Governance

Information security policy and management regulations

1. Purpose:

To strengthen information security management; to establish secure, reliable electronic operations platforms; to guarantee sustainable operations for data, system, internet, and related equipment; and to establish information management, exchange, and security control mechanisms, while also maintaining information security and operational efficiency, the Company's information security management policy is formulated.

2. Information security policy:

The information security management regulations, measures, standards, rules, codes of ethics, etc. established by the Company in order to achieve the goal of information security are the responsibility of the IT department. They are evaluated once per year, in order to guarantee the effectiveness of information security practices. In order to implement information security management, implementation operations are announced, on paper or electronically, to company employees, subsidiaries' employees, and suppliers who provide information services, for them to comply with.

2.1 Scope of information security management:

The Company's information security management covers six aspects of information security management, in order to avoid inappropriate use, disclosure, alteration, destruction, etc. due to human factors, malice, natural disasters, or other such causes resulting in risks and damage to the Company. The security management aspects are as follows:

  • Information security organization
  • Personnel security and management
  • Asset classification, control, and management
  • Physical and environmental security management
  • Communications and operations management
  • Access control

2.2 When Company personnel are found to have committed a violation, a personnel review committee is convened. Based on the severity of the violation, different degrees of punishment are imposed, e.g., warnings, admonitions, or demerits. Where the situation is severe, the employee is dismissed and related legal liabilities are pursued.

2.3 When violations by suppliers and external personnel are minor, a verbal warning is given and they are required to leave; where serious, further admittance is forbidden and related legal liabilities are pursued.

3. Information security organization and data classification:

3.1 The IT department is responsible for setting the Company's policies related to information security:

3.1.1 IT department responsibilities:

  • Responsible for establishing and reviewing the Company's information security policy planning, and for reporting such to the chairman for approval and implementation.
  • Performing risk assessments for all information security measures.
  • Overseeing information security management measures, and performing information security policy compliance reviews.

3.1.2 Units that implement information security:

3.1.2.1 Company as a whole:

  • IT department is responsible, along with the relevant units, for auditing all units' information security compliance.
  • IT department is responsible, in collaboration with business units, for implementing management and control of information system security.
  • Physical access controls are handled in accordance with the Door Access Management Regulations.

3.1.2.2 Outsourcing, third-party, and cooperating partners:

Handled in accordance with agreement content and the Company's information security operations.

3.2 Data classification and control:

3.2.1 The Confidential Document Classification and Management Regulations are used as the standard for how data is classified.

3.2.2 In accordance with data classification and risk assessment, a suite of data protection measures that meet requirements shall be established.

3.3 Changes in computer information permissions all require filling out a Computer Service Request Form. The form must then be sent in electronic form to the supervising unit for sign-off, after which the IT department assists in modifying the permissions.

4. Personnel security and management:

4.1 Work manuals and data allocation security:

4.1.1 Personnel who can access confidential/sensitive information or systems are distinguished in accordance with their job duties and positions.

4.2 User training:

4.2.1 Personnel must understand their work unit's information security policy.

4.2.2 Messages about information security may be announced at any time.

4.2.3 Personnel shall be occasionally sent to participate in externally-held trainings, review sessions, and product demonstrations.

4.3 Security and failure reporting and handling

4.3.1 When a data security incident occurs, it must be reported to IT department personnel, and handling and follow-up must be recorded.

5. Physical and environmental security management:

5.1 Scope of security

5.1.1 Management personnel must apply all necessary restrictions to, and monitoring of, the activities of all personnel entering or exiting server rooms, system operating areas, and other major locations.

5.1.2 Entering or exiting a server room requires filling out the Personnel Server Room Access Log in detail; in addition, personnel may enter a server room only when accompanied by IT personnel.

5.1.3 Accessible media must, in accordance with the retention regulations, be placed in secure environments.

5.1.4 Server room exteriors and interiors must be equipped with security cameras to monitor the server room exteriors/interiors and personnel coming and going; recordings must be stored a minimum of 30 days.

5.2 General control measures:

5.2.1 Portable computer equipment shall be equipped with rigorous protection measures, in order to prevent equipment from going missing and thus causing data leaks.

5.2.2 No information devices (including notebooks) carried by visitors may connect with the Company intranet without permission.

5.2.3 Management mechanisms shall be established to guarantee that all notebooks' and PCs' operating systems and virus pattern files stay constantly up to date.

6. Internet security and operational management:

6.1 Internet security planning operations:

6.1.1 Security control and management mechanisms shall be established for computer network systems, in order to guarantee network data transmission security, to protect network connections, and to prevent unauthorized system access.

6.1.2 Management of network users:

Authorized network users may access network resources only within the scope of their permissions. They shall not give their personal login credentials or passwords to others. Use of illegal or improper data that violates copyright or public morals, or that may impair the normal functioning of the network system, is forbidden.

6.1.3 Firewall security management:

The Company's network is divided into internal and external, publicly-accessible nodes. The firewall system and management/control mechanisms shall be regularly reviewed in terms of data security classifications, network equipment changes, and other circumstances, in order to respond to all types of emerging internet attacks.

6.1.4 Software download controls:

Software and data files downloaded from the internet may only be installed or run after it is confirmed that they are completely safe and do not infringe upon any intellectual property rights.

6.2 Server security:

6.2.1 Servers on which confidential or sensitive information is stored shall, in addition to the extant operating system security settings, have higher firewall or IDP protection in accordance with their security classification, to prevent illegal users from logging into the server and engaging in theft, destruction, etc.

6.2.2 For system servers that are responsible for critical operations, installation of highly reliable systems must be considered to avoid network attacks and interference.

6.3 Security management for email:

6.3.1 Email usage regulations shall be clearly specified in accordance with the information security policy.

6.3.2 Security management mechanisms shall be established for email, in order to reduce potential business and security risks brought by email.

6.4 Security management for internet usage:

6.4.1 The Company's externally-accessible information system shall have appropriate security protections and segregation, to avoid external actors directly entering the information system or databases and accessing information.

6.4.2 Potential security weak points due to new internet technologies shall be considered, and appropriate protection measures shall be taken to guarantee internal network security.

6.4.3 When applications running on a server need to receive user-submitted data, injected malicious commands and programs must be guarded against.

6.4.4 When the network cannot be used normally, backup network paths must be put in place to carry connections and maintain the continuity of communications.

6.4.5 Non-business-related internet activity shall be announced as forbidden, and shall be managed via application software.

6.5 Wireless networks:

6.5.1 Necessary security management mechanisms shall be added for use of wireless networks.

7. Access control:

7.1 User access management:

7.1.1 There shall be an application, management, and control process for review of user access permissions.

7.1.2 User registration records shall be maintained and kept up to date on a continuous basis, as follows:

7.1.2.1 The day after a user leaves their position, their user account(s) shall be closed, and periodic reviews shall be conducted to identify unused user accounts.

7.1.2.2 The Company shall enforce that users change their default passwords immediately upon first logging into a computer system.

7.1.2.3 Handling of lost passwords shall use a strict identity verification process.

7.1.3 Passwords must be changed every 90 days, in compliance with the regulated deadline.

7.1.4 Access shall be set appropriately in the firewall, in accordance with environmental and business needs.

7.1.5 Idle timeouts shall be set so that logged-in users are automatically logged out after a set period of inactivity.

7.1.6 A log file of system logins and usage shall be kept, and dedicated personnel shall periodically review whether there have been any abnormalities.

7.1.7 Vendor-set default passwords must be immediately changed upon installation of vendor-provided software.

7.1.8 High-risk applications must be limited in terms of connection requests.

7.1.9 Specific permission management shall be set for all departments with regard to network drives. When a permission changes, a Computer Service Request Form must be filled out. The form must then be sent in electronic form to the supervising unit for sign-off, after which the IT department assists in modifying the permissions.

7.1.10 Personal computers must activate their screensaver programs after 5 minutes of idle time. Dismissing the screensaver shall require entering the account password, in order to prevent computer data from being used by others without permission.

7.1.11 All computer systems' USB ports shall be enabled or disabled according to business needs, in order to prevent Company electronic data from being accessed via USB devices.
