Cyber Security Management


Cyber Security Risk Management Framework

EDT appoints the top manager of the Management Information System Department as the head of cyber security, and establishes the “Cyber Security Committee” and a “Cyber Security Implementation Team” to consolidate our cyber security. The “Cyber Security Committee” is convened by the head of cyber security, and each unit within EDT (Audit Office, Management Information System Department, Administration Department, Legal Affairs and Market Department) appoints one person as a committee member. The “Cyber Security Implementation Team” consists of members of the Management Information System Department assigned by the convener, who are responsible for planning and implementing cyber security operations, mainly cyber security prevention and incident handling.


The cyber security policy is formulated by the “Cyber Security Implementation Team” and approved by the “Cyber Security Committee”. Management review meetings are held regularly, and the applicability of the policy is re-evaluated when there are major changes in the organization (such as organizational adjustments, major business changes, etc.). Appropriate revisions of the cyber security policy are made in accordance with the latest assessment results, relevant laws, technologies, and business developments so that it remains in line with actual needs. Meanwhile, the “Cyber Security Committee” reports on cyber security risk management to the Board of Directors each year, thus strengthening the directors' supervision and management of EDT's operations.

Cyber Security Policies

Policy Objectives
This policy is formulated by EDT in order to achieve the following operational and management objectives:
  • EDT's information operations continue to run without interruption, the effectiveness of internal system management is maintained, and the quality of information services is improved.
  • Ensure the confidentiality, completeness and correctness of all information processed and used.
  • The business processes related to the collection, processing and use of personal information comply with the requirements of the Personal Data Protection Act.
Applicable Scope
All employees of EDT, business partners, outsourced service providers, visitors, users of EDT's information services, etc.
Policy Requirements
  • EDT shall implement the compliance of relevant laws and regulations, including intellectual property protection law, personal data protection law, and agreements and contracts signed with external units.
  • Both the Management Information System and Administration Department are responsible for promoting the planning, implementation, communication and coordination of relevant management systems, and actively handling education, training and publicity on cyber security and personal data protection to ensure that personnel are familiar with the security responsibilities of business execution.
  • The information assets held by employees for the execution of EDT's business are company-owned rather than personal, and are classified, graded, and risk assessed according to their needs to achieve effective controls. Information operations are planned according to the actual needs of business execution and managed continuously so as to ensure the availability of information operations.
  • The physical office environment and important information equipment rooms are subject to access control to maintain the safety of the environment.
  • To prevent computer viruses and malware affecting operations, except for legally authorized systems and application software, the use of other unauthorized software is prohibited.
  • To ensure the effectiveness of the management system, those who violate the relevant procedures and norms of the management system shall be reviewed and punished in accordance with relevant regulations.
Responsibilities
  • EDT has established a management organization to coordinate the promotion of relevant management systems.
  • The management should actively participate in and support the management system and adopt appropriate standards and procedures to implement this policy.
  • All employees of EDT, outsourced service providers, and visitors shall comply with this policy.
  • All employees of EDT and outsourced service providers are responsible for reporting information security incidents or weaknesses through an appropriate reporting mechanism.
  • Any act that endangers cyber security and personal information protection will be investigated for civil, criminal and administrative liabilities depending on the severity of the circumstances.
Implementation and Revision
This policy shall be reviewed and approved by the Cyber Security Committee and implemented after approval by the General Manager; the same applies when the policy is amended.

Concrete Management Programs for Cyber Security

EDT considers that cyber security insurance is still an emerging type of insurance, involving cyber security level testing agencies, claims identification agencies, non-claim conditions and other related supporting facilities. Therefore, after evaluation by the Cyber Security Committee, the purchase of cyber security insurance is temporarily not recommended. At present, our main cyber security risk management measures and their implementation are as follows; they have effectively protected cyber security and were submitted to the Board of Directors on November 2, 2023:

Items / Management Programs
Firewall protection
  • The firewall enforces connection rules; by default, only basic network and email connections are opened.
  • If there are special connection requirements, connections can only be opened with the approval of senior management.
  • The number of attacks on the firewall is monitored and analyzed monthly.
User access control mechanism
  • An automatic website protection system monitors users' online behavior.
  • Users are automatically blocked from accessing websites that may be linked to Trojan horses, ransomware or other malicious programs.
  • Use of instant messaging software, web mail, network drives, file transfer and other network services without approval is forbidden.
Wireless network control mechanism
  • The wireless networks are only available for mobile devices such as business laptops, mobile phones and tablets, and access can only be opened after the approval of senior management.
  • The wireless network locks the device MAC address to ensure that only approved devices can use it.
  • According to the user's device and requirements, the permissions of different SSIDs are set to control which hosts may connect.
Security control of information room
  • An access control system governs entry to and exit from the computer room; the employee identification card is required to enter and exit, and no entry is allowed without permission.
  • The computer room has a UPS (uninterruptible power system) which can automatically shut down the servers in case of an abnormal power failure, protecting the server systems from breakdown due to loss of power.
Anti-virus software
  • Multiple anti-virus products are used to reduce the chance of infection by new viruses.
  • The virus definitions of the anti-virus software are updated regularly to reduce the risk of infection.
USB disk access control
  • The user's computer is prohibited from using USB devices by default, and the use of USB devices for official needs can only be opened after the approval of the department head and the General Manager.
  • USB devices can only be used after they have been certified by Management Information System Department, and uncertified USB devices cannot be used even on a computer permitted to use USB devices.
Operating system updates
  • Major and security updates of the operating system are uniformly controlled by the automatic update system and automatically delivered and installed to all users' computers.
  • Management Information System Department shall assist those who have not updated for any reason in the update.
Email security control
  • Automatic email scanning threat protection screens messages for unsafe attachments, phishing emails and spam before users receive them, and extends protection to malicious links.
  • When a personal computer receives an email, the anti-virus software also scans it for unsafe attachments.
User email security control
  • The system records the number and details of each user's external emails sent and received, monitors abnormal sending and receiving activity, and helps prevent the leakage of confidential information.
Website protection mechanism
  • The website has a firewall to block external cyber attacks.
  • The website has an anti-defacement mechanism, which automatically restores tampered content.
High availability reinforcement system
  • All important information systems have established a high-availability mechanism. In the event of a system failure, the system can be restored in the shortest possible time.
Information system and database backup mechanism
  • Databases of important information systems are set up with daily full backups and hourly differential backups.
  • Information systems are fully backed up once a day.
Off-site storage
  • The backup files of the server and various information systems are stored separately in the information rooms of different factories.
Important file upload server
  • The important files of each department shall be uploaded to the server which is stored and backed up by Management Information System Department.
Information center check form
  • Use the form to record computer room temperature, data backup, anti-virus software updates, network traffic, etc.
Employee information security awareness advocacy
  • New employees are required to sign the "Employee Information Operation Statement" to understand the sending, receiving and accessing specifications of various internal and external information of the company.
  • Announcements will be issued from time to time to encourage employees not to open suspicious emails or attachments at will, as well as anti-leakage publicity briefings.

Investments in Resources for Cyber Security Management

  • The Management Information System Department has assigned a total of 3 people to be responsible for the management of cyber security.
  • Professional information security vendors provide firewall connection rule backup and management consulting, anti-virus and backup system licensing and management consulting, and advanced integrated endpoint protection services, etc. The aforementioned expenditure totals NT$582 thousand each year. In addition, the purchase of anti-virus software was NT$304 thousand, the backup software license was NT$93 thousand, and the purchase of backup servers and other related hardware equipment was NT$140 thousand.
  • Relevant “information security education and training” is provided to all employees for two hours each year, totaling 903 people and 1,806 training hours. The completion rate was 100% in 2023.