Chiao Tung University Student Reward and Punishment Guidelines. 12. If any illegal behavior is involved, the Center shall support the relevant unit in preserving and submitting relevant investigation evidence and records to prosecutors for further processing. The court shall summon the user for interrogation. Article 6 Internet use must comply with NYCU Campus Network Use Regulations (approved in the fifth administrative meeting in the academic year of 2020 on June 2, 2021) Internet users shall respect intellectual property rights and must not engage in any of the following behaviors: 1. Using unauthorized computer software. 2. Illegally downloading and replicating works protected under the Copyright Act. 3. Uploading copyrighted works on publicly accessible websites without the consent of the copyright owner. 4. Arbitrarily reposting articles from online forums in which the author clearly states that reposting is prohibited. 5. Using websites or P2P tools to make copyrighted works publicly accessible. 6. Engaging in other behaviors relating to the infringement of intellectual property rights. Article 7 According to ISO27001 Information Security Management, the Center shall provide security examination record forms for all units of NYCU. In each semester, the Center cooperates with unit-affiliated network engineers to audit information security and intellectual property protection measures without a fixed schedule.

NYCU Campus Network Use Regulations National Yang Ming Chiao Tung University Campus Network Use Regulations Approved at the 5th Administrative Meeting of National Yang Ming Chiao Tung University, held on June 2, 2021. 1. To ensure the campus network can support teaching, research, administrative, and online learning activities, to promote respect for the rule of law, and to provide a basis for Internet users to follow, National Yang Ming Chiao Tung University (hereafter referred to as “the University”) has established the Campus Network Use Regulations (hereinafter referred to as “the Regulations”) in accordance with the “Campus Network Use Regulations” issued by the Ministry of Education. 2. Internet users must avoid the following behaviors, which may constitute the infringement of intellectual property rights: (1) Use of unauthorized computer programs. (2) Illegal downloading and copying of works protected under copyright law. (3) Uploading of protected works on a public website without the consent of the copyright owner. (4) Arbitrary reproduction of articles that have been expressly prohibited from being reproduced by the author on social media, bulletin boards (BBS), or an online discussion forum. (5) Establishment of website for the illegal downloading of protected works by the public. (6) Performance of other actions that may involve the infringement of intellectual property rights. 3. The abuse of the network is prohibited, and the network users are not allowed to engage in the following behaviors: (1) Spreading of computer viruses or other programs that interfere with or disrupt the functionality of the system. (2) Unauthorized interception of network transmission messages. (3) Unauthorized use of network resources through hacking, stealing, or unlawfully accessing other users’ accounts and passwords. (4) Lending of your account to someone else for no reason, or disclosure of someone else’s account and password for no reason. (5) Hiding of accounts or use of fake accounts. This does not apply to anonymous users who have been given express authorization for such actions. (6) Viewing of others’ emails or related computer information. (7) Misuse of network resources in any way, including the mass transmission of advertisements, chain letters, or useless information through e-mail, the flooding of mailboxes, and the plundering of resources, with the purpose of affecting the normal operation of the system. (8) Dissemination of fraudulent, defamatory, insulting, obscene, disturbing, or illegal software transaction information or other illegal information through e-mail, online chat, BBS, or similar means. (9) Engagement in nonteaching and non-research-related or illegal activities using campus network resources. (10) Disclosure of official, confidential information. 4. To implement procedures described in these regulations, the division of labor and management of network-related matters are as follows: (1) The University’s perimeter network and backbone network connecting each unit are managed by the Information Technology Service Center (hereinafter referred to as “the Information Center”). (2) The internal network of each unit (including teaching, administrative, and non-establishment units) shall be managed by the unit. A management mechanism shall be established for the allocation and use of internal network addresses. (3) Each unit shall assign network management personnel to provide network management services within the unit. The scope of the power and responsibilities of network management personnel is as follows: 1. The IP address of each unit must be applied for by the unit’s network management personnel through completion of the “Information Service Application Form.” Applications for IP addresses must be submitted to the Information Center for review after the applying unit’s network administrator has compiled all of the unit’s completed application forms. 2. The network management personnel of each unit are responsible for the allocation and management of the issued IP addresses, and accurate user information such as the name, unit, location, contact number, and mailbox of the IP users must be logged. Updates of information must be provided in the case of any change. 3. If the network management personnel of a unit change, the “Network Management Personnel Change Notice” form must be completed to notify the Information Center to update network management personnel information. The form must also be given to the network management work unit to facilitate network maintenance. 4. For IP addresses with special purposes (e.g., for a server, NAT router, or experimental test host), an application must be submitted. The “IP Whitelist Application Form” must be completed, and the information must be logged accurately. 5. The responsibility for managing and promoting Internet use and related regulations must be fulfilled. 6. Personnel must attend the network management staff meeting held by the Information Center. 7. Personnel must participate in information security training and pass network management and information security inspections every academic year. 8. The “Information Security and Intellectual Property Rights Management Inspection Record Form” must be completed regularly. (4) The Information Center has the right to redistribute the IP addresses of each unit according to the actual usage rate of each unit’s IP addresses. (5) To ensure the proper allocation of network resources, the management unit has the right to appropriately segregate and control network traffic. (6) For users who consume a large amount of network resources for no reason or who exhibit abnormal network traffic that affects the normal operation of the network, the management unit may activate traffic control measures or suspend the user’s right to Internet use. The network connection shall only be restored after confirmation that the user’s Internet usage behavior has normalized. (7) All types of application servers (including electronic BBS and websites) shall be managed and maintained by dedicated personnel. The personnel in charge may suspend a user’s right to use a website if the user violates the rules of website use. (8) If users identify any defects or loopholes in system security, they should notify the management unit as soon as possible. (9) To reduce security threats to the University’s information system, traffic from the off-campus network (not an internal IP address of the University) shall be blocked, except for those services that are already open to the public. If other open services are required, an application must be submitted. (10) Restricted internal administrative campus information systems are to be linked and accessed only from internal campus IP addresses or through the University’s virtual private network. (11) The use of P2P software is prohibited in principle on the campus network, but applications may be submitted if such software use is required for academic, teaching, and other special activities. However, if the use of P2P software affects the campus network service, such software shall be blocked. (12) The Information Center shall provide a security checklist for use by all units on campus and shall conduct information security and intellectual property protection audits each semester with the cooperation of the respective network administrators. 5. Internet users must be aware of any suspected security threats to ensure the safety of Internet use. All information security incidents reported through the Ministry of Education Information and Communication Security Contingency platform and official correspondence shall be handled according to the following principles: (1) If the IP address reported through the information security notification platform of the educational institution is verified, and if the violation is minor, the IP address shall be blocked for 2 weeks; if the violation is more serious or a repeated violation, the IP address shall be blocked for 1 month, and a punishment in accordance with the University’s reward and punishment regulations shall be administered. (2) In the case where an official letter is sent by the prosecutor or police, the University does not have the authority to investigate the case. Hence, if the University perceives a need to investigate the case, it shall request the prosecutor or police officer to provide a search warrant to ensure the University’s cooperation with the investigation. 6. Users who violate the network usage rules shall be disciplined according to the following conditions: (1) For a user who presents an immediate threat or disruption to network use, the network connection of the user exhibiting abnormal activity shall be blocked immediately, and the network administrator or the supervisor of the unit to which the user is affiliated shall be notified. The user or the unit’s network administrator must report the situation to the Information Center within 1 week of noticing or receiving notification of the problem. After confirming that the problem has been resolved, the Information Center administrator shall lift the network ban. (2) For a user who does not present an immediate threat or disruption to network use, the user or the network administrator of the unit to which the user is affiliated shall be notified of any abnormal usage behavior. The network management personnel must complete the investigation, counseling, and improvement or the disposal of the notification report within 3 days after receiving the notification and report to the Information Center regarding the handling of the situation. If details of ongoing procures to rectify the situation are not sent to the Information Center within another 3 days, the Information Center may block the network connection of the user exhibiting abnormal activity. 7. Network administrators should respect personal privacy rights and may not arbitrarily view users’ personal data or violate their right to privacy, except in one of the following situations in which device administrators or users must cooperate in providing necessary system permissions: (1) For the maintenance or inspection of system security. (2) To obtain evidence or investigate misconduct on the basis of reasonable suspicion of a violation, as detailed in Article 2 and 3 of these Regulations (regarding respect for intellectual property rights and the prohibition of abuse or interference with network systems). (3) For cooperation with the investigation of the judicial authorities, if an off-campus unit must investigate a crime, the chief secretary of the University should be notified in advance, and the relevant legal letter (credentials) should be presented. After receiving notification from the University Secretariat, each unit shall provide relevant information in accordance with the “Guidelines Governing the Cooperation of Taiwan Academic Network Connection Units to Prevent Cybercrime,” “Personal Data Protection Act,” and “Civil Servant Work Act.” (4) To obtain relevant information to facilitate timely prevention of and rectifying measures in the case of an emergency (e.g., major changes in life or property). (5) To perform other actions in accordance with the laws of Taiwan. 8. Internet users who violate these regulations shall be subject to the following penalties: (1) Temporary suspension of network resources (IP blocked for 1 week). (2) In serious cases, the suspension of Internet resources shall be extended, and the student shall be punished in accordance with the University’s regulations and related reward and penalty regulations. (3) In the event that the user being penalized in accordance with the preceding two articles commits another law violation, the perpetrator shall be held legally responsible in accordance with Taiwan’s civil laws, criminal laws, copyright laws, or other relevant laws and regulations. 9. These Regulations shall be implemented after their approval at the University’s Administrative Meeting, and the same shall apply for any subsequent amendment.

NYCU Regulations Governing Information Security and Personal Information Protection National Yang Ming Chiao Tung University Regulations Governing Information Security and Personal Information Protection Approved at the fifth Administrative Meeting for the 2020–2021 academic year on June 2, 2021. 1. To maintain information security and protect personal information, National Yang Ming Chiao Tung University (hereinafter referred to as “the University”) established the National Yang Ming Chiao Tung University Regulations Governing Information Security and Personal Information Protection (hereinafter referred to as “the Regulations”) to enhance security management for information assets; ensure the confidentiality, integrity, availability, distinguishability, and non-repudiation of these assets; and support faculty and students in ensuring the protection of their personal information with respect to the application of information systems to meet specific operation demands. 2. The Regulations, including ancillary requirements established based on them, were created by referencing the Cyber Security Management Act, the Personal Data Protection Act, the Copyright Act, and the Classified National Security Information Protection Act; information security management regulations established by the Executive Yuan and affiliated agencies; Directions Governing Information Security in Educational System; and other relevant regulations and standards. 3. The Regulations apply for all informational assets and information users associated with the University. Information users must adhere to the Regulations; those who violate the Regulations shall be penalized according to relevant laws. 4. The Vice-President of the University shall be appointed by the President to serve as the Information Security Manager and shall be responsible for supervising the implementation of information security and personal data protection policies in the University. Additionally, an executive secretary shall be appointed to assist the Information Security Manager in this regard. 5. To ensure that the information security and personal data protection tasks of the University are executed, an Information Security and Personal Data Protection Committee (hereinafter referred to as the “the Committee”) shall be established as an interdisciplinary division. The Committee is responsible for the planning, coordinating, and drafting of information security and personal data protection policies and plans, as well as resource allocation and the execution of relevant tasks. The Committee members shall comprise the Vice-President, Secretary General, Dean of Academic Affairs, Dean of Student Affairs, Dean of General Affairs, Dean of Research and Development, Dean of International Affairs, Curator, Director of the Center of Environmental Protection and Safety and Health, Director of the Personnel Office, and Director of the Accounting Office, as well as one representative from NCYU School of Law and the Director of the IT Service Center, who shall be appointed as the ex officio committee member. The Committee members shall convene for at least one management and evaluation meeting annually, with the Information Security Manager serving as the convenor. 6. The University shall establish an Information Security and Personal Data Protection Task Group. The members of this group shall comprise senior operators of the IT Service Center, individuals in charge of core operational tasks, and second-level executives of core operational divisions. This task group shall be responsible for the planning, execution, and auditing of information security and personal data protection operational principles. The Director of the IT Service Center shall serve as the convener of this task group. 7. In accordance with the Cyber Security Management Act and Personal Data Protection Act, the IT Service Center shall establish the National Yang Ming Chiao Tung University Cyber Security Management Act and Personal Data Protection Implementation Regulations to govern policies, goals, and core operations related to information security and personal data protection. The regulations shall be implemented after approval by the Committee, and the same rule shall apply to all subsequent amendments. 8. The University shall conduct information security and personal data protection education training and promotion to improve faculty and students understanding of information security and personal data protection. 9. The Regulations shall be reviewed regularly to reflect the most recent relevant standards, technologies, and operational conditions. 10. The Regulations shall be implemented after approval by the attendees of the Administrative Meeting. The same rule shall apply to all subsequent amendments.