Information and Cyber Security Risk Management Framework

The Company has had an Information Security Office since September 1, 2022, with a dedicated supervisor (division director) and a dedicated information security specialist. The President/CEO (the former Chief Operating Officer) serves as the convener of the information and cyber security management team. In addition to the Information Security Office, the team includes the MIS Center, the Internal Audit Office, the HR Office, the Legal Office, and the Independent Fair Executives (management levels of various business divisions and functional units) with the relevant expertise and knowledge. The team is responsible for coordinating, planning, executing and analyzing information and cyber security incidents, and for evaluating information and cyber security policies at least once a year.



  1. The Information Security Office is responsible for establishing the Company's information security policies, strategies and projects, and proposing information security sustainability plans, loss prevention and fraud prevention, and privacy protection to protect employees, information assets and technology.
  2. The MIS Center and the Legal Office cooperate with the policies, strategies and projects proposed by the Information Security Office, and are responsible for handling information security related plans, measures and technical specifications, as well as research, construction and evaluation of security technologies.
  3. The HR office is in charge of the employment security assessment.
  4. The Internal Audit office shall work with the Information Security Office, MIS Center, and related units to take charge of the maintenance of information confidentiality and management matters for audit use.
  5. The Legal Office is responsible for the review of the project contract, and provides timely publicity, training and education on the laws and regulations of information ethics, including but not limited to privacy, accuracy, property, and accessibility.
  6. The Independent Fair Executives (management level of various divisions and functional units) shall be in charge of researching the security needs of data, information and cyber systems, and the access management and protection thereof, as well as authorization recommendations, assessment and management of personnel who can use confidential and sensitive data.

Information and Cyber Security Policy

The information and cyber security policy is intended to maintain the regular operation of the Company without violating local regulations, ethics and cultural norms. It adopts necessary and cost-effective management, controls risks within an acceptable level, and uses safety protection means, measures or mechanisms, such as operation control and technology tools, to protect the Company's information assets from any unfair use, disclosure, tampering, theft or destruction. In the event of emergencies, such as malicious attacks, destruction or unfair use, the Company takes the necessary responsive actions promptly, recovers normal operations immediately, and mitigates the damage caused by an incident that can potentially affect and compromise the Company's operations. For details, please refer to the "Information and Cyber Security Policy and Management Regulations" published on the Company's official website.

Information and Cyber Security Management

The "Information and Cyber Security Policy and Management Measures" promulgated by the Company covers the following management aspects:

  1. Enactment of and evaluation on the information and cyber security policy
  2. Information and cyber organization and responsibilities
  3. Classification of and control over information assets
  4. Personnel safety management
  5. Tangible and environmental security management
  6. Communication and operating management
  7. Access control
  8. System development and maintenance
  9. Continuing operation management
  10. Information and cyber security policy compliance testing.

Education and Training for Information and Cyber Security Supervisor and Dedicated Personnel in 2023

Organizer: Taiwan Corporate Governance Association
Name of Course/Activity: Practical Aspects of Information Security Governance: Analysis of Key Management Issues
  1. International Trends in Information Security Governance
  2. Key Performance Indicators in Information Security
  3. Information Security Management Dashboard
  4. Industrial Control System Security Management
  5. Innovative Perspectives on Information Security
Date: 2023/02/07
Hours: 3
Participant:
  1. SHIA, CHIEN-CHUNG (@Steve Shia) (Director of Information Security Office)
  2. LIN, YI-MIN (@Vincent Lin) (Deputy Manager of Information Security Office)
Certificate:
  1. Taiwan Corporate Governance Association Training Certificate - TCGA11200070
  2. Taiwan Corporate Governance Association Training Certificate - TCGA11200071

Organizer: iSpan International Inc.
Name of Course/Activity: SSCP (Systems Security Certified Practitioner) Training Course
  1. Fundamentals of Information Security
  2. Access Control and Authorization
  3. Identity Authentication
  4. Management Practices and Security Operations
  5. Risk Identification, Monitoring, and Analysis
  6. Information Security Incident Response and Recovery
  7. Business Continuity and Disaster Recovery Planning
  8. Cryptography
  9. Network and Communications Security
  10. Network Security Defense Techniques
  11. Cloud Computing and Virtualization Security
  12. Network Attacks and Malicious Code
Date: 2023/08/19~20, 2023/08/26~27
Hours: 30
Participant: SHIA, CHIEN-CHUNG (@Steve Shia) (Director of Information Security Office)
Certificate: iSpan International Inc. Achieving Certificate - 112-SE200685

Organizer: Information Service Industry Association of R.O.C.
Name of Course/Activity: Practical Course on Cyber Warfare Techniques: Principles and Practices of DDoS Attacks
  1. Definition of DoS & DDoS
  2. DoS/DDoS Attack Architecture and Methods
  3. Defense Mechanisms and Improvement Measures for DoS/DDoS
  4. Black Market Industry and Case Studies of DoS/DDoS
  5. Sharing of IoT Security Issues
Date: 2023/11/23
Hours: 3
Participant: SHIA, CHIEN-CHUNG (@Steve Shia) (Director of Information Security Office)
Certificate: Information Service Industry Association of R.O.C. Achieving Certificate - 11226006

Procedures of Information and Cyber Security Incident Notification



In 2022 and 2023, the Company did not incur any losses or experience any impact on operations, reputation, etc., due to significant cybersecurity incidents. The report on cybersecurity risk management for 2023 was submitted to the Sustainable Development Committee and the Board of Directors on January 31, 2024, as detailed in the attached