Cyber security management

Date:2023/12/27

The objective is to strengthen information security management, ensuring the confidentiality, integrity, and availability of information assets, to provide an information security environment that enables the continuous operation of information-related business activities. This includes compliance with relevant laws, regulations, and contractual obligations to protect against intentional or unintentional threats from internal or external sources.


  Organization and Responsibilities

  • Structure of cyber security management

    [Figure: Information security organization chart]
  • Authorities and responsibilities
    The Chief Information Security Officer is appointed by the board of directors to coordinate and discuss matters such as the management system for information security and the allocation of resources. The Information Security and Personal Information Management Promotion Team is appointed by the heads of the top-level units and is responsible for establishing, implementing and maintaining the standards and systems for information security and personal information protection.
  1. The promotion team is appointed, and its members for information security and personal information management announced, pursuant to the procedures for appointing the promotion team for management and review.
  2. Responsibilities of ISMS members in management posts
    (1). Board of Directors
    1. Appointment and dismissal of Chief Information Security Officer.

    (2). President
    1. Allocate the organizational responsibilities and resources.
    2. Approve and promulgate the Company's information security policy.

    (3). Chief Information Security Officer (collectively referred to as management representatives) / heads of units
    1. Convene and chair management review meetings and report results to the top management.
    2. Ensure that the ISMS is established, amended and functioning properly pursuant to the ISO 27001 policy.
    3. Promote the approval of the ISMS system objectives and ensure the establishment of the review framework.
    4. Resource acquisition, allocation, coordination and supervision of ISMS management system related affairs.

    (4). Process Management Committee (Division-level officer of each unit)
    1. Implement the information security management system at all levels of the organization.
    2. Review, implement, and maintain the procedures and documents for the information security management system.
    3. Internal audit control and follow-up review.

    (5). Information Security and Personal Information Management Promotion Team
    1. Establishment, implementation, and maintenance of the procedures and documents for the information security management system.
    2. Define and update the relevant laws and regulations.
    3. Amend the Statement of Applicability for information security.
    4. Implement the information security management system for colleagues in the same unit.
    5. In charge of the processes of information asset inventory, risk assessment, risk treatment, and residual risk treatment.
    6. Implement risk treatment measures and secure resources for risk treatment measures.
    7. Plan, execute and maintain the emergency contingencies and disaster recovery.
    8. Responsible for reporting information security incident and incident emergency contingencies.
    9. In charge of the continuous improvement, corrective and preventive measures of information security incidents.
    10. Responsible for the formulation, amendment and maintenance of the continuing operation plans.
    11. Information security incident management, including network, website, data center and other matters affecting business operations.

    (6). Internal auditors
    1. Appropriate information security auditors shall be assigned pursuant to the education and training management procedures, and ISMS audit planning and execution shall comply with the internal quality audit procedures.

    (7). Quality assurance section
    1. Responsible for activities related to the document control center.
    2. Establishment, implementation, and maintenance of the procedures and documents for the information security management system.
    3. Lead, plan and execute internal and external audits and continuous improvement activities for processes.


  Information security policy

Maintain the confidentiality, integrity and availability of information assets, and comply with all information security related laws, decrees, regulations and contractual obligations, as well as any other applicable security requirements.


  Mobile device policy

  1. Mobile information devices, including tablets, laptops, flash drives, portable hard disks, computer peripherals, optical discs and the like, must not be used to leak confidential or sensitive information without authorization.
  2. All removable media such as optical discs, flash drives, and flash hard disks should be properly used and stored to prevent unauthorized disclosure, modification, removal or destruction of information.
  3. Login with an account and password is required to use mobile information devices and wireless networks.
  4. If a mobile information device is shared, it should be ensured that only the shared applications and software are retained, and any temporarily stored data should be cleared and the device reset by the user after each use, so that the data cannot be accessed without authorization.
  5. Where a shared mobile information device needs to be sent out for repair or scrapped because of a malfunction, the sensitive information stored on it should be cleared, and the procedures for information device maintenance or outsourced information services should be complied with.
  6. Mobile information devices and removable media should be scanned for viruses or have anti-virus software installed before use, and should be accessed only with appropriate access control authority.
  7. Mobile information devices or removable media should be kept safe during remote working or transmission, to avoid unauthorized access, misuse or damage.
  8. When removable media is no longer used or is scrapped, the data clearing action must be completed and verified.


  Access control policy

  1. Access to information assets should be limited to the scope of one's own business, and information assets outside that scope must not be accessed without authorization.
  2. Information assets should be used properly to maintain their availability, integrity and confidentiality.
  3. System access accounts should not be provided to others unless the business requires it. If an account is opened for a business requirement, appropriate security control measures should be taken; these measures should take the business needs and the confidentiality of the information assets into account when granting access and setting its expiry.
  4. Personnel who hold the highest system management authority, or who are in charge of important technologies and operational control, should be carefully vetted.
  5. It is prohibited to use mobile information devices (such as tablets, laptops, flash drives, external hard drives, CDs and tapes) to leak documented information without authorization, including confidential or sensitive information, or to transmit malicious viruses.
  6. Access to data and information must comply with the "Personal Data Protection Act", the "Electronic Signatures Act", intellectual property laws and other related laws and regulations, as well as any contractual provisions regarding data protection and the control of data access and use.
  7. Access to utility paths should be properly controlled, and access by general users is prohibited.
  8. Appropriate control procedures should be in place for unattended information asset devices to prevent unauthorized access or misuse.
  9. Personal desktop and portable computers should be set to automatically clear the screen and log out, or to lock the system, after being idle for a certain period of time (no more than ten minutes) to avoid unauthorized access.


  Password control policy

Passwords must be changed every six months. Once a password has been set, it should be kept securely so that others cannot easily obtain it.


  Desktop clearance and screen clearance policy

  1. Document records should be archived and placed in file cabinets when leaving the office.
  2. Extremely confidential or confidential documents and records should be archived promptly, placed in file cabinets, and kept by the designated personnel.
  3. Removable storage media, such as flash drives, CDs and the like, should be stored properly.
  4. When leaving work, keep your personal desk clear.
  5. At the end of a meeting, erase the whiteboard.
  6. The areas where printers and fax machines are located should be kept clear at all times.
  7. Screens must be configured with a screen saver that activates after no more than ten minutes of idle time.
  8. When leaving the seat, the PC should be logged out or protected by mechanisms such as screen and keyboard locks.


  Information exchange policy

  1. When transmitting data over electronic transmission media, do not resort to illegal or improper transmission media for the sake of convenience.
  2. Do not use any transmission medium to disclose confidential or sensitive information held in the data center to other organizations or persons, whether by data transmission, messaging, speech or video.


  Secure development policy

  1. The development of application systems should take their availability, confidentiality and integrity into account.
  2. Ensure the security of application system development, testing, deployment and maintenance.
  3. Regardless of the type of project, information security risks and related information security issues should be considered, including the ISMS requirements and the control requirements of Appendix A.


  Information security policy for supplier relations

  1. Ensure that information security related requirements are committed to in the contract or agreement.
  2. Fully manage supplier deliveries, services and changes, taking their operational risks into account and staying consistent with the contracts or agreements.


  Goals of information security

  1. To protect the confidentiality of information and prevent illegal use.
  2. Ensure the availability and integrity of information assets.
  3. Ensure the effectiveness and continuity of information business operations.
  4. Ensure that employees have an adequate understanding of information security.
  5. Ensure that information security measures meet the requirements of policies, laws and regulations.


  Cyber security risks and responding measures

MDS has established comprehensive network and computer-related information security protection measures and has assigned dedicated (responsible) information security personnel. In addition to maintaining the operation of the Company's internal information security system, these personnel have also joined the Taiwan Computer Emergency Response Team (TWCERT) to collect relevant intelligence and information, take corresponding measures against potential information security risks and vulnerabilities, and adjust the control measures of the information security maintenance plan when necessary. To strengthen information security awareness and prevent intrusion through phishing emails, the Company regularly carries out information security education, training and promotion, and commissions an information security company to conduct social engineering drills that enhance the vigilance of employees.


  Invested resources in the cyber security management

  1. The Company introduced the ISO 27001 information security management system in 2014 and has been regularly recertified since. The UKAS certificate (Certification ID: TW14/10547) and TAF certificate (Certification ID: TW20/00304) are valid from August 12, 2023 to October 31, 2025. Through the introduction of the ISO 27001 information security management system, the capability to respond to cyber security incidents is strengthened, and the assets of the Company and its customers are protected. URL for verifying the validity of the certificates: https://www.sgsgroup.cz/en/vr/certified-client-directory
  2. The Company is a TWCERT member and regularly collects threat intelligence and information, conducts risk assessments based on that information, adjusts system architecture and configurations accordingly, and strengthens protection against information security threats.
  3. In 2021, a third-party information security company was commissioned to perform information security scanning and health checks in order to identify potentially dangerous servers and personal computers and remove dangerous and suspicious objects; a 100% remediation completion rate was achieved for high-risk items.
  4. In 2022, three hours of social engineering training was provided to employees, with 784 employees participating; a third-party information security company was commissioned to conduct email social engineering drills, with a total of 784 accounts tested.
  5. In 2023, the ThreatSonar Anti-Ransomware cybersecurity defense service platform was introduced, which includes a managed detection and response (MDR) platform. Its features combine threat intelligence analysis, real-time monitoring, APT (Advanced Persistent Threat) protection, ransomware defense and threat intelligence sharing, forming a robust cybersecurity defense platform for the organization.
  6. In 2023, three hours of social engineering training was provided to employees, with 809 employees participating; a third-party information security company was commissioned to conduct email social engineering drills, with a total of 809 accounts tested.


  Major Information Security Incident

List any losses suffered by the Company in the most recent fiscal year and up to the annual report publication date due to significant cyber security incidents, the possible impacts therefrom, and the measures being or to be taken. If a reasonable estimate cannot be made, an explanation of the facts of why it cannot be made shall be provided: To ensure that, when an information security incident occurs, the Company can promptly report it according to procedure, take the necessary contingency measures and establish a lessons-learned mechanism, the Company has formulated information security incident management procedures under which incidents are reported and handled according to their severity level. To date, no major information security incident has occurred. Although an enterprise anti-virus system is deployed, there are still sporadic virus infections and malware incidents; after handling by the information security personnel, all abnormal incidents were resolved. Although the integrity of the data and confidential information was not affected, these incidents caused interruptions and delays to the work of some colleagues, but no business loss resulted.