律勝科技股份有限公司

Information Security

Information security risk assessment analysis and its response measures

Our company maintains an unwavering attitude towards information security, with the information department establishing strict cybersecurity procedures. To enhance information security management, an information security management team was established in November 2020, responsible for overseeing the operation of cybersecurity management and regularly reporting to the auditing unit. In accordance with relevant laws and regulations and the company's operational needs, the "Information Security Management Measures" have been formulated for all employees to follow.


Information Security Policy

Our company's information security management mechanisms mainly include technology utilization, data confidentiality, personnel training, and legal compliance.

1. Technology utilization: Timely vulnerability scanning of network equipment, servers, and terminals is conducted, followed by patching operations to implement cybersecurity management measures.

2. Data confidentiality: The company has introduced a document encryption mechanism, using a tiered document permission system to prevent sensitive data from being easily leaked.

3. Personnel training: All new employees must participate in information security education and training to establish the concept that "information security is everyone's responsibility." The cybersecurity team also periodically sends internal educational emails to all colleagues and promotes cybersecurity precautions based on the latest cybersecurity situation, enhancing and strengthening personnel's awareness of cybersecurity.

4. Legal compliance: The company has established multiple relevant cybersecurity regulations and systems to regulate the information security behavior of company personnel and provide appropriate protection measures for the company's information assets.


Evaluate the extent to which information security risks may adversely affect business operations and plan controls for information security checks:

1. Transfer the information system service to the cloud server room.

2. Install anti-virus software. 

3. Set up network firewall. 

4. E-mail management control. 

5. Security control of files and equipment.

Our company has included information security inspection operations as an annual audit item, with the audit unit conducting at least one audit per year. Up until the most recent annual report printing date, there have been no significant cybersecurity incidents affecting the company's operations. Our company reported the status of information security implementation to the Board of Directors on March 3, 2023.


Response measures:

(1) We have dedicated personnel to handle matters related to information system security prevention and crisis management to prevent computer network crimes and crises and maintain system security.

(2) We educate employees on the proper use of legal software, promote awareness of the threat of computer viruses, and further raise employees' awareness of information security.


2023 Information Security Implementation Status Report:


Item

Content

Implementation Status

Information Security Policy and Objective Setting

Establishment and Approval of Information Security Policy

This policy was approved by the General Manager and passed by the Board of Directors, established on July 29, 2022.

Setting of Information Security Objectives

Already set in the "Information Security Policy."

Promotion of Information Security Policy and Objectives

Conducted the promotion of Information Security Policy and Objectives on February 14, 2023.

Regular Review of Information Security Policy and Objectives

Conducted quarterly. For this quarter, the review was completed on January 11, 2023.

Dedicated Personnel Allocation

Dedicated Personnel Allocation

Our company currently has designated positions for an "Information Security Director" and "Information Security Staff".

Information and Communication Security Education and Training

Regulations Employees Must Follow

(1) Computer data and equipment must not be arbitrarily damaged, taken out, lent, or improperly modified to maintain data integrity.

(2) Prohibition of using unlicensed software.

(3) After accessing the mainframe, if the operation is completed or the machine is not used for a long time, users should log out to prevent data leakage, destruction by others, or causing the machine to crash.

(4) When leaving the company or during the handover of old and new duties, the information department should evaluate the relevance of the data for appropriate handling.

(5) If computer equipment is not functioning properly, users should immediately notify the information department for inspection or repair.

Information and Communication Security Education and Training Requirements

New employees are required to sign a confidentiality agreement and undergo information and communication security education and training.

Conducting Information and Communication Security Education and Training

Information and communication security education and training was conducted on February 3, 2023.

Information and Communication Security and Information Personnel

1. Registered for the course "Audit Control Practices for Information Security by Internal Auditors" on July 8, 2022.

2. Participated in the "2022 Information Security Promotion Seminar for Listed and OTC Companies" held by the Over-the-Counter Exchange on November 11, 2022.

Internal and External Audit

Internal Audit

Our company's audit department serves as the checking unit for information security supervision. Internal audits have been conducted in accordance with regulations on relevant internal control procedures to reduce internal information security risks.

External Audit

An external audit was conducted from December 14 to December 16, 2022, by PwC Computer Auditing, to comprehensively inspect the company's information security and ensure the integrity of information security.

Concrete Information Security Management Plans

Antivirus Software

Our company's computers are uniformly equipped with antivirus software. Regular updates of virus definitions and timely checks for website and software security are ensured.

Email Control

The email security protection system includes spam filtering, malicious email detection, and outbound email auditing, among other management functions, enhancing overall email information security.

Firewall

Internet usage is restricted through firewall network policies, controlling the company's external network and prohibiting employees from accessing non-work-related cloud storage, social networking sites, instant messaging, and other external services.
System Access Control

1. The principle of least privilege is adopted to manage internal system and data access rights. Personnel cannot use unauthorized system functions or view system data not required for their duties.

2. Software installations require manager accounts to ensure compliance with company software licenses and reduce the risk of viruses and backdoors.

3. User passwords must adhere to security principles, with requirements for length and complexity, and users are required to change their system passwords regularly.

Document Encryption System

1. Documents must go through the audit process for decryption before they can be sent out or printed, limiting file access after document leakage.

2. Company USB data control. Employees can only use company assets and registered USB drives, preventing the use of personal storage devices to secure company confidential information.

Data Backup

Information systems establish corresponding backup and contingency mechanisms and off-site backup measures based on their importance. Disaster recovery drills are conducted annually to ensure the normal operation of backup mechanisms.