1. Establishment of Information Security Risk Management Framework
To enhance information security management, the "Information Security Committee" has been established to oversee the company's security governance policies, supervise security management operations, and convene regular meetings to review security governance issues and continuous improvements, in order to formulate information security policy and establish its applicability. The convener of the "Information Security Committee" is responsible for information security governance, planning, supervision, and implementation, in order to build a comprehensive defense capability for information security and promote colleagues' awareness of information security. Business unit directors of the company are members of this committee by default. The company's information management organization is led primarily by the Information Department as the dedicated core unit, with an appointed security supervisor and sufficient security personnel. Personnel from relevant departments also take part in collaborative operations, collectively driving and addressing security-related matters.
2. Information Security Policy
Our company's security strategy centers on three aspects: security governance, legal compliance, and technological utilization. From systems to technology, and from personnel to organization, we comprehensively enhance our security protection capabilities. Our objectives are as follows:
- Conduct information security education and training to promote employees' awareness of information security and enhance their understanding of related responsibilities.
- Protect the information of our group's business activities against unauthorized access and modification, ensuring its accuracy and integrity.
- Regularly conduct internal and external audits to ensure the effective implementation of relevant operations.
- Ensure that the key core systems of our group maintain a certain level of system availability.
3. Concrete Information Security Management Plan
- Become a member of the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC) to effectively receive and disseminate cybersecurity information.
- Continuously enhance backup and redundancy mechanisms for critical hosts and network devices, and implement firewall protection along with regular computer virus scans.
- The company periodically announces and promotes policies and regulations related to information security management.
- Regularly convene the Information Security Committee to continuously review and improve measures.
- Provide ongoing education and training for the company's information security personnel. In addition to routine announcements and promotions, implement an "Information Security Education and Training" course for all employees.
- In light of current emerging cybersecurity trends such as DDoS (Distributed Denial of Service) attacks, ransomware, social engineering attacks, and phishing websites, the group monitors cybersecurity issues regularly and plans responsive strategies. Different cybersecurity scenarios are practiced to enhance the responsiveness of personnel and to reduce the risk of cybersecurity threats.