Cybersecurity Management
Cybersecurity Risk Management Framework
- To improve cybersecurity management, the Company has appointed the head of the Management Department as the officer dedicated to cybersecurity, responsible for the governance, planning, supervision and implementation of cybersecurity across departments within the Group.
- The Company’s Internal Audit Office serves as the unit supervising cybersecurity. The Office appoints dedicated internal auditors responsible for supervising the status of internal information security implementation. When an audit finds a deficiency, the inspected unit is asked to propose related improvement plans and specific actions immediately. The Office also follows up on the improvement results to mitigate internal information security risk.
- The unit dedicated to cybersecurity regularly communicates related regulations and suggestions at the management meeting so that the cybersecurity inspection system remains stable, and reports on cybersecurity governance and results to the Board of Directors regularly each year.
Cybersecurity Policy
- Follow the cybersecurity management regulations adopted pursuant to laws and regulations, and provide adequate protection measures for the Company’s cybersecurity assets to ensure their confidentiality, integrity, availability and legal compliance.
- Ensure the confidentiality, integrity and availability of the information assets in the Company’s custody to guarantee the safety of the Company’s operational data and files.
- Regularly assess the impact of man-made and natural disasters on the Company's cybersecurity, and adopt disaster prevention measures and disaster recovery plans for important cybersecurity assets and critical businesses to ensure the Company’s business continuity.
Specific Cybersecurity Management Program
- Computer system and network security management: The Company deploys a firewall and establishes the foundation of an appropriate network security system to provide the necessary monitoring and filtering of traffic and effective protection against cyberattacks. Anti-virus software is installed on each computer.
- Personnel management and training: The information security unit conducts an information security promotional activity by mail once a quarter and posts it on the intranet, where colleagues can access it at any time, in order to strengthen employees' crisis awareness regarding information security. (In 2014, a total of 3 promotional activities were carried out via mail.) The Company arranges an "information security training" course for new employees during their orientation training, and has the information security unit set up an account and password for each new employee, usable only by that employee, with individual permissions governing the internal databases the employee can access.
- Information asset security management: The information security unit takes an inventory of the software throughout the Company and records it once every six months.
- Maintenance of normal operation: The information security unit checks the completeness of information security equipment and systems, such as NAS (backup system), firewall and computer rooms, on a daily basis.
Resources invested in cybersecurity management
- Appoint one staff member dedicated to information security.
- Set up an on-premises NAS backup system.
- Set up a cloud backup mechanism.