
Information Security Management Plan

Cyber Security Management

Strengthen the company's information security management and establish the principle that "information development is based on security, continuous operation and the protection of business secrets". Ensure the confidentiality, integrity and availability of customer and company data throughout the entire processing lifecycle, so that the company can provide safe, stable and efficient information services that operate continuously.

These procedures apply to the security management of all company employees, contract personnel, contracted vendors, third-party personnel and all related information assets.


The operational scope includes:

1. Information assets security management.
2. Network security management.
3. Information hardware equipment management.
4. Software management and maintenance.
5. Personnel security management and education and training.
6. Security management of network, email and social media users.
7. Security management of outsourced information services.
8. Physical and environmental security management.
9. Business continuity operation plan management.
10. Confidentiality and audit of information data.
11. Destruction of information data.
12. Handling of information security incidents and confidentiality leaks.

The Cyber security management framework:

  • The unit responsible for uPI's cyber security is the Information Tech Dept. The department has a dedicated information security supervisor and a professional information security officer who are responsible for establishing the internal information security management procedures, planning and implementing information security protection, ensuring that the policy is implemented, and reporting the implementation status of information security to the Board of Directors each year; the latest report date was December 26, 2024.
  • The unit supervising uPI's cyber security is the Audit Office. The office has an audit supervisor and a full-time auditor who periodically or irregularly audit the information security and risk controls of each department and submit audit findings to the relevant department heads and management. If a deficiency is discovered, the audited unit must propose an improvement plan and specific measures, and the effectiveness of the improvement is tracked regularly to reduce internal cyber security risks.
  • The organization's operational model adopts periodic auditing and cyclical management to ensure that goals are achieved and improvement is continuous.


Specific management measures for cyber security include:

  • All information systems are protected by passwords and access rights, and security detection and prevention software is installed to detect and prevent harm from computer malware or malicious behavior and to ensure the normal operation of the system.
  • Employees are strictly prohibited from using illegal or unauthorized software. Software installation is performed with the assistance of the Information Tech Dept. after the consent of the approving supervisor has been obtained.
  • Employees, manufacturing partners, and subcontractors must sign the relevant confidentiality documents to ensure that anyone who uses the Company's information to provide information services or perform related information business has the responsibility and obligation to protect the information assets they obtain or use from the Company against unauthorized access, tampering, destruction, or improper disclosure.
  • Important information systems or equipment must have appropriate redundancy (backup) or monitoring mechanisms in place, and regular drills are performed to maintain their availability.
  • Employee accounts, passwords, and permissions must be kept and used responsibly, and passwords must be changed regularly as required by regulation.
  • Maintain a regular inventory of information assets, conduct risk management in accordance with information security risk evaluations, and implement the corresponding control measures.
  • Formulate response procedures for information security incidents so that incidents are handled properly and in real time and further damage is avoided.
  • Periodically publicize information security issues and recent information security incidents to all employees of the Company through internal emails.
  • New employees must complete an Introductory Course on Information Systems and Information Security, including a post-course test, to ensure that they understand the Company's information security policies.
  • Every quarter, the Information Tech Dept. conducts computer checks on new and current colleagues who have completed three months of employment to ensure that there has been no improper downloading or use of files or trade secrets owned by previous employers or competitors.

Implementation status in 2023 and expected projects:

System Implementation and System Security

Purpose
  • Continuity operation policy and risk management for the Company and its subsidiaries.
  • Prevention of hackers and of damage from virus intrusions.
  • Protection of the company's network so that operations run smoothly.
Execution items
  • ISO 27001 System Verification.
  • Effectiveness of the network security risk assessment platform, SecurityScorecardDC.
  • Firewall replacement for the Japanese subsidiary.
  • Audit operations of DC account auditing system.
  • EDR (Endpoint Detection and Response) proactive endpoint intrusion detection.
  • Antivirus software endpoint protection.
Implementation Status
  • In January 2024, we successfully passed the ISO 27001 external verification by SGS and received the certification, marking the Company's commitment and efforts in information security management.
  • The Company achieved a score of 95 on SecurityScorecard, indicating a strong network security posture, reflecting our efforts in cybersecurity protection and risk management.
  • The Japan branch replaced the Layer 7 firewall to enhance application layer detection, threat protection, and traffic management. This upgrade simplifies operations and maintenance, strengthens system security, reduces risks, and improves system stability and operational efficiency.
  • 13 external privileged account probing attempts were detected, with zero cybersecurity incidents resulting from privileged account probing.
  • Antivirus software detected 547 instances of computer viruses, and the EDR zero-trust protection system identified 128 medium-risk or higher incidents; however, there were zero cybersecurity incidents caused by system infections on client devices.
  • There were zero interruptions of the company's information equipment and systems due to hackers or virus intrusions.

Security management of email

Purpose
  • Protect the company’s and its Subsidiaries’ trade secrets from being leaked via email.
  • Prevent external threat emails from causing damage to the company's operations.
Execution items
  • Exchange Upgrade
  • Use the MAILDLP system to continuously audit and review outbound company emails.
  • Implement an email threat protection system to guard against traditional threats and virus-infected emails.
  • Utilize advanced email protection mechanisms (ADM Email Protection System) to protect against non-traditional threats such as malicious attachments and business email compromise (BEC) threats.
Implementation Status
  • Upgrading to Exchange 2019 has enhanced security, performance, and availability, providing a modernized user experience, strengthened mobile support, improved compliance features, simplified management processes, and overall increased efficiency and stability of the email system.
  • No significant incidents of company confidential information being leaked through outbound emails have been identified.
  • The email threat protection system identified 2,677 threat emails and 260 virus-infected emails, with zero cybersecurity incidents caused by threat emails.
  • The ADM email protection system identified 6 business email compromise (BEC) emails, with zero cybersecurity incidents caused by business email scams.

Disaster recovery and emergency procedures

Purpose
  • Optimize and improve the existing backup mechanism of R&D data.
  • Conduct risk controls for critical systems for the purpose of strengthening company’s continuity operation strategy.
Execution items
  • File server system backup.
  • Conduct AD virtual server disaster recovery drills.
  • Perform recovery drills for the company's critical EFGP system.
Implementation Status
  • File server backup: this year, we will use Robocopy to synchronize data from the new file server to the old server, enhancing the system's backup capabilities, ensuring data security, and reducing disaster recovery time.
  • The IT department successfully completed the AD server recovery drill within 6 hours, effectively ensuring business continuity and strengthening disaster response capabilities.
  • The IT department successfully completed the EFGP system recovery drill within 8 hours, improving system stability and reducing the potential risk of business disruption.

Information security protection and information exchange

Purpose
  • Enhance overall cybersecurity awareness among employees, including those of subsidiaries.
  • Prevent cybersecurity incidents through external threat intelligence sharing.
Execution items
  • Conduct regular cybersecurity awareness campaigns and audits.
  • Regularly receive and confirm: ASUS Group cybersecurity collaboration and Taiwan cybersecurity incident reports.
Implementation Status
  • A total of four cybersecurity awareness sessions were held, covering topics such as cybersecurity policies, regulations, awareness, and phishing prevention.
  • 13 new-employee cybersecurity training sessions were conducted, along with quarterly computer audits.
  • Three ASUS Group cybersecurity seminars were attended.
  • Regularly received critical cybersecurity intelligence from TWCERT/CC.

Expected project

  • ISO 27001 Reassessment.
  • Continuously strengthen the security of the company’s information systems.
  • Promote information security case studies and communicate cybersecurity policies.
  • Cybersecurity vulnerability penetration testing and scanning.
  • New purchase of a firewall for the headquarters (replacement of old equipment).
  • Replacement of backbone network switches at the headquarters.
  • Upgrade of hardware for the headquarters’ spam filtering system.