Information Security and Privacy Management


Cybersecurity Risk Management Framework


The unit responsible for the company's information security is the Information Technology Department, which has dedicated personnel serving as the cybersecurity officer and staff. They are in charge of promoting, coordinating, overseeing, and reviewing information security management matters. They also implement information security policies, promote information security messages, enhance staff awareness, and collect and improve the organization's information security management system, technologies, products, or procedures. The audit unit conducts an annual information security audit to assess the effectiveness of internal controls related to information operations.

Cybersecurity Policy

To strengthen and implement information security management, the company has established an internal control system for cybersecurity. The objectives are as follows:

  • Ensure the availability, integrity, and confidentiality of information
  • Protect customer data and company information assets from internal and external malicious or accidental threats
  • Ensure the continuous operation of information systems
  • Implement audit operations to ensure the continuous effectiveness of security regulations

Cybersecurity Management Plan

The company follows a PDCA (Plan-Do-Check-Action) cyclical management approach for information security operations, ensuring the achievement of goals and continuous improvement. Specific objectives and measures are outlined as follows:

  • Computer Equipment Security Management:
    1. The company's servers and core network devices are housed in a dedicated server room, with card access controls and 24-hour surveillance.
    2. The server room is equipped with independent air conditioning, automatic smoke detection, temperature alarm systems, jet fire extinguishing systems, UPS (Uninterruptible Power Supply), and voltage stabilizing equipment to prevent system damage from accidental power outages.
    3. Servers and end-user computers have unified antivirus software with an automatic virus signature update mechanism, ensuring all devices maintain the same level of protection.
    4. Servers and devices are also protected by unified endpoint protection software, which detects and prevents potential threats and malicious software behaviors.
    5. Log management and monitoring are centralized, with important server logs being collected, and alarm rules are defined for critical system events to enhance early detection of suspicious activities.
  • Network Security Management:
    1. Different network segments are created for various organizational units to prevent the rapid spread of malware or virus infections within one unit.
    2. Corporate firewalls are configured at internet gateways to block external attacks, control connections, and filter malicious and phishing websites.
    3. Secure communication via VPN is used between offices in different locations to ensure encrypted data transmission.
    4. SSL VPN accounts are required for remote access to internal systems, ensuring secure login and maintaining access logs for future audits or investigations.
    5. Email antivirus and spam filtering mechanisms are implemented to block malicious emails.
  • Access Control:
    1. When employees join, the HR department applies for general system accounts. Upon leaving, employees must visit the IT department for account deletion and sign-off procedures.
    2. Access to backend management systems related to business requires prior approval from supervisors and configuration by the IT department.
    3. Operating system password complexity, screen locking, and error lockout policies are enforced according to government guidelines.
    4. File servers are configured with folder permissions based on departmental needs to protect information security. Group policy management tools are used for centralized file server audit settings.
  • Cloud Security:
    1. IAM (Identity and Access Management) services are used for managing identities and access in cloud environments, with multi-factor authentication (MFA) enabled for additional security.
    2. Cloud services default to encryption mechanisms, and cloud encryption key management services are used to ensure data security.
    3. Cloud system audit logs are collected for future analysis.
    4. Cloud firewalls and DDoS protection services are deployed to prevent external attacks and service disruptions.
  • Business Continuity:
    1. Data backup is performed daily, with backup data stored in local network drives and remote backup strategies implemented to ensure data safety.
    2. Disaster recovery drills are conducted annually to confirm the recovery process’s effectiveness and integrity.
  • User Personal Data:
    1. Compliance with Taiwan's Personal Data Protection Act (PDPA) is ensured, with privacy policies and consent forms for data collection and usage.
    2. Personal data is encrypted in databases and protected with masking and encryption during access.
    3. Data access and transmission use SSL encryption to prevent interception, with access logs maintained for audits.
    4. Regular training on personal data handling is provided to employees.
  • Intellectual Property:
    1. Intellectual property like source code and media are stored in a version control system with historical version retention.
    2. Regular and offsite backups of version control systems follow business continuity measures.
    3. Cloud DevOps development processes and version control services are used, with backup resources from cloud providers.
    4. New employees sign confidentiality agreements, with responsibilities for protecting Company intellectual property.
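The centralized log collection with alarm rules for critical system events (Computer Equipment Security Management, item 5) and the error lockout policy (Access Control, item 3) are the kind of controls a small rule engine can illustrate. The block below is an added example and is not code from the company or from this report; the log layout, host names, user names, addresses, thresholds and critical-event patterns are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like layout; hosts, users and
# addresses are made up and do not describe any real environment.
SAMPLE_LOGS = """\
2024-03-04T08:00:01 fs01 sshd: Failed password for alice from 10.1.20.5
2024-03-04T08:00:07 fs01 sshd: Failed password for alice from 10.1.20.5
2024-03-04T08:00:12 fs01 sshd: Failed password for alice from 10.1.20.5
2024-03-04T08:00:20 fs01 sshd: Failed password for alice from 10.1.20.5
2024-03-04T08:00:25 fs01 sshd: Failed password for alice from 10.1.20.5
2024-03-04T08:00:31 fs01 sshd: Accepted password for alice from 10.1.20.5
2024-03-04T08:10:00 vpn01 sslvpn: login ok user=bob src=203.0.113.7
2024-03-04T09:15:42 db02 endpoint: antivirus service stopped
2024-03-04T09:30:00 fs01 sshd: Failed password for carol from 10.1.20.9
2024-03-04T10:30:00 fs01 sshd: Failed password for carol from 10.1.20.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")

# Critical-event patterns a defender would alert on immediately.
# Assumed examples only, not the company's actual alarm rule list.
CRITICAL_PATTERNS = {
    "antivirus_stopped": re.compile(r"antivirus service stopped"),
    "audit_log_cleared": re.compile(r"audit log cleared"),
}


def parse_line(line):
    """Split one collected log line into timestamp, host, program and message."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not silently trusted
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def evaluate(lines, threshold=5, window=timedelta(minutes=5)):
    """Apply two alarm rules over a stream of log lines and return the alerts.

    Rule 1: `threshold` failed logins for the same host/user/source inside
            `window` (mirrors an account lockout policy on the detection side).
    Rule 2: any message matching a critical-event pattern.
    """
    alerts = []
    recent = defaultdict(deque)  # (host, user, src) -> timestamps of recent failures
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        fm = FAILED_RE.search(ev["msg"])
        if fm:
            key = (ev["host"], fm["user"], fm["src"])
            q = recent[key]
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"rule": "failed_login_burst", "host": key[0],
                               "user": key[1], "src": key[2], "time": ev["ts"],
                               "count": len(q)})
                q.clear()  # one alert per burst, not one per extra failure
            continue
        for name, pattern in CRITICAL_PATTERNS.items():
            if pattern.search(ev["msg"]):
                alerts.append({"rule": "critical_event", "event": name,
                               "host": ev["host"], "time": ev["ts"],
                               "message": ev["msg"]})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the constructed input the burst rule fires once for alice (five failures in under a minute) and stays quiet for carol, whose two failures are an hour apart, while the critical-event rule fires once for the stopped antivirus service. The sliding window and the per-key deque are what keep the rule from alerting on normal typo-rate failures; the thresholds would be tuned to the real lockout policy.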

Cybersecurity Execution

  • Cybersecurity Awareness and Training:
    1. Information security personnel undergo regular professional training courses.
    2. Information security awareness training is conducted for internal staff on a periodic basis, and new employees must complete security onboarding training.
    3. A monthly cybersecurity newsletter is distributed to remind staff about suspicious activities.
    4. Periodic social engineering drills are held to strengthen information security training for vulnerable staff.
    5. Subscriptions to TWCERT/CC provide information on security incidents and intelligence for internal dissemination.
  • Professional Technical Resources:
    1. A professional security team conducts regular security assessments and implements protective mechanisms and global abnormal equipment monitoring.
  • Adequate Cybersecurity Budget:
    1. Security-related costs include maintenance and operations, with necessary protection, monitoring, and assessment expenses for information system development and operations.

Privacy Protection Report

To protect intellectual property, information assets, user data, and online operations, we have formulated an information security management system and policies based on the guidelines of the National Information Security Technology Services Center. We have established various cybersecurity management regulations to meet the company’s needs and implemented necessary protective mechanisms to reduce the risk of internal or external threats, minimizing potential company losses.