
Information Security Management Plan

Cyber Security Management

Strengthen the company’s information security management, establish the principle that “information development is based on security, continuous operation and protection of business secrets”, ensure the confidentiality, integrity and availability of customer and company data processing, ensure that security is guaranteed throughout the entire data-processing process, and provide safe, stable and efficient information services that operate continuously.

The procedures apply to the security management of all company employees, contracted personnel, designated vendors, third-party personnel and all related information assets.


The operation content includes:

1. Information Assets Security Management.
2. Network Security Management.
3. Information Hardware Equipment Management.
4. Software Management and Maintenance.
5. Personnel Safety Management and Education Training.
6. Security Management of Network and Email Users.
7. Security Management of Information Outsourcing Services.
8. Physical and Environmental Safety Management.
9. Business Continuity Operation Plan Management.
10. Confidentiality and Audit of Information Data.
11. Destruction of Information Data.
12. Handling of Information Security Incidents and Confidential Leaks.

The Cyber security management framework:

  • The responsible unit of uPI’s cyber security is Information Tech Dept. The department has a dedicated information security supervisor and a professional information officer who are responsible for establishing the internal information security management procedures, planning and implementing the information security protection, ensuring the policy has been implemented, and reporting the implementation status regarding the information security to the Board of Directors each year, the latest report date was December 28, 2023.
  • The supervisory unit of uPI’s cyber security is the Audit Office. The office has an audit supervisor and a full-time auditor who are responsible for periodically or irregularly auditing the information security and risk controls of each department and submitting audit findings to the relevant department heads and management so that they are aware of the audit report. If a deficiency is discovered, the audited unit must propose an improvement plan and specific measures, and the effectiveness of the improvement is tracked regularly to reduce internal cyber security risks.
  • The organization’s operational model adopts periodic auditing and cyclical management to ensure the achievement of goals and continuous improvement.


Specific management measures for cyber security include:

  • All information systems are protected with passwords and access rights, and have security detection and prevention software installed to detect and prevent harm from computer malware or malicious behavior and to ensure normal operation of the system.
  • Employees are strictly prohibited from using illegal or unauthorized software; relevant software installation shall be assisted by the Information Tech Dep. after obtaining the consent of the supervisor with approval authority.
  • Employees, manufacturing partners, and subcontractors should sign relevant confidential documents to ensure that those who use the Company’s information to provide information services or perform related information businesses have the responsibility and obligation to protect the information assets they obtain or use from the Company, so as to protect against unauthorized access, tampering, destruction, or improper disclosure.
  • Important information systems or equipment should have appropriate redundancy (backup) or monitoring mechanisms in place and regular drills should be performed to maintain their availability.
  • Employee accounts, passwords, and permissions should be kept and used responsibly, and passwords must be changed regularly in accordance with regulations.
  • Establish a regular inventory of information assets, conduct risk management in accordance with information security risk evaluations, and implement various control measures.
  • Formulate response methods for information security incidents to properly deal with information security incidents in real time and avoid further damage.
  • Intermittently publicize information security issues and recent information security incidents to all employees of the Company through internal emails.
  • New employees must complete an Introductory Course on Information Systems and Information Security and post-course testing to ensure they understand the Company’s information security policies.
  • Every quarter, the Information Tech Dep. conducts computer checks on new and current colleagues who have completed three months of employment to ensure that there is no improper downloading or use of files or trade secrets owned by previous employers or competitors.

Implementation status in 2023 and expected projects:

System Implementation and System Security

Purpose
  • Company Continuity Operation Policy and Risk Management.
  • Prevention of hackers and damages from virus intrusions.
  • Protect the company’s network so that operations run smoothly.
Execution items
  • Implementation of ISO 27001 System.
  • Audit Operation for DC Account Auditing System.
  • Intrusion Detection for Proactive Endpoint in EDR.
  • Antivirus Software Endpoint Protection.
Implementation Status
  • The document publication and internal audits for the implementation of the ISO 27001 Information Security Management System have been completed by the end of November 2023, the external audit is scheduled to be conducted in January 2024.
  • The system that detects external probing of privileged accounts detected 40 attempts, resulting in zero cybersecurity incidents due to probing of privileged accounts.
  • The antivirus system identified computer viruses 293 times, and there were no security incidents caused by system infections on end-user devices.
  • There were zero interruptions due to hackers and virus intrusions to the Company’s information equipment and system.

Security management of email

Purpose
  • Protect company trade secrets from leakage by Email.
  • Prevent external threat emails from causing damage to the company's operations.
Execution items
  • The company continuously conducts audits and reviews of outgoing emails using the MAILDLP system.
  • A mail threat protection system is employed to defend against conventional threats and virus-laden emails.
  • An advanced email protection mechanism, the ADM Email Protection System, is utilized to guard against non-traditional threats such as malicious attachments and business email compromise threats.
Implementation Status
  • No major incidents of leakage of company secrets through sending e-mails have been discovered.
  • The email threat protection system identified 5,770 threatening emails and 530 virus-laden emails; however, there were zero instances of cybersecurity impact on the company due to these threatening emails.
  • The ADM email protection system identified 127 commercial fraud emails, and the Company found 0 cases of information security effects due to commercial fraud.

Disaster recovery and emergency procedures

Purpose
  • Optimize and improve the existing backup mechanism of R&D data.
  • Conduct risk controls for critical systems for the purpose of strengthening company’s continuity operation strategy.
Execution items
  • Introduce professional backup software for the OA system to enhance and shorten critical data recovery time.
  • Conduct recovery drills for the company's essential ERP system.
Implementation Status
  • After the successful implementation of Commvault professional backup software for the OA system, the complete data backup time has been reduced from 3 days to 19 hours (using the company's important file server data as an example). Additionally, the company's off-site backup mechanism has transitioned from tape backups to off-site backup via VPN to the Taipei office. The potential data loss window for all critical server data, such as AD, file servers, and ERP systems, has been reduced from one month to 1 day.
  • The company's vital ERP system has successfully conducted a recovery drill within the specified 6 hours of ISO 27001 standards, and a report has been generated documenting the successful exercise.

Information security protection and information exchanged

Purpose
  • Strengthen employees’ overall information security awareness.
  • Prevent the occurrence of information security incidents through intelligence from external organizations and information exchange.
Execution items
  • Conduct regular information security dissemination and audits.
  • Join ASUS Group's Information Security Joint Defense and TW Information Security Incident Reporting Organization.
Implementation Status
  • Disseminated information security policies and regulations, information security awareness, and anti-phishing web pages 7 times.
  • Held the information security education training course for new employees 15 times, and conducted the computer audit each quarter.
  • Participated in ASUS Group’s Information Security Lectures 4 times.
  • Regularly received security information from the TWCERT/CC organization.

Expected project

  • ISO 27001 certification
  • Continuously strengthen the security of company information systems
  • Promulgate information security cases and the information security policy
  • Security vulnerability scanning and penetration testing
  • Exchange upgrade
  • File server system DR backup