Information Communication Security Management

Information Communication Security Risk Management Framework

 
To implement the information communication security strategy set by the Enterprise Information Communication Security Organization, and to ensure that the relevant information security standards, procedures and regulations are followed, the President serves as the top manager of the organization, the Executive Vice President serves as the management representative, and the Information Management Department is responsible for coordinating and implementing the information communication security policy, publicizing information security information, enhancing employees' information security awareness, and collecting and improving the technologies, products or procedures that support the performance and effectiveness of the organization's information security management system. The Audit Office conducts an annual security audit of the internal control system, evaluates the effectiveness of the internal controls over the Company's information and communications operations, and reports to the Board of Directors regularly every year.
 
 


 
Information Communication Security Policy

 
  • Enterprise Information Security Management Strategy
 
  1. Maintain the sustainable operation of each information communication system.
  2. Maintain physical environment security.
  3. Prevent intrusion and damage by hackers and viruses.
  4. Prevent leakage of sensitive information.
  5. Prevent malicious intent and illegal use.

 
  • Enterprise Information Communication Security Risk Management and Continuous Improvement Framework
 
PDCA (Plan-Do-Check-Act) cycle management is adopted to ensure goal achievement and continuous improvement.

 


 
  • Specific Management Plans
 
ITEM / SPECIFIC MANAGEMENT MEASURES
Physical Security
  • Implementation of computer room access control.
  • Dual-circuit UPS power supply to protect against damage caused by power failures or other power anomalies.
Device Safety
  • Establishment of endpoint anti-virus measures by computer type.
  • Enhanced malware behavior detection.
  • URL filtering protection.
Internet Security
  • Strengthening the network firewall and network controls to prevent viruses from spreading between the laboratory area and the office area.
  • Introduction of the ATP advanced threat protection system.
  • Automated user threat reporting.
Cloud Protection
  • URL filtering to block attachments carrying unknown malware and viruses.
  • Mail fraud and phishing mail protection.
Data Security
  • Introduction of the off-site backup system, copying complete data off-site and automatically generating reports every day.
  • Introduction of a data leakage protection system with automatic warning functions to prevent data leakage.
Education and Advocacy
  • Enhancement of employee vigilance against email and social engineering attacks, and implementation of phishing mail defense detection.
  • Regular promotion of information security information to enhance information security awareness.
 
 
  • Resources Invested in Information Communication Security Management

Implementation results of the promotion of enterprise information security measures.
 
POLICIES
  • Revision of the Information Communication Security Code.
  • Amendments to the video conferencing and remote work rules.
TRAINING AND ADVOCACY
  • Quarterly case-sharing sessions and monthly general information security training for new hires were carried out; four case advocacy sessions and twelve general training sessions were conducted in the fiscal year 2023.
  • Social engineering drills were performed to increase alertness to phishing mail. In the fiscal year 2023, two social engineering drills were conducted, involving education, training and quizzes for employees on phishing awareness.
SYSTEMS
  • Strengthening off-site backup systems and upgrading from tape backup systems to disk copy storage systems.
  • Introducing the ATP advanced threat protection system.
  • Enhancing the spam filtering system: URL link filtering, attachment scanning, and email fraud and phishing protection.


 
Information Security Risks and Countermeasures


To strengthen information security protection, information security risks are identified, countermeasures are proposed, and the results are reviewed regularly.
 
SECURITY RISK IDENTIFICATION / IMPACT ASSESSMENT / COUNTERMEASURES / PERFORMANCE MANAGEMENT
Personal Computer Account Password Security
  • Impact assessment: Financial and business secrets are stolen by malicious actors.
  • Countermeasures: The personal computer power-on password is changed regularly.
  • Performance management: Passwords must be changed regularly and comply with the complexity principle.
Computer Virus Protection
  • Impact assessment: Computer viruses, ransomware, Trojans and cryptomining programs.
  • Countermeasures: Strengthen endpoint protection and introduce a behavior monitoring and application control protection system.
  • Performance management: Strengthen system and data security by endpoint type.
Network Management Security
  • Impact assessment: Network stability, deliberate attacks and traffic isolation.
  • Countermeasures: Regularly update firmware and introduce an Intrusion Prevention System (IPS).
  • Performance management: When abnormal network packets or behaviors are detected, the system sends an alert notification and necessary measures are taken immediately.
Information Security
  • Impact assessment: Unauthorized access to information systems.
  • Countermeasures: Establish an access authorization process based on job requirements.
  • Performance management: Access is requested through an electronic form and granted only after approval by the supervisor and the responsible unit.
Online Safety
  • Impact assessment: Malware, phishing, zombie computers communicating with command-and-control servers, and other improper transmissions.
  • Countermeasures: Introduce an advanced threat protection system and conduct regular email social engineering drills every year.
  • Performance management: Actively block zero-day vulnerability attacks and warn of inappropriate transmissions.
Information System Service Operation
  • Impact assessment: Hackers may attempt to infiltrate the Company's network systems with computer viruses, destructive software or ransomware in order to disrupt the Company's operations.
  • Countermeasures: Set the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for the core business.
  • Performance management: Set up an appropriate backup mechanism and backup plan, and regularly test the correctness of the restored data.

 

Major Information Security Incidents


So far, there has been no major information security incident causing business damage.
 
Date of Submission to the Board of Directors


2023.11.10.
