Information Security Management Plan
Cyber Security Management
Strengthen the company’s information security management and establish the principle that “information development is based on security, continuous operation and the protection of business secrets”. Ensure the confidentiality, integrity and availability of customer and company data processing, guarantee the security of the company’s data processing throughout the entire process, and provide safe, stable and efficient information services that operate continuously.
These procedures apply to the security management of all company employees, hired personnel, designated vendors, third-party personnel and all related information assets.
The operation content includes:
1. Information assets security management.
2. Network security management.
3. Information hardware equipment management.
4. Software management and maintenance.
5. Personnel security management and education training.
6. Security management of network and email users.
7. Security management of information outsourcing services.
8. Physical and environmental security management.
9. Business continuity operation plan management.
10. Confidentiality and audit of information data.
11. Destruction of information data.
12. Handling of information security incidents and confidential leaks.
The cyber security management framework:
- The unit responsible for uPI’s cyber security is the Information Tech Dept. The department has a dedicated information security supervisor and a professional information officer who are responsible for establishing the internal information security management procedures, planning and implementing information security protection, ensuring that the policy is implemented, and reporting the implementation status of information security to the Board of Directors each year; the latest report date was December 28, 2023.
- The unit supervising uPI’s cyber security is the Audit Office. The department has an audit supervisor and a full-time auditor who periodically or irregularly audit the information security and risk control of each department and submit audit findings to the relevant department heads and management so that they are aware of the audit report. If a deficiency is discovered, the audited unit must propose an improvement plan and specific measures, and the effectiveness of the improvement is traced regularly to reduce internal cyber security risks.
- The organization’s operational model adopts periodic auditing and cyclical management to ensure the achievement of goals and continuous improvement.
Specific management measures for cyber security include:
- All information systems are protected with passwords and access rights, and security detection and prevention software is installed to detect and prevent harm from computer malware or malicious behavior and to ensure the normal operation of the system.
- Employees are strictly prohibited from using illegal or unauthorized software; any software installation shall be assisted by the Information Tech Dept. after obtaining the consent of the supervisor with verification authority.
- Employees, manufacturing partners, and subcontractors should sign relevant confidential documents to ensure that those who use the Company’s information to provide information services or perform related information businesses have the responsibility and obligation to protect the information assets they obtain or use from the Company, so as to protect against unauthorized access, tampering, destruction, or improper disclosure.
- Important information systems or equipment should have appropriate redundancy (backup) or monitoring mechanisms in place and regular drills should be performed to maintain their availability.
- Employee accounts, passwords, and permissions should be kept and used responsibly, and passwords must be changed regularly as regulated.
- Establish a regular inventory of information assets, conduct risk management in accordance with information security risk evaluations, and implement various control measures.
- Formulate response methods for information security incidents to properly deal with information security incidents in real time and avoid further damage.
- From time to time, publicize information security issues and recent information security incidents to all employees of the Company through internal emails.
- New employees must complete an Introductory Course on Information Systems and Information Security and post-course testing to ensure they understand the Company’s information security policies.
- Every quarter, the Information Tech Dept. conducts computer checks on new and current colleagues who have completed three months of employment to ensure that there is no improper downloading or use of files or trade secrets owned by previous employers or competitors.
Implementation status in 2023 and expected projects:
The 2023 implementation status was reported in four areas, each tracked by purpose, execution items and implementation status (table contents not available in this extract):
- System implementation and system security
- Security management of email
- Disaster recovery and emergency procedures
- Information security protection and information exchange
Expected projects
- ISO 27001 verification
- Continuously strengthen the security of company information systems
- Promulgate information communication cases and the information security policy
- Security vulnerability scanning and penetration testing
- Exchange upgrade
- File server system DR backup