Information security management
(I) Describe the information security risk management framework, the information security policy, the specific management plan, and resources input in information security management.
(1) Information Security Risk Management Framework: The Company’s Information Security Risk Management Team is composed of the Assistant to the General Manager’s Office, the Information Department and internal audit personnel, and reports regularly to the Board of Directors.
(2) Information security policy: To ensure sustainable operation and maintain information security, the Company has established an information security organization, provided related management measures and rules, supervises and monitors the implementation of related operations and equipment, detects exceptions in advance, and avoids and controls any damage.
(3) Specific management plan and resources input in information security management: Join information security information sharing platforms including ISAC and TWCERT. In addition to regular information security inspections, cooperate with internal and external auditors to include information security inspections in the annual audit plan.
Internet Control
- Install a firewall.
- Install SPAM, a mail filtering protection platform, to effectively reduce the risk of various mail attacks.
- Install anti-virus software in computer equipment, and regularly scan computer systems and data storage media for viruses.
- Use various network services pursuant to the information security policy.
Data Access Control
- Designate specified persons to keep computer equipment, and set user names and passwords.
- Grant different access authorities based on functions.
- Revoke the authorities of any person rotated to another position.
- Duly approve remote access to an information system.
Backup Recovery Mechanism
- Establish system backup mechanisms for all important systems, and implement remote backup.
- Conduct system recovery drills regularly every year.
- Regularly review computer network security control measures.
- Make the Information System Emergency Recovery Plan.
The Company does not yet need to obtain any international certification for any information security policy or any specific management plan. Currently, based on the appetite for information security risks identified by the Company's risk management team, insurance is not yet needed for information security risks. However, committed to information security management, the Company has continuously enhanced its information security protection and holds disaster recovery drills regularly every year. Moreover, the team members continually update their knowledge of information security management to strengthen their professional competence and keep abreast of information security issues.
The Company spent a total of NTD 1,844 thousand on information security in 2024, and has effectively established protections against and prevented various information security risks.
The Company established an information security chief and related teams at the Board of Directors meeting on November 7, 2024 (the 14th meeting of the 33rd session), and presented an information security project report at the board meeting.