Issue Date: August 3, 2023

To implement sustainable development and protect the Company's confidential information and customer privacy, Coretronic established an "Information Security Management Committee" in 2012 to disseminate its information security policy and establish communication mechanisms. This effectively prevents information from being stolen, tampered with, lost, or omitted. Besides safeguarding the confidentiality, integrity, and availability of information, the Company also complies with ISO 27001 standards and relevant information security laws and regulations.

Information Security Management Committee

The Information Security Management Committee is responsible for reviewing information security governance policies, supervising the operation of security management, establishing comprehensive security protection mechanisms, enhancing employee awareness of information security, and conducting regular assessments of information security risks. Since 2020, the committee has been providing annual reports to the Board of Directors to update them on the progress and execution of these initiatives.


Information Security Policies

Information security policies are formulated in accordance with ISO 27001 and NIST standards and based on the Company's actual internal needs.

  • Each unit of the Information Management Center has established an inventory of its information assets and identified their owners. Based on the classification of information assets, risk assessments are conducted to identify risks that exceed acceptable levels. Risk treatment is then carried out to mitigate those risks, and ongoing control measures ensure the risk reduction is sustained.
  • Relevant personnel should undergo the necessary assessments and sign the relevant operational procedure documents. When their roles change or they resign, they must return their information assets. Both new and existing employees should participate in information security education and training to strengthen their awareness and understanding of information security protection.
  • When entering or exiting the company building and information security control areas, the relevant access control and personal-belongings regulations apply.
  • Employees are strictly prohibited from setting up their own network devices to connect external networks to the company's internal network. Both internal and external networks should be protected by firewalls, demilitarized zones (DMZ), and the necessary security facilities. Important devices should have appropriate backup or monitoring mechanisms to maintain their availability. Employee computers must have antivirus software installed with virus definitions updated regularly, and the use of unauthorized software is prohibited.
  • Employees should properly safeguard and use personal accounts, passwords, and permissions, and management personnel should regularly check and review them. Important system operation data should be regularly backed up and recovery tests should be performed.
  • Security controls should be considered during the initial stages of system development. For outsourced development, control and contractual information security requirements should be strengthened.
  • If employees encounter information security incidents, they should report them immediately and follow the procedures outlined in the information security incident handling manual to prevent the incidents from escalating. They should cooperate with relevant departments to resolve the incidents.
  • Employees should apply confirmation and review mechanisms in their daily operations to maintain data accuracy. Supervisors should oversee compliance with information security requirements and strengthen colleagues' awareness of information security and the applicable legal concepts.
  • Coretronic regularly reviews its information security policies in response to government regulations, technological advancements, and business developments. The Information Security Management Committee adjusts its objectives according to the information security policy to ensure the effectiveness of information security practices.

Information Asset Inventory Procedure


Information Security Risk Identification

  • Policy: Based on the 14 control domains and 114 control measures of ISO 27001, cybersecurity is strengthened across six major aspects: network security, host security, application system security, equipment security, operation analysis, and information security management. The risk improvement process is systematized and digitized, establishing a multi-layered cybersecurity defense architecture to enhance cybersecurity strength.
  • Annual Goals: Annual information security management goals are set, evaluation metrics are established according to each goal's characteristics, and improvement recommendations for non-compliance or obvious risks are issued through quantified indicators and standardized processes, then tracked to completion.
  • Vulnerability Scanning : To address the ever-changing hacker intrusion methods, we regularly perform vulnerability scans on the systems related to our services, and all vulnerabilities will be remediated within three months.

Information Security Education and Training

  • Security Training: "Information Confidentiality and Computer Network Usage Policy" courses were arranged for 220 newly hired employees. Other courses, such as "Information Security and Social Engineering Awareness", "Network Security and Computer Usage Regulations", and "Cybersecurity Education Training", were also offered, with a total of 721 participants.
  • Security Announcements: Whenever a cybersecurity incident occurs at a partner company, a cybersecurity awareness announcement is issued to remind employees of the related risks, so that the same mistakes are not repeated and the company does not suffer operational losses. In 2023, 5 cybersecurity announcements were issued.
  • Social Engineering Drills: 2 email social engineering drills are conducted for all groups of employees.

Information Security Measures

  • Establishing a multi-layered defense security architecture, strengthening security through six major aspects: network security, host security, application system security, device security, operational analysis, and security management. 
  • Strengthen the cybersecurity protection architecture and upgrade the forensic analysis platform to close gaps in cybersecurity protection.
  • Stay synchronized with the International Threat Intelligence Center to update threat intelligence in real time and block malicious connections, and proactively hunt for suspicious behavior through the proactive alert analysis engine; cybersecurity experts conduct forensic investigations to reinforce the defenses against hackers.
  • Because the systems that provide external services are updated, since 2020 at least one platform vulnerability scan and one social engineering drill have been conducted annually.