Information security risk management
Introduction
The Company’s responsible unit for information security is the Business Management Center, which is led by the Assistant President. The Information Management Department, which consists of an IT executive and several IT engineers, is a unit under the Business Management Center. It is in charge of formulating the Company’s information security policy, planning information security measures, and implementing information security operations.
The organization adopts PDCA (Plan-Do-Check-Act) cycle management to ensure that the goals are achieved and improved upon on an ongoing basis.
 
 
Information security management goals
1. Maintain physical environment security and the uninterrupted operation of various information systems
2. Prevent hacker/virus intrusion and sabotage
3. Prevent unauthorized and illegal use
4. Prepare for contingencies to facilitate quick recovery from a disaster
 
Information security facilities and management methods
1. Computer equipment security management
1.1 The Company is equipped with a dedicated data center to accommodate application servers and storage servers. Only authorized personnel may access the data center, which is protected by an access control card reader, and all entries and exits are logged.
1.2 The data center has an independent AC system to maintain the computer equipment at an ideal operating temperature. CO2 fire extinguishers are installed to put out general or electrical fires.
1.3 The data center is equipped with a UPS and voltage stabilizer, and it is hooked up to the Company’s power generator and power supply system to prevent system malfunction due to a sudden Taiwan Power Company blackout. This also ensures that the computer application systems will not be interrupted in the event of a blackout.
 
2. Network security management
2.1 The portal linking to external networks is equipped with enterprise firewalls to prevent hacker intrusion.
2.2 The Taiwan plant and the Ningbo plant are linked via a site-to-site VPN, where data encryption is implemented to prevent unauthorized interception of data during transmission.
2.3 Colleagues logging into the Company’s intranet must first apply for a VPN account before they are granted access, and their log-in records are stored for auditing purposes.
2.4 An Internet access management and screening system is in place to control Internet access and prevent employees from visiting harmful or prohibited websites or content, thereby bolstering network security and inhibiting the inappropriate use of bandwidth resources.
 
3. Virus protection and management
3.1 The servers and terminals are equipped with endpoint protection software, whose anti-virus database is automatically updated to stop the latest viruses. The software can also detect and prevent the installation of potentially hazardous executable files.
3.2 The email server is equipped with an email anti-virus and junk mail screening mechanism to prevent viruses or junk mail from reaching the user end.
 
4. System access control
4.1 Our colleagues must apply for system authorization according to the Company’s internal regulations to use various application systems. After approval is received from the direct supervisor, the IT unit will create a system account, and the respective system managers can allow the user to access various functions depending on the clearance granted.
4.2 To receive approval, the account password must comply with the regulations on strength, number of characters, and use of upper/lower case, numbers, and special characters.
4.3 When colleagues submit their resignations, they must contact the IT unit to have their various system accounts suspended.
 
5. Ensuring the system’s sustainability
5.1 System backup: An off-site backup system has been implemented. Daily backups are made and sent to 2 plants regularly, while another copy is stored in the data center to ensure system and data security.
5.2 Disaster recovery drill: A drill is conducted for the ERP system every 6 months. A system restore date is selected and the backed-up media is restored to the system mainframe to verify the correctness of the restored data. The purpose is to ensure the correctness and validity of the backup system.
5.3 Two data links are leased from the carrier. The bandwidth management system is utilized to combine them into parallel links that can back each other up to ensure uninterrupted network communication.