Corporate Governance

1. Information and Communication Security Policy

1-1. Information assets shall be properly protected against unauthorised access so that their confidentiality is not compromised.
1-2. Information assets shall be kept in the correct environment and with the correct transmission tools to safeguard their integrity.
1-3. The availability of information asset processing equipment shall be ensured in order to ensure the sustainability of the Company's critical business operations.


2. Specific management solutions
2-1. Access control should be implemented in important computer rooms and regular inspections should be conducted to ensure that the equipment is functioning properly and is not infringed upon.
2-2. When logging into the company's personal computers and systems, an account/password is required. Additionally, passwords must be changed every three months. Users are also required to operate application systems within the authorized scope of their accounts. For important account permissions, an annual audit is conducted to minimize the risk of data leaks. Accounts that have not undergone a password change will be locked, and users must reapply for permissions through the 'Information Permission Addition/Change Request Form'.
2-3. Network firewalls and anti-virus software should be installed, and virus codes should be updated regularly to ensure the security of information assets and transmission.
2-4. Important information should be categorized and backed up regularly, and backup and recovery tests of computer system data should be conducted regularly every year to ensure that the impact on the company's operation can be minimized after an information security incident occurs.
2-5. Information equipment should be inspected on an annual basis. If information equipment is to be replaced, the storage media should first be disposed of by formatting and erasing the data from the storage media to be destroyed and physically destroying it with a hammer or drilling device to ensure that the storage media and data cannot be reused.
2-6. The Company shall regularly review areas for further enhancement of information security management on an annual basis. In addition to improving equipment or management mechanisms, the Company should conduct further user education and training, if necessary, to reduce the likelihood of information security incidents.
2-7. We conduct quarterly social engineering drills to ensure that internal personnel are well-prepared to respond appropriately to external malicious phishing email attacks and have an established reporting mechanism. Necessary education and training is also provided to employees who are unfamiliar with such attacks.
2-8. Join the cybersecurity alliance (TWCERT/CC) and regularly receive cybersecurity information.


3. Input resources for information and communication security management
3-1. Case Studies on Information Security and Information Security Awareness Promotion: 4 times in 2022 and 4 times in 2023.
3-2. Regular monthly cybersecurity meetings are held to develop action plans according to the cybersecurity prevention program. There were 12 meetings in 2022, and 10 meetings are scheduled for 2023.
3-3. Software Inventory: Establish a management system for software installations. Perform an inventory at least once a year to ensure the legal use of licensed software and to guard against malicious software.
3-4. Endpoint Protection: Check virus definition updates every 2 hours. Install endpoint monitoring agents to enhance system reliability.
3-5. Establish a firewall for protection against Distributed Denial of Service (DDoS) attacks and implement a control mechanism on the mail server to block large volumes of spam and viruses.
3-6. We have formulated a plan to introduce Managed Detection and Response (MDR) services, which is expected to be gradually implemented in 2024, with full deployment upon completion.
3-7. Common Vulnerabilities and Exposures (CVE) patching for servers: Regularly check for security update information, and perform a weekly check of Microsoft operating system updates.
3-8. Disaster Recovery: Establish dedicated backup servers and related software, and formulate data backup policies for core systems. The system has a cold standby mechanism.
3-9. Disaster Recovery (DR) Drills: Conduct DR drills for core systems twice a year.


4. Organizational structure for information security
The Company has established a dedicated information security unit with two members to hold quarterly ad hoc meetings to decide on matters related to the information security system and to establish the security responsibilities of the information security management structure. The unit also reports to the Board of Directors on the implementation of information security management on an annual basis.


5. Operations
1. Date reported to the Board of Directors in 2023: November 2, 2023
Category: Management Staffing
1. The company has set up an information security management team with two information security personnel responsible for the implementation of related operations, including system planning and establishment, management of personnel computers and company network privileges, management of firewall/anti-virus software, data redundancy/backup planning and recovery exercises, etc.
2. In 2023, the security personnel received a total of 17.5 hours of training in ISO 27001 clause analysis and Zero Trust networking, compared to 12.5 hours of training in 2022.

Category: Information security and control measures
1. Antivirus software has been installed and was renewed for an additional three years in June 2022.
2. The network firewall model was upgraded to enhance protection against network attacks.
3. The email server is configured with filtering mechanisms to prevent the spread of spam emails.
4. System network operations are connected via MPLS VPN to prevent external malicious access. Multi-factor authentication for login protection has been added.
5. To log into company-configured personal computers, you are required to enter your username and password. Passwords must be changed every three months. When using company systems, you also need to provide your username and password, and your access is subject to the permissions associated with your account. Passwords for system access must also be changed every three months. Failure to change your password within the specified time frame will result in an account lockout. To reactivate the account, a request should be submitted. Passwords must be at least 8 characters in length and include a combination of numbers and letters.
6. In January and July 2023, we completed ERP system permission audits. System data backup and recovery drills were conducted in October 2023.

Category: Information Equipment Security
1. Important system hosts have been placed in professional server rooms, and access to them is restricted by access control.
2. A maintenance exercise has been carried out at each site this year to reduce the chance of equipment failure.
3. Important system data is scheduled to be backed up by the system at 01:00 a.m. daily and checked by information staff to ensure that the backup has completed.
4. We plan to complete a full system backup (including programs and data) in the first half of 2024, adhering to the 3-2-1 backup cybersecurity requirements.
5. We plan to implement endpoint protection and execute cybersecurity operations for threat detection and response in the first half of 2024.

Category: Enhanced information security awareness
1. New recruits are required to sign the "Computer Use Regulations Agreement" to ensure that they fully understand the company's regulations on computer use, network management, software installation, etc.
2. New recruits fill in the "new recruits information permission request form" with the assistance of the HR department contact. After confirmation by the personnel supervisor, human resources supervisor and information supervisor, the information personnel set up the basic personal computer privileges on the day the new recruits report to work. The new recruits then fill in the "Application Form for New Information Privileges" according to their job requirements, and obtain other system privileges only after the departmental supervisor and the information supervisor have reviewed and confirmed the application.
3. We have completed cybersecurity awareness programs on ransomware prevention, security vulnerability mitigation and safe email usage, and we conduct these awareness programs regularly every quarter.
4. In the third quarter of this year, we conducted a social engineering drill. Apart from new employees, all department staff have raised their cybersecurity awareness. When receiving suspicious emails, they not only refrain from clicking on them but also immediately report them to the IT security department. By doing so, they collectively contribute to enhancing information security.
5. We continued to provide cybersecurity vulnerability prevention online courses for new employees in 2023. After the courses, online assessments are conducted, and all 22 new hires have completed the training and passed the assessments. In 2022, 26 employees completed the same training.

2. Date reported to the Board of Directors in 2024: July 30, 2024
Category: Management Staffing
1. Tait has set up an information security management team and appointed 2 information security personnel to be responsible for the execution of relevant operations, including system planning and establishment, personnel computer and company network permission management, firewall/anti-virus software management, and data backup planning and recovery drills.
2. In 2024, information security personnel received courses on the Personal Information (Security Maintenance) Law, social engineering education and training, information security management and control guidelines, etc., totalling 29.5 person-hours; in 2023, 25 person-hours of courses were completed.

Category: Information security and control measures
1. The network firewall model was updated in 2023. In 2024, security patches were applied three times and real-time notifications of disconnection events were added to improve network resilience.
2. The email server is configured with a filtering mechanism to prevent the spread of spam. It is planned to move to the cloud in 2024.
3. System network operations are connected via MPLS VPN to avoid malicious external access. HiNet enterprise security services are also used to block external attacks.
4. The anti-virus software was renewed for three years in June 2022; 2024 is the second year of the contract. Host operation and information security patches are checked every month and updated promptly.
5. To log in to a company-configured personal computer and use the company's internal systems, an account/password must be entered, and the password must be changed every three months. If the password is not changed by the expiration date, the account is locked and usage rights are suspended until a new application is made. Passwords must be at least 8 characters long and contain a combination of numbers and English letters.
6. In July 2024, an inventory of ERP system permissions was completed to confirm that the list of users is correct.
7. In 2023, vulnerability scanning of 6 hosts and penetration testing of 3 hosts were completed, and operating system upgrades and AP OWASP vulnerability patching were carried out. This will continue in 2024.

Category: Information Equipment Security
1. Important system hosts are placed in professional computer rooms, with access control for personnel access.
2. In 2024, maintenance of information hosts at each site was carried out to reduce the chance of equipment failure, and the hardware warranty contract was completed.
3. A complete backup of the core system (including programs and data) was completed in the first half of 2024, meeting the 3-2-1 backup information security requirements. Important system data is scheduled to be backed up twice a day, and backup execution results are sent immediately via email.
4. In the first half of 2024, MDR software was introduced to carry out security operations for proactive threat detection and response.
5. It is planned to introduce endpoint protection in the second half of 2024 and perform software and hardware control operations on terminal equipment (such as laptops).

Category: Enhanced information security awareness
1. All new employees are required to sign a "Computer Usage Regulations Agreement" to ensure that employees understand the company's regulations on computer use, network management, software installation, etc.
2. New employees fill in the "New Personnel Information Permission Application Form", and personal computer permissions are set after confirmation by supervisors at all levels and the information manager. Based on job requirements, they then fill out the "Application Form for New Change of Information Permissions"; other system permissions are provided after review and confirmation by the department supervisor.
3. In 2024, information security promotions on ransomware damage prevention, information security vulnerability prevention, email security, and major changes in personal information laws, etc. are being completed, with regular monthly promotions; personal computers are set to display relevant promotion messages after start-up.
4. Social engineering drills were conducted in the first quarter of this year. In addition to new colleagues, colleagues in all units have improved their security awareness: when receiving unknown emails, they not only refrain from clicking on them but also report abnormal emails to the Information Security Department as soon as they are received, jointly preventing information security incidents.
5. The "Information Security Incident Response and Internal Reporting Plan" was developed and released in 2024, standardizing information security incident criteria and reporting mechanisms and compiling detailed rules for the organization and division of work of the response committee.
6. In 2024, online courses on information security vulnerability prevention continue to be arranged for new recruits, with online tests after the class. A total of 9 new recruits have completed the course and passed the test; 20 people completed it in 2023.