Issue Date: August 3, 2023
To ensure sustainable development and safeguard the company's confidential data and customer privacy, Coretronic established the Information Security Management Committee in 2012. The committee is responsible for implementing information security policies and establishing communication mechanisms to prevent the theft, tampering, loss, or leakage of information. Beyond protecting the confidentiality, integrity, and availability of information, these efforts are aligned with the ISO 27001 standard and applicable cybersecurity regulations.
Information Security Management Committee
The Information Security Management Committee is responsible for reviewing information security governance policies, supervising the operation of security management, establishing comprehensive security protection mechanisms, enhancing employee awareness of information security, and conducting regular assessments of information security risks. Since 2020, the committee has been providing annual reports to the Board of Directors to update them on the progress and execution of these initiatives.
Information Security Policies
Information security policies are formulated with reference to ISO 27001 and NIST standards and tailored to the company's actual internal needs.
- Each unit of the Information Management Center maintains an inventory of its information assets and identifies the owner of each asset. Based on the classification of those assets, risk assessments are conducted to identify risks that exceed the acceptable level. Risk treatment is then applied to mitigate those risks, and ongoing control measures are implemented to keep them reduced.
- Relevant personnel undergo the required assessments and sign the relevant operating procedure documents. On a change of role or resignation, they must return the information assets entrusted to them. Both new and existing employees take part in information security education and training to strengthen their awareness of information security protection.
- Access control and personal-belongings regulations are enforced when entering or leaving company buildings and information security control areas.
- Employees are strictly prohibited from setting up unauthorized network devices that bridge external networks and the company's internal network. The boundary between internal and external networks must be protected by firewalls, demilitarized zones (DMZ), and other necessary security facilities. Important devices must have appropriate backup or monitoring mechanisms to maintain their availability. Employee computers must have antivirus software installed with virus definitions kept up to date, and the use of unauthorized software is prohibited.
- Employees must properly safeguard and use their personal accounts, passwords, and access privileges, and management must review them regularly. Data from important systems must be backed up regularly, and recovery tests must be performed to verify that the backups can be restored.
- Security controls should be considered during the initial stages of system development. For outsourced development, control and contractual information security requirements should be strengthened.
- Employees who encounter an information security incident must report it immediately and follow the procedures in the information security incident handling manual to keep the incident from escalating, cooperating with the relevant departments to resolve it.
- Employees must apply confirmation and review mechanisms in their daily operations to maintain data accuracy. Supervisors oversee compliance with information security requirements and reinforce colleagues' awareness of information security and the relevant legal obligations.
- Coretronic regularly reviews its information security policies in response to government regulations, technological advancements, and business developments. The Information Security Management Committee adjusts its objectives according to the information security policy to ensure the effectiveness of information security practices.
Information Asset Inventory Procedure
Identification of Information Security Risks
- Policy : Based on the 14 control domains (with 35 control objectives) and 114 controls of ISO/IEC 27001:2013 Annex A, we strengthen information security in six major areas: network security, host security, application system security, device security, operational analysis, and information security management. We streamline and digitize the risk remediation process, establish a defense architecture for information security, and raise the overall security level.
- Annual Goals : We set annual information security management goals and define evaluation metrics suited to each goal. Through data-driven indicators and standardized procedures, we provide improvement recommendations and track non-conformities and identified risks.
- Vulnerability Scanning : To keep pace with evolving attack techniques, we regularly conduct vulnerability scans on systems that provide services. In 2022, a total of 57 system vulnerabilities were identified, and all of them were remediated within three months.
Information Security Education Training
- Security Training : We delivered the "Information Confidentiality and Computer Network Usage Policy" course to new employees, with a total of 1,069 participants, and offered the courses "Information Security and Social Engineering Awareness" and "Information Security," with a total of 742 participants.
- Security Announcements : When major security incidents occurred at affiliated factories, we issued security awareness announcements to remind employees of the related risks and prevent potential operational losses. In 2022, a total of six security announcements were issued.
- Social Engineering Drills : We conducted one email-based social engineering (phishing) drill covering all employees within the group.
Information Security Measures
- Develop a layered defense security architecture to strengthen security across the six major areas: network security, host security, application system security, device security, operational analysis, and security management.
- Enhance the AI-driven security protection architecture and complement it with 24/7 emergency response and a forensic analysis platform to ensure comprehensive security coverage.
- Stay synchronized with international threat intelligence centers to receive real-time threat intelligence updates. Use proactive early-warning analysis engines to block malicious connections and capture suspicious behavior, and engage professional cybersecurity experts for forensic investigations to strengthen defenses against attackers.
- Since 2020, at least one vulnerability scan of externally facing service platforms and one social engineering drill have been conducted each year to keep pace with system updates on those platforms.