Corporate Governance

1. Information and Communication Security Policy

1-1. Information assets shall be properly protected against unauthorized access so that their confidentiality is not compromised.
1-2. Information assets shall be kept in the correct environment and transmitted with the correct tools to safeguard their integrity.
1-3. The availability of information asset processing equipment shall be maintained to ensure the continuity of the Company's critical business operations.


2. Specific management solutions
2-1. Access control should be implemented in important computer rooms, and regular inspections should be conducted to ensure that the equipment is functioning properly and has not been tampered with.
2-2. An account and password are required to log into the company's personal computers and systems, and passwords must be changed every three months. Users are also required to operate application systems within the authorized scope of their accounts. Important account permissions are audited annually to minimize the risk of data leaks. Accounts whose password has not been changed will be locked, and users must reapply for permissions through the "Information Permission Addition/Change Request Form".
2-3. Network firewalls and anti-virus software should be installed, and virus definitions should be updated regularly to ensure the security of information assets and their transmission.
2-4. Important information should be categorized and backed up regularly, and backup and recovery tests of computer system data should be conducted every year so that the impact on the company's operations after an information security incident can be minimized.
2-5. Information equipment should be inspected annually. When information equipment is replaced, the data on its storage media should first be erased by formatting, and the media should then be physically destroyed with a hammer or drilling device so that neither the storage media nor the data can be reused.
2-6. The Company shall review areas for further enhancement of information security management on an annual basis. In addition to improving equipment or management mechanisms, the Company should conduct further user education and training where necessary to reduce the likelihood of information security incidents.
2-7. We conduct quarterly social engineering drills to ensure that internal personnel are well prepared to respond appropriately to external malicious phishing email attacks and have an established reporting mechanism. Necessary educational training is also provided to employees who are unfamiliar with such attacks.
2-8. The Company has joined the cybersecurity alliance (TWCERT/CC) and regularly receives cybersecurity information.


3. Input resources for information and communication security management
3-1. Case Studies on Information Security and Information Security Awareness Promotion: 4 times in 2022 and 4 times in 2023.
3-2. Regular monthly cybersecurity meetings are held to develop action plans according to the cybersecurity prevention program. There were 12 meetings in 2022, and 10 meetings are scheduled for 2023.
3-3. Software Inventory: Establish a management system for software installations. Perform an inventory at least once a year to ensure the legal use of licensed software and to guard against malicious software.
3-4. Endpoint Protection: Check virus definition updates every 2 hours. Install endpoint monitoring agents to enhance system reliability.
3-5. Establish a firewall for protection against Distributed Denial of Service (DDoS) attacks and implement a control mechanism on the mail server to block large volumes of spam and viruses.
3-6. We have formulated a plan to introduce Managed Detection and Response (MDR) services, which is expected to be gradually implemented in 2024, with full deployment upon completion.
3-7. Common Vulnerabilities and Exposures (CVE) patching for servers: Regularly check for security update information, and perform a weekly check of Microsoft operating system updates.
3-8. Disaster Recovery: Establish dedicated backup servers and related software, and formulate data backup policies for core systems. The system has a cold standby mechanism.
3-9. Disaster Recovery (DR) Drills: Conduct DR drills for core systems twice a year.


4. Organizational structure for information security
The Company has established a dedicated information security unit with two members to hold quarterly ad hoc meetings to decide on matters related to the information security system and to establish the security responsibilities of the information security management structure. The unit also reports to the Board of Directors on the implementation of information security management on an annual basis.


5. Operations
Date reported to the Board of Directors in 2023: November 2, 2023
Operational situation by category:

Management Staffing
1. The company has set up an information security management team with two information security personnel responsible for the implementation of related operations, including system planning and establishment, management of personal computers and company network privileges, management of firewall/anti-virus software, data redundancy/backup planning and recovery exercises, etc.
2. In 2023, the security personnel received a total of 17.5 hours of training in ISO 27001 clause analysis and Zero Trust networking, compared to 12.5 hours of training in 2022.

Information security and control measures
1. Antivirus software has been installed and its licence was renewed for an additional three years in June 2022.
2. The network firewall model was upgraded to enhance protection against network attacks.
3. The email server has been configured with filtering mechanisms to prevent the spread of spam emails.
4. The system network operations are connected via MPLS VPN to prevent external malicious access. Multi-factor authentication for login protection has been added.
5. To log into company-configured personal computers, users are required to enter a username and password, and passwords must be changed every three months. Company systems likewise require a username and password, and access is subject to the permissions associated with the account. Passwords for system access must also be changed every three months; failure to change a password within the specified time frame results in an account lockout, and a request must be submitted to reactivate the account. Passwords must be at least 8 characters in length and include a combination of numbers and letters.
6. In January and July 2023, we completed ERP system permission audits. System data backup and recovery drills were conducted in October 2023.

Information Equipment Security
1. Important system hosts have been placed in professional server rooms, and access to them is restricted by access control.
2. A maintenance exercise has been carried out at each site this year to reduce the chance of equipment failure.
3. Important system data is scheduled to be backed up by the system at 01:00 daily and checked by information staff to confirm that the backup has completed.
4. We plan to complete a full system backup (including programs and data) in the first half of 2024, adhering to the 3-2-1 backup cybersecurity requirements.
5. We plan to implement endpoint protection and execute cybersecurity operations for threat detection and response in the first half of 2024.

Enhanced information security awareness
1. New recruits are required to sign the "Computer Use Regulations Agreement" to ensure that they fully understand the company's regulations on computer use, network management, software installation, etc.
2. New recruits fill in the "New Recruits Information Permission Request Form" with the assistance of the HR department contact. After confirmation by the personnel supervisor, human resources supervisor and information supervisor, information personnel set up the basic personal computer privileges on the day the new recruits report to work. The new recruits then fill in the "Application Form for New Information Privileges" according to their job requirements, and obtain other system privileges only after the departmental supervisor and the information supervisor have reviewed and confirmed the application.
3. We have completed cybersecurity awareness programs on ransomware prevention, security vulnerability mitigation and safe email usage, and we conduct these awareness programs regularly every quarter.
4. In the third quarter of this year, we conducted a social engineering drill. Apart from new employees, all department staff have raised their cybersecurity awareness: when receiving suspicious emails, they not only refrain from clicking on them but also immediately report them to the IT security department, collectively contributing to enhanced information security.
5. We continued to provide cybersecurity vulnerability prevention online courses for new employees in 2023. After the courses, online assessments are conducted, and all 22 new hires completed the training and passed the assessments. In 2022, 26 employees completed the same training.