
Information Security Risk Management

 
To strengthen information security risk management, the company has established an information security promotion group and an information security risk management framework, and regularly reviews the information security policy to ensure information security.
 
Information security risk management framework:
   
 
  • The information security promotion team is composed of the Information Security Manager, the Finance Senior Assistant Vice President, the Human Resources Manager and Information Security Personnel, and regularly reviews the information security management policies and related measures.
 
  • Members of all internal units implement the relevant measures.
 
  • Regular inspections of servers and other equipment are carried out during daily operations to detect problems immediately.
 
  • Regularly conduct information security risk assessments and cooperate with auditing units to ensure the correctness and effectiveness of operations.
 
  • Errors, loopholes and risks are corrected immediately to build a continuous improvement management cycle for information security.
 
  • The information security promotion team reports cyber security implementation to the General Manager and Board of Directors at least once a year. The date of the most recent report to the Board of Directors was November 2, 2023.

 

Information security policy and goals:
 
  Purpose:
    This policy is formulated to protect the information and communication assets related to all computer systems of the company, including the physical environment, software and hardware facilities, network, data, information, etc., from the risks of leakage, destruction or loss due to internal or external threats.
     
  Information security goals:
    Ensure the correctness, usability, completeness and confidentiality of the company's information operations. Avoid the threat of internal and external information security incidents. In the event of an accident, respond quickly and resume normal operation in the shortest possible time to reduce the damage caused by the accident.
 
  Information security management measures:
   
   
  • Establish an information communication security promotion group to formulate information security policies and objectives and specific management plans to ensure information security.
   
  • Handle personal information carefully in accordance with the Personal Data Protection Act.
   
  • Computers and servers must have passwords set and anti-virus software installed, and virus definitions must be updated regularly.
   
  • Comply with relevant regulations on intellectual property, and ensure that all installed software is legally authorized.
   
  • Important data needs to be backed up, and the validity of the backup data must be confirmed regularly.
   
  • Prepare disaster recovery plans to quickly restore system operations in the event of an information security incident.
   
  • Regularly carry out information security publicity work to strengthen employees' awareness of information security and legal concepts.
     
Specific management plan:
     
  Server equipment security management:
  • The company's servers are all housed in a dedicated server room with door access control.
  • The server room is equipped with an independent air conditioner to keep the servers running at an appropriate temperature, and with a gaseous fire extinguisher, which can be applied to fires caused by electricity.
  • The hosts in the server room are equipped with uninterruptible power supply equipment to avoid system crashes caused by unexpected momentary power outages by Taipower.

  Network security management:
  • A network firewall is set up to prevent outsiders from using the internal network.
  • Colleagues who log in to the intranet remotely to use services must apply for a VPN account, and can log in only through the secure VPN method.

  Virus protection and management:
  • Servers and terminal computers are equipped with endpoint protection software. Virus definitions are updated automatically to ensure that the latest viruses can be blocked, and the software can also detect and prevent the installation of potentially threatening executable files.
  • When the anti-virus software detects or blocks a virus, the virus is immediately quarantined or deleted, and an email listing the infected and at-risk computers is sent proactively so that management personnel can take corresponding actions.

  System access control:
  • Colleagues must apply for access rights to each system in accordance with the procedures stipulated by the company, and the rights are set by the information unit after approval by the responsible supervisor.
  • Permission checks are performed regularly on each system to ensure the correctness of permissions.
  • When colleagues go through the procedures for resignation (retirement), they must contact the information unit to have each system account deleted.

  System operation sustainability:
  • System backup: A cloud backup system is built and a daily backup mechanism is adopted.
  • Disaster recovery drills: Drills are conducted every year to ensure the correctness and effectiveness of backup media.

  Education, training and advocacy:
  • Regular publicity: Information security publicity emails are sent regularly to strengthen colleagues' information security awareness and legal concepts.
  • Membership in the "Taiwan Computer Emergency Response Team / Coordination Center_TWCERT/CC" and the "CISA_CISO sorority" provides information security incident consulting channels and information security information, and relevant information is passed on in internal publicity.
 

 

Resources invested in information security management:
 
   
  • Firewall: Complete firewall protection subscription renewal.
   
  • Software system: Build an endpoint protection system and antivirus software.
   
  • 2023 manpower input: daily system checks; core information asset inventory and risk assessment: 1 time; permission checks on each system: 10 times; company computer vulnerability assessment: 2 times; computer check tasks: 1 time; disaster recovery exercise: 1 time.
   
  • Annual internal audits of the information cycle.
   
  • Information security promotion team meetings: 4 meetings were held in 2023 to review the implementation of information security policies.
   
  • Information security insurance: In December 2023, "information security protection insurance" was purchased with a total insured amount of NT5,000,000.
   
  • 2023 information security publicity implementation:
    Education and training:

      Course title                            Trained proportion
      Be careful, hackers are around you      14.5%

    Publicity by e-mail:
      In 2023, a total of 27 information security promotion emails were sent.
 


Address: 114 6F., No. 88, Zhouzi St., Neihu Dist., Taipei City

Tel: (02)8752-5880

Fax: (02)8752-6990