Information Security Risk Management Architecture, Information Security Policy and Specific Management Plan
 

Information Security Risk Management Architecture

  • The IT department is responsible for the overall planning of the information security and relevant matters, establishment of relevant internal control procedures for management and periodically perform internal information security inspection.

 
 

Information security policy

  • I. Purpose
    As the development of the information system and internet network application continue to advance, to ensure the security of the software/hardware equipment and internet network of the Company, this Information Security Management Policy is hereby established in order to serve as a basis for the information security compliance by all employees of the Company.
  • II. Definition
    To ensure that all information systems are protected from any interference, damages, infringement or any improper actions, appropriate system planning, procedural regulations and administrative management are implemented in order to prevent internal and external threads, thereby achieving the objective of maintaining the security of information system.

  • III. Goal
    To prevent the information system from damage due to improper use or intentional destruction of internal or external personnel, in the event of emergencies due to improper use or intentional destruction already occurred, the Company is able to promptly respond and handle such occurrence and to resume to normal operation within the shortest period of time, thereby reducing possible economic damages or operation interruption caused by such incidents.

  • IV. Scope
    This policy is applicable to all information systems of the Company and users thereof. Information users include the official employees, contracted personnel, system construction and maintenance vendors, and other personnel authorized for use.

  • V. Organization
    The IT department is responsible for the overall planning of the information security and relevant matters, establishment of relevant internal control procedures for management and perform internal information inspection periodically.

  • VI. Procedure

    (I) Personnel Information Security Awareness and Training

    To reduce the impacts of internal human factors on the information security, the IT department shall implement information security educational training and promotion frequently in order to increase the knowledge and awareness of personnel on information security.

    (II) Information System Security Management

    1. The computer host machines and server equipment shall be installed at specialized machine rooms, and the IT department shall be responsible for the management thereof. Unauthorized personnel shall not enter such machine rooms, and when no one is inside a machine room, the machine room should remain locked.

    2. Personal computers and various peripheral equipment etc. shall be allocated appropriately according to the nature of business and the factors of the field space etc., and uninterrupted power supply (UPS) system shall be connected in order to ensure stable power supply and to prevent the damage of equipment affecting the operation of the Company.

    3. The maintenance and operation status of the main equipment shall be recorded. In case of equipment failure, troubleshooting shall be made internally or the maintenance vendor shall be contacted to perform emergency handling.

    4. The machine room temperature shall be maintained within an acceptable temperature control range of each equipment. In addition, in case of occurrence of errors, the monitoring equipment shall inform relevant personnel of the IT department to perform troubleshooting in order to prevent the damage of equipment affecting the operation of the Company.
       
    5. Establishment of new information system shall only be in service after the singing approval of the supervisor according to the application procedure in order to ensure that the system is able to operate accurately and stably.

    6. Each department shall use licensed legitimate software and shall comply with relevant laws and contract requirements. Any software without legitimate license and irrelevant to the job duties shall not be installed for use. Any violators shall bear relevant legal liabilities and shall also bear relevant indemnification liability in case of any damages of each unit’s equipment. 

    7. Data backup and recovery operation shall be performed periodically in order to promptly resume to normal operation in case of occurrence of disasters. Backup media shall be remotely stored at a secured environment in order to ensure the integrity and usability of data.

    8. When the information service is outsourced externally, it is necessary to carefully assess the possible potential security risks in advance, and shall sign appropriate information security agreement with the outsourced vendor in order to impose relevant security management obligations and to include such obligations in the contract terms.

    (III) Network Security Management

    1. Access points connected to the external network shall be installed with firewall and other security facilities in order to control the data transmission and access of the external and internal networks.

    2. Enterprise version of anti-virus software shall be installed and anti-hacking software for detecting intrusion shall be constructed to protect the information system of the Company from any virus infection and intrusion of malware or hackers. Information equipment shall be downloaded and updated with the latest virus codes, operating system update patches at all time.

    3. In case of discovery of any intrusion or suspicious intrusion, the IT department shall be informed to perform relevant handling. When it is considered necessary, legal action shall be adopted.

    (IV) System Access Control

    1. During the new employee recruitment, employee job transfer and resignation (suspension) of users, written notices shall be submitted to the  IT department to perform the addition, adjustment or deletion of the use authority for users in order to ensure the security of the system.

    2. Information system shall be set with access passwords, and the user access passwords shall comply with the security principle, and access password shall be requested to be changed periodically.

    3. IT department shall periodically inspect the security status of each system in order to ensure the security of information process related operations.

    (V) Security Management of Information System Development and Maintenance 

    1. The system development/construction, maintenance, update, in-service execution and version change operation shall be under security control, and shall be commissioned to be handle by legitimate and qualified vendor, in order to prevent any improper software, backdoor and computer virus etc. from jeopardizing the security of the system.

    2. The construction and maintenance of Important information system performed by outsourced vendor shall only be handled under the supervision and participation of the personnel of the IT department of the Company.

    3. For change of program and system authorization, it is necessary to fill out application form, and the approval of the supervisor shall be obtained before the IT department personnel and supervisor arrange the operation period. In addition, program and system testing shall be confirmed to be correct without errors before permission for in-service use.

    (VI) Planning and Management of Business Sustainable Operation Plan

    1. In case of occurrence of information security event such that the information system cannot operate or the execution efficiency is affected, it shall be reported to the unit supervisor and IT department personnel immediately in order to perform relevant handling.

    2. After the reporting is made, the information system or equipment affected shall be stopped for use immediately and the current condition shall be preserved. Once the IT department personnel receive the report, relevant messages shall be recorded in order to perform relevant handling procedure.

    3. IT department shall periodically assess the possibility of loss caused by information security risk. When it is assessed to be necessary, appropriate insurance shall be applied in order to reduce the loss amount.
 
 

Specific Management Method

  • To prevent various external information security threats, in addition to the design of multi-layer virtual network architecture, various information security protection systems are further constructed and implemented. Use well-known brands for firewall, and frequently update the firewall application program protection. In addition, when personnel accessing hazardous external websites, warning is sent and the access is locked to prevent entrance of operators.

  • Each computer is installed with the top five anti-virus software ranked worldwide, and centralized protection management is adopted in order to protect computer from virus. In addition, the virus cods are updated timely and alerts are sent to main network administrator of the IT department.
 
 
 
9F., NO. 168, JIANKANG RD., ZHONGHE DIST., NEW TAIPEI CITY, TAIWAN
+886-2-6621-5888
+886-2-6620-0888
[email protected]
 
Copy Right © Syncmold Enterprise Group. All right reserved. Best viewd with 1024 x 768 dpi resolution & IE 9.0