Information Security Risk Management
Information Security Risk Management Framework
- The Company’s information security authority is the Information Technology Department, which has a chief information officer and professional information personnel responsible for formulating internal information security policies, planning and implementing information security operations, promoting and implementing information security policies, and reporting regularly to the board of directors and senior executives on the Company’s information security governance.
- The Company’s Auditing Office is the supervisory unit for information security monitoring. The Office has an auditing supervisor and full-time auditors responsible for supervising the implementation of internal information security. If audits reveal deficiencies, the Office immediately requests the inspected unit to propose relevant improvement plans and specific actions, and regularly tracks the effectiveness of improvements to reduce internal information security risks.
- Operational mode of the organization: PDCA (Plan-Do-Check-Act) cycle management is adopted to ensure the achievement of reliability targets and continuous improvement.
Information Security Policies and Specific Management Plans
The policy aims to ensure the effective operation and execution of the Company’s information management system, strengthen information security management, ensure the availability, integrity, and confidentiality of information, protect it from internal and external threats, whether intentional or accidental, ensure the safe maintenance of information systems and equipment networks, and achieve the goal of sustainable management.
Management measures are described below:
A. Computer equipment security management
- The Company’s computer hosts, servers, and other equipment are located in a dedicated server room. Entry to the server room is controlled by access control cards, and access records are kept.
- The server room is equipped with independent air conditioning to keep the computer equipment at a proper temperature, and fire extinguishers suitable for general or electrical fires are provided.
- The host computers in the server room are equipped with an uninterruptible power system and voltage stabilization equipment to prevent the system from crashing due to an accidental power failure and to ensure that the computer application system is not interrupted during a temporary power failure.
B. Network security management
- An enterprise-grade firewall is configured to ward off illegal intrusion, sabotage and information theft, and to prevent illegal use.
- Network traffic is monitored to prevent malicious internet behavior, reinforce internet security, and prevent bandwidth resources from being occupied improperly.
- An information security incident monitoring, reporting and response mechanism is established to prevent incidents from happening and to respond swiftly in order to reduce damage.
C. Virus protection and management
- Endpoint protection software is installed on the server and employee terminal equipment. Virus codes are automatically updated to ensure that the latest viruses are blocked and to detect and prevent the installation of potentially threatening system executable files.
- Vulnerability testing is performed on servers and employee terminal computer equipment to identify system weaknesses and repair them promptly.
- The email server is equipped with email anti-virus and spam filtering mechanisms to prevent viruses or spam from entering the user’s computer equipment.
D. System access control
- Use of each application system is authorized by the system administrator according to the requested functional authority, after the internal system authority application has been approved by the responsible supervisor and the system account has been established by the information office.
- When an employee goes through leaving (or disciplinary suspension) procedures, he/she must contact the information office to delete the system accounts.
E. Ensure the sustainable operation of the system.
- System backup: A backup management system is set up and a daily backup mechanism is adopted. There are two copies of backup media, one is kept in the server room and the other is stored in a different location.
- Disaster recovery drill: An annual drill is conducted for each system to ensure the correctness and validity of the backup media, by selecting a restoration date, restoring the backup media to the system host, and confirming the correctness of the restored data.
F. Information security promotion and education training
- All newly joined employees are required to attend the information security and protection classes.
- Employees are required to change their system passwords quarterly to maintain account security.
- Lectures: Information security related education and training courses are provided to internal employees from time to time.
- The Company has joined TWCERT/CC to access information security consulting, and gathers and provides this information to employees.
The information security management measures implemented by the Company are as follows:
Investments in Cyber Security Management
The implementation of the 6 categories of cyber security management is as follows:
A. Networking hardware
- Next-generation firewall with internet user behavior analysis.
- Layer 2 network switch.
B. Software system
- Server EDR detection and response.
- User endpoint detection and response.
- Backup management software.
- Email antivirus.
- Spam filtering.
- VPN certification.
- Vulnerability scanning software.
C. Service provided from Telecom Operator
- HiNet Information Security Services from CHT.
- Intrusion Prevention System.
- DDoS Prevention System.
D. Manpower investment
- Each system is checked daily.
- Backup and off-site media backup are practiced weekly.
- Information security education classes are conducted twice yearly.
- A disaster recovery drill is conducted yearly.
- The information cycle is audited internally and by a CPA.
2024 Achievements in promoting the implementation of corporate information security measures
- Set up information security personnel: 2.
- Authorized expenditure and equipment investment totaling NT$350,000.
- The Information Security and Personal Data Management Committee held a meeting.
- All new employees completed basic information security awareness education courses.
- Added and revised information management procedures and forms: 10 items.
- Revised the information communication incident reporting mechanism and response drills.
- Conduct internal information audit: 1 time.
- Conduct external information audit: 1 time.
- Promote important regulations and precautions on information protection and information security: 2 times.
- Conduct annual education and training: 1 time.
- Where the losses, possible impacts and response measures resulting from major information security incidents in recent years cannot be reasonably estimated, this fact should be explained: The Company did not have any major information security incidents in 2024, but still adheres to a preventive mentality and continues to prepare appropriate budgets to strengthen information technology security and reduce the Company's risk of being attacked by malware.
Information Security Incident Notification Procedures
The information security incident notification procedure is as follows (any report and action relating to information security follows the rules of this procedure).