Cyber Security Management

According to the assessment of the Company's authority, although the information security risk is not a major operational risk, the risk may increase year by year as the network environment becomes more complex. The Company has established an information security management structure, with the president responsible for formulating information security management policies and the "Information Security Working Group" and "Information Security Response Team" under him/her to formulate and implement specific information security management plans. In addition, an information security audit unit conducts internal audits of management systems, information security prevention and crisis management, and continues to refine internal abnormality detection and protection methods to reduce corporate information security risks.

The implementation measures
The Company considers that information security insurance is still a new type of insurance in Taiwan, and there is no information security insurance suitable for the Company. Therefore, at this stage, the Company's existing information security management procedures are used to implement information security risk management. The relevant specific implementation measures are as follows:
 

• Network Security Management

1. Install enterprise-level firewalls to prevent illegal intrusions by hackers.
2. Use SSL VPN to connect with each branch of the Company, and use data encryption to avoid illegal access of the data in the transmission process.
3. Install an online conduct management system to control network access, which can block access to harmful or policy-disallowed URLs and content, strengthen network security, and prevent bandwidth from being improperly occupied.

 

• System access control

1. An application must be filed in advance for the use of each applied system of the Company. After being approval by the supervisor in charge, the account will be established by the information office, which can only be used with the system functions granted by the system administrator.
2. The password setting of the account must meet the required protection strength, and it needs to be mixed with alphanumeric characters for approval.
3. The resigning employees must inform the information office for having the system account deleted.

 

• Implement information security training

1. Regularly implement information security education and training, and from time to time conduct information security promotion for employees to raise their awareness of the importance of information security.
2. Arrange social training courses for all employees, and arrange special training courses for those who violate information security regulations.

 

• Virus protection and management

1. Terminal protection software is installed on the server and computers for employees, and the virus code is automatically updated to have the latest viruses detected and blocked.
2. The email server is equipped with a spam filtering mechanism to prevent viruses or spam from entering the user’s PC.

 

• Ensure system availability

1. Setup a backup management system to have two backup copies of data prepared on a daily basis with one copy kept in the computer room and the other one placed in a different place (Taipei or factory) for backup.
2. Perform disaster recovery drills on a regular basis. After deciding the restoring point, the backup file is restored to the system host.

 

• Computer equipment security management

1. Company’s computer host, application servers, etc. are all set up in the dedicated computer room. The computer room access is controlled with an electronic card with records kept for future reference.
2. There is an independent air conditioner and uninterruptible power system in the information room to have the computer equipment operated at a suitable temperature, and the operation of the computer application system will not be interrupted when the power is turned off.
3. Construct an equipment management system, so, only the mobile devices and USB devices that are certified by the Company can be used to connect to the Company’s intranet and access data.