Cyber Security and Personal Data Protection

Management Approach

1. Policies, procedures and practices related to information security and data privacy are established in accordance with international standards, serving as the operational framework within the organization.
2. A working committee for information security management systems is appointed to drive the organization’s information security system to ensure its stability, security and compliance with international standards.
3. Risk assessments for information security and data privacy are conducted and security measures are put in place to prevent cyber threats and mitigate risks related to the leakage of personal data and critical organizational information.
4. Awareness of information security is raised among all employees, with regular communication and dissemination of critical information, as well as consistent alerts about potential threats.

Operations and Performance

Information Security Management System Policy

The Company has established an Information Security Management System Policy Statement to define the direction, principles and framework for managing information security. It also aims to proactively raise awareness and promote adherence to policies, operational procedures and relevant laws concerning information security.

Structure of Information Security Management System

Click to Enlarge

The company prioritizes data security and privacy issues, thus the Board of Directors, led by the Chief Executive Officer (CEO), has resolved to appoint a working committee for the Information Security Management System. This committee is responsible for driving the organization’s information security management system to ensure its stability, security and compliance with international standards. The committee continuously evaluates and controls information security risks across the organization, develops and improves operational procedures and response measures and ensures that all personnel are informed and adhere to these measures. The committee also tracks and reports the progress of the information security management system to the Board of Directors for continuous awareness. Furthermore, efforts are made to enhance knowledge and understanding and to disseminate critical information on information security to personnel at all levels, thereby raising organizational awareness of the related risks

Information Security Risk Assessment

Currently, cyber threats come in various forms, are complex and occur more frequently. Therefore, the company must conduct thorough and continuous risk assessments, categorizing the risks into 2 areas: 1) information technology system risks and 2) Expertise risks of departments and personnel.

The Company carries out risk preparedness drills and system tests to prevent system outages and data breaches, working with departments that could be affected by cyber threats. These drills are carried out at both the factory and the headquarters. The process includes the following steps:

1. Developing a plan for IT emergency response drills by simulating real-life scenarios.
2. Simulating real-life scenarios in the server systems of the headquarters and the factory to identify vulnerabilities from attacks.
3. Testing for vulnerabilities in systems such as the email system, accounting program, payroll system, and antivirus system.
4. Analyzing the results of the vulnerability scan, checking and closing potential attack points from both internal and external sources, followed by another round of system testing to reduce risks and vulnerabilities.
5. Reporting the results of the operations to the information security management executive for presentation to the Board of Directors and the Risk Management Committee.