Information Security Risk Management
1. Information Security Risk Management Framework
The unit responsible for the company's information security is the Information Center and Information Security Office. The unit has a designated information security supervisor and professional staff responsible for stipulating, planning, promoting and enforcing the company's information security policy. The unit supervisor is also responsible for reporting the implementation status of the information security policy to the Board of Directors at least once a year. The actual implementation of information security management for 2023 was reported to the Board of Directors on December 13, 2023.
2. Information Security Policy
A. All employees of the company must adhere to the company’s information security policy management regulations to ensure the confidentiality, integrity, and availability of the company’s information assets, achieving the goal of sustainable operation.
B. The company’s information security policy covers: device usage, paper documents, storage media, access control, software usage, wireless networks, physical environment and security, accounts, passwords and keys, system development and maintenance, email and communication software, supplier and personnel appointment, information security incident management, and information security penalties.
3. Specific Management Plans
A. Compliance with laws and adoption of international information security certification standards to implement information security management regulations, strengthen the handling capabilities of information security incidents, and protect the assets of the company and customers.
B. Joining information security collaborative organizations to share information security intelligence and engage in “cybersecurity collaboration”.
C. Deploying new-generation firewalls to provide protection against high-severity threats and effectively block unauthorized intrusion.
D. Installing intelligent antivirus software on server and endpoint computer equipment, with virus definitions updated automatically by the system to effectively block the intrusion of the latest viruses.
E. Setting up email server antivirus and spam filtering mechanisms to prevent viruses or spam emails from reaching users’ computers.
F. Establishing a complete backup mechanism for systems in the computer room, with important core systems also implementing off-site backup mechanisms to ensure the company’s sustainable operation.
G. Deploying next-generation cybersecurity systems for factory production line equipment to ensure the security of OT operations.
H. Implementing a VPN system with two-factor authentication mechanisms to ensure the accurate authentication of remote login personnel, with complete entry and exit records for all remote logins for future audits.
I. Conducting regular vulnerability scans and patching for servers in the computer room to prevent hackers from exploiting vulnerabilities and reduce information security risks.
J. Conducting annual disaster recovery drills for each application system to ensure uninterrupted business operation.
K. Regular implementation of information security education and training for company employees and social engineering drills to enhance employees’ awareness of information security.
4. Allocation of Information Security Resources
A. Dedicated personnel: One Information Security Supervisor and one Information Security staff member were assigned. They completed a total of 80 hours of professional information security training in 2023 and obtained the ISO 27001 Lead Auditor (LA) certification and the Ministry of Economic Affairs Industrial Talent Information Security Engineer certification.
B. Information security collaborative organization: Joined the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC) as a member, sharing information security intelligence with relevant colleagues daily to strengthen the company’s information security protection.
C. Information security certification: Obtained the ISO 27001 international standard certification for information security in 2023 (certificate valid until October 31, 2025), with no significant deficiencies found in related security audits.
D. Customer satisfaction: No major security incidents reported.
E. Disaster recovery drills: Conducted disaster recovery drills for core systems annually, with a total of 4 drills conducted in 2023, including ERP, MES, WMS, PORTAL, etc.
F. Education and training:
(1) Information security education and training:
Conducted in-person/online information security education and training for all company employees annually, with a total of 17 in-person courses held in 2023, attended by a total of 510 people.
(2) Social engineering drills:
Conducted quarterly social engineering drills for all company employees, with a total of four drills conducted in 2023, involving a total of 2,348 phishing emails.
(3) Information security announcements:
Issued information security announcements to company colleagues on an ad hoc basis to reinforce information security policies and awareness, with a total of 10 information security announcements issued in 2023.