
Cyber Security Management

1. The cyber security risk management framework:

• The interdepartmental Information Security Management Committee of the company assigns the President as the Committee Head, who assigns the Global Information Security Division Chief as the management representative for the planning and promotion of information security policies and management regulations. The Chief of Global Information Security Division reports to the Committee Head and manages information security supervisors to coordinate with the General Management Division, the Global Human Resources Division, the Quality Assurance Division, and the Cyber Security Department to form a task force that is responsible for the establishment and implementation of management regulations. Each first-level department under the President assigns an information security representative to participate in the discussions to establish management regulations. The representatives relay the comments of their respective departments and assist in the promotion of regulations upon approval. With these measures, the effectiveness of information security management of the company is secured.
• The Information Security Management Committee is responsible for the establishment as well as the periodic reviews and corrections of information security management policies and management regulations.
• The Information Security Management Committee convenes review meetings regularly to ensure the smooth operation of management mechanisms and reports to the Board of Directors every year.
• The Global Information Security Division encompasses the Information Security Department and Chief Information Security Officer. It oversees all information security-related policies, their implementation, as well as the planning and deployment of a defensive framework for information security.

2. The cyber security policies

“Risk management through legal and regulatory compliance, reinforcing risk protection and response measures, archiving and backing up sensitive documents: everyone is responsible for information security”

• To ensure the confidentiality, integrity, and availability of the company’s information, as well as the regulatory compliance of its management systems and procedures.
• ATEN reinforces its information protection capability and strengthens its core information communication system from four major aspects: organization, personnel, procedure, and technology to ensure continuous operations.
• ATEN regularly responds to the internal and external changes of information security and reviews the effectiveness of its risk management measures and information security incident response handling procedures.
• ATEN implements the protection of sensitive information and the backup/recovery of data to prevent information assets from being misused, tampered with, or damaged through human negligence, intentional conduct, or natural disasters, which would in turn affect the normal operation of its business and result in the loss of company rights and competitiveness.
• ATEN properly protects the information and privacy of its customers regardless of the region or country in which they are located, and whether or not relevant legislation exists in those regions.
• Colleagues should actively participate in the education and training held by the company to increase their information security awareness and personal protection capabilities.

To further enhance information security management, a sound Information Security Management System (ISMS) was put into place. ATEN obtained ISO 27001 certification in 2022 and the certificate is valid from October 2, 2022, to October 2, 2025. By establishing this information security management system and implementing the PDCA cycle (Plan-Do-Check-Act), ATEN will continue to enhance its daily management of information security and its abnormal incident response capability to protect its information assets and ensure its competitiveness.


3. Concrete management programs

(1). Information security awareness education and training
Regularly conducting education and training on information security, and recording online education and training courses, to increase colleagues’ knowledge of information security and help them make the right choices.

(2). Information system security management
A. Installing anti-virus software on the company’s servers, personal computers, and laptops, automatically updating virus definitions, and regularly reviewing their update status.
B. Delivering patches for security vulnerabilities to the company’s servers, personal computers, and laptops in a timely manner to ensure the completion of security patches.
C. Installing information security modules in the email system, including spam filtering, malicious email detection, and email backup for auditing, to increase overall email security.
D. Conducting data backup for application systems and databases every day that complies with the 3/2/1 data backup principle (3 copies of backup, 2 types of storage media, 1 copy of off-site storage) in addition to implementing system data recovery drills every year and monitoring the results of daily backup to ensure data storage security.
E. For control of flash drives, an asset management system is used to restrict what employees may connect. Employees are not allowed to use personal storage devices and may only use company assets and registered flash drives, to ensure the security of the company’s classified information.
F. Each department removes administrator rights, uses licensed software authorized by the company, and complies with relevant regulations. Unauthorized software that is irrelevant to the business cannot be installed, which keeps the company compliant with software licensing and reduces the risk of viruses and spyware introduced by unlicensed software.
G. Carefully assessing the possible security risks beforehand and signing the appropriate information security confidentiality agreements with vendors when outsourcing information system work.
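As an added example (not ATEN’s own tooling), the following script checks a backup inventory against the 3/2/1 rule and the daily-backup requirement described in item D above: every system needs 3 copies, on 2 media types, with 1 copy off-site, and no copy older than one day. The inventory, system names and site names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    system: str              # application system or database being protected
    location: str            # site identifier, e.g. "hq-dc" or "offsite-colo"
    media: str               # storage media type, e.g. "disk", "tape", "object"
    offsite: bool            # True when the copy is stored outside the primary site
    completed_at: datetime   # when this copy last completed successfully


def check_321(copies, now, max_age=timedelta(days=1)):
    """Return {system: [issues]}; an empty issue list means the system is compliant.

    Rule as stated on the page: 3 copies, 2 media types, 1 off-site copy, and a
    backup every day (so every copy must be fresher than max_age).
    """
    by_system = {}
    for c in copies:
        by_system.setdefault(c.system, []).append(c)
    findings = {}
    for system, group in by_system.items():
        issues = []
        if len(group) < 3:
            issues.append(f"only {len(group)} copies (need 3)")
        media = {c.media for c in group}
        if len(media) < 2:
            issues.append(f"only {len(media)} media type(s) (need 2)")
        if not any(c.offsite for c in group):
            issues.append("no off-site copy")
        stale = [c for c in group if now - c.completed_at > max_age]
        if stale:
            names = sorted(f"{c.location}/{c.media}" for c in stale)
            issues.append("stale copies: " + ", ".join(names))
        findings[system] = issues
    return findings


# Constructed sample inventory (hypothetical systems and sites, not real ATEN data).
NOW = datetime(2024, 6, 1, 8, 0)
SAMPLE = [
    BackupCopy("erp-db", "hq-dc", "disk", False, NOW - timedelta(hours=6)),
    BackupCopy("erp-db", "hq-dc", "tape", False, NOW - timedelta(hours=7)),
    BackupCopy("erp-db", "offsite-colo", "object", True, NOW - timedelta(hours=8)),
    BackupCopy("crm-app", "hq-dc", "disk", False, NOW - timedelta(hours=5)),
    BackupCopy("crm-app", "hq-dc", "disk", False, NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    for system, issues in check_321(SAMPLE, NOW).items():
        print(system, "OK" if not issues else "; ".join(issues))
```

Running the script lists erp-db as compliant and reports crm-app for too few copies, a single media type, no off-site copy and one stale copy, which is the kind of daily result the monitoring described above would surface.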

(3). Network security management
A. The company’s externally facing application systems use firewalls to isolate themselves from the Internet and restrict access in order to block malicious connections. Abnormal connection reports are also reviewed regularly.
B. The external network of the company has seven layers of firewalls that filter all packets and traffic and block all traffic that poses a threat to the security of the network. Anomaly reports are also reviewed and analyzed regularly.
C. Installing network behavior control equipment on the external network and banning employees from connecting to external services that are not related to work, such as cloud storage, webmail, social networks, instant messengers, and streaming media.
D. Controlling private wireless networks and 4G signals in the company’s internal office areas to prevent company data from leaking out via personal wireless devices, and blocking unauthorized external wireless devices.
E. Controlling employees’ personal computers, and detecting and blocking computer devices not authorized by the company, to prevent personal equipment from connecting to the company network and stealing confidential company data.
F. Building internal firewalls to protect the important information of the company’s departments, prevent external hacker attacks, and control application access.
G. Managing the sharing of data with external parties via company laptops to prevent employees from taking laptops out and leaking important classified information of the company.

(4). System access control
A. For new hires, personnel adjustments, and employment terminations, applications must be filed on the system to notify the Global Information and Cyber Security Division to add new users, adjust or delete the access rights of employees.
B. Accounts and passwords must be set for information systems, and user passwords should comply with the length and complexity required by the security principles. Users should also change their system passwords regularly.
C. Based on their work demands, users log in to the internal application system and apply for IT services, the relevant supervisors review the applications, and the Global Information and Cyber Security Division sets the system access rights for users.
D. For system establishment and maintenance performed by vendors, the scope of system access rights should be defined in advance, and granting vendors long-term system accounts and passwords is prohibited. Short-term or temporary vendor accounts and passwords are granted according to actual operational needs and their access rights are terminated immediately after use. Users should log in to the system to apply for these short-term or temporary accounts and passwords.

(5). Information security sustainable operations and management
A. The Information Security Management Committee has been established to formulate and promote information security policies and management regulations, discuss information security issues and countermeasures, and require employee compliance to maintain the company’s information security. Routine operation and maintenance of information security is the responsibility of the Information Security Department.
B. ISO 27001:2013 certification was obtained in 2022. Comprehensive rules and enforcement of management procedures will further strengthen information security management systems in order to ensure the safety of Company and customer information assets.
C. In the event of information security incidents, contingency protocols should be followed and the relevant department supervisors and personnel of the information security department should be informed to conduct appropriate handling and fast recovery operations.
D. The Global Information and Cyber Security Division regularly assesses the likelihood that information security risks lead to damage, and takes out appropriate information security insurance where necessary to reduce the risks and losses arising from information security incidents.


4. Investments in resources for cyber security management

The company has built a defensive information security mechanism to avoid the suspension of business due to information security issues, ensuring business continuity and effectively supporting its operational performance.
From the perspective of defense levels, information security defense can be divided into the network, endpoint, data, and cloud levels. Information security-related resources invested in strengthening each level include:

• The establishment of the first and second firewalls, blocking of wireless access points, blocking of connections from non-ATEN computers, reinforcement of encryption certificates, establishment of network quality monitoring dashboards, introduction of multi-factor authentication (MFA), establishment of a WFH connection structure that complies with information security regulations, and establishment of a network detection and response (NDR) mechanism.
• Implementing software patches and the management of monitoring dashboards at servers and user endpoints, controlling data sharing among endpoints to stop viruses from spreading, and establishing failover cluster structures for important system services to ensure the availability of services.
• Establishment of an endpoint detection and response (EDR) mechanism to effectively monitor abnormal behavior at endpoints, determine whether it is a hacker attack, and respond in a timely manner for risk prevention.
• Implementing 3/2/1 backup operations and establishing monitoring dashboards. Implementing disaster recovery drills and establishing monitoring dashboards. Managing USB data export and sent emails. Planning for the introduction of sensitive information protection platforms.
• Initiation of cloud-based WAF.
• Personal data is now encrypted and access restrictions tightened during processing and storage.

In addition to strengthening the information security management system in accordance with the ISO 27001 management procedure:
1. Annual vulnerability scans are scheduled and corrective action is taken on high-risk items identified during the scan. The quality of information security protection is being continuously strengthened through further upgrades.
2. Social engineering drills are scheduled to boost employee information security awareness and protect personal computers against phishing e-mail attacks. Employees are tested on their information security alertness and provided with appropriate information security education.

To keep up to date on the latest information security developments, ATEN has also obtained access to the resources and experiences of information security alliances in the public and private sectors:
1. ATEN is already a corporate member of TWCERT/CC (https://www.twcert.org.tw/)
2. The Chief Information Security Officer has become a member of the Taiwan Chief Information Security Officer (https://ciso.tca.org.tw/), and external threat intelligence provided by information security vendors is also taken into account. Risk assessment is carried out based on the contents of the intelligence, and response strategies are developed. Information security personnel check and track the outcomes for each piece of intelligence in order to strengthen our protection against external information security threats.

ATEN has established an online course, “General Education and Training in Information Security”, that is now designated as a mandatory course for all employees. All employees completed the training in 2022.