To ensure the confidentiality, integrity and availability of company information, Etron has established an information security policy as the guideline for information security management, in accordance with the company's operational requirements and relevant laws and regulations, and implements management procedures through its internal information security organization. In addition, employees should develop awareness of information security risk, and use management procedures and security protection technologies to achieve the security goals for the collection, processing, transmission, storage and circulation of information.
Information Security Organization, Members, and Oversight
- Information Security Committee: The company has a committee dedicated to information security. Its responsibilities include creating and reviewing security policies, allocating resources, and assessing the effectiveness of security measures. Senior executives act as management representatives, ensuring coordination and promotion of information security management. The committee holds regular security meetings and reports to the Board of Directors.
- Executive Secretary and Members: The head of the Information Department serves as the committee’s executive secretary, providing assistance in related tasks. Department heads from Administration, Research and Development, Legal, Information, and Operations join as committee members, actively contributing to the development and implementation of information security projects and measures.
- On November 9, 2022, the Information Security Committee submitted a report to the Board of Directors, presenting the current information security policy and its implementation status.
Human Resource Security and Information Security Education and Training
- The company integrates information security into its personnel management processes, such as hiring, changes, and terminations. This ensures that employees are capable of implementing relevant security measures in their roles, reducing potential security risks.
- Regular education and training are provided to employees based on their job responsibilities and the current information security landscape. This promotes awareness of information security among the workforce and enhances the company’s overall security level.
- The company offers specialized courses or training for dedicated personnel to strengthen the skills of information security management staff and improve the company’s overall capability in managing information security.
- Employees receive periodic information security advisories to raise awareness and maintain vigilance. These advisories serve to keep employees informed and alert about potential security threats.
Identification of Information Assets, Risk Assessment, and Resource Allocation
- The company regularly identifies and protects its assets based on their importance. This involves collecting and classifying information assets, reviewing their confidentiality, availability, and integrity, assessing vulnerabilities and threats, and creating risk management plans. The company tracks these enhancement plans until improvements are implemented.
- In response to external security threats, the company continually strengthens its measures. This includes enhancing existing protection mechanisms and implementing additional safeguards such as Endpoint Detection and Response (EDR) software, as well as using multi-factor authentication (MFA) and other solutions.
Information Security Incident Reporting and Response
- The company joins domestic cybersecurity alliances to acquire and exchange cybersecurity information. This helps the company respond promptly to any cybersecurity issues.
- In the event of an information security incident within the company, the associated departments are responsible for promptly reporting the incident according to their roles and the incident classification system. They should follow prepared mitigation plans, take necessary actions, and document the process and outcomes. The reports are then submitted to the Information Security Committee.
Policy Adjustment and Revision
This policy is regularly reviewed by the Information Security Committee to ensure that it aligns with relevant laws, technology advancements, business developments, and current circumstances. The goal is to ensure that the policy remains appropriate, sufficient, and effective.