Management Staffing |
1. The company has set up an information security management team with two information security personnel responsible for the implementation of related operations, including: system planning and establishment, management of personnel computers and company network privileges, management of firewall/anti-virus software, data redundancy/backup planning and recovery exercises, etc.
2. In 2023, the security personnel received a total of 17.5 hours of training in ISO 27001 clause analysis and Zero Trust networking, compared to 12.5 hours of training in 2022. |
Information security and control measures |
1. Antivirus software has been installed, and it was renewed for an additional three years in June 2022.
2. Upgrading the network firewall model to enhance protection against network attacks.
3. The email server is configured with filtering mechanisms to prevent the spread of spam emails.
4. The system network operations are connected via MPLS VPN to prevent external malicious access. Multi-factor authentication for login protection has been added.
5. To log in to company-configured personal computers, you are required to enter your username and password. Passwords must be changed every three months. When using company systems, you also need to provide your username and password, and your access is subject to the permissions associated with your account. Passwords for system access must also be changed every three months. Failure to change your password within the specified time frame will result in an account lockout. To reactivate the account, a request should be submitted. Passwords must be at least 8 characters in length and include a combination of numbers and letters.
6. In January and July 2023, we completed ERP system permission audits. System data backup and recovery drills were conducted in October 2023. |
Information Equipment Security |
1. Important system hosts have been placed in professional server rooms and access to them is restricted by access control.
2. A maintenance exercise has been carried out at each site this year to reduce the chance of equipment failure.
3. Important system data is scheduled to be backed up by the system at 01:00 a.m. daily and checked by information staff to ensure that the system has been backed up.
4. We plan to complete a full system backup (including programs and data) in the first half of 2024, adhering to the 3-2-1 backup cybersecurity requirements.
5. We plan to implement endpoint protection and execute cybersecurity operations for threat detection and response in the first half of 2024. |
Enhanced information security awareness |
1. New recruits are required to sign the "Computer Use Regulations Agreement" to ensure that they fully understand the company's regulations on computer use, network management, software installation, etc.
2. New recruits fill in the "new recruits information permission request form" with the assistance of the HR department contact. After confirmation by the personnel supervisor, human resources supervisor and information supervisor, the information personnel set up the basic personal computer privileges on the day the new recruits report to work. The new recruits then fill in the "Application Form for New Information Privileges" according to their job requirements, and can obtain other system privileges only after the departmental supervisor and the information supervisor have reviewed and confirmed the application.
3. We have completed cybersecurity awareness programs on ransomware prevention, security vulnerability mitigation, and safe email usage, and we conduct these awareness programs regularly every quarter.
4. In the third quarter of this year, we conducted a social engineering drill. Apart from new employees, all department staff have raised their cybersecurity awareness. When receiving suspicious emails, they not only refrain from clicking on them but also immediately report them to the IT security department. By doing so, they collectively contribute to enhancing information security.
5. We continue to provide cybersecurity vulnerability prevention online courses for new employees in 2023. After the courses, online assessments are conducted, and all 22 new hires have completed the training and passed the assessments. In 2022, 26 employees completed the same training. |