Information Security Management Methods
One. Information Security Guidelines Outline
  1. Preamble: The “Guidelines” are formulated as the Company’s management regulations to ensure the security of the Company’s data, information systems, information-related equipment, and network.
  2. Scope: The “Guidelines” apply to four groups: personnel, application systems, hardware equipment, and network facilities.
Two. Personnel management and education and training

The following tasks are planned to ensure that personnel meet the requirements of their work and to raise their awareness of protecting information assets:

  1. Provide the “Information Security Policy Awareness Course” to the new recruits.
  2. Draft an annual information security education and training plan for the personnel of departments that use computers.
Three. Computer system security management
  1. Management of information security incidents

    (I) Formulate the following operational procedures for handling information security incidents:

    1. Computer contingency plans
    2. Disaster recovery plan
    3. System malfunction report

    (II) Segregation of information security responsibilities

    1. The responsibility for managing and implementing key information work items should be separated as much as possible, that is, the necessary responsibilities should be assigned to the relevant personnel.
    2. As far as staffing allows, the following work items should be assigned to different personnel:
      1. Use of the application system
      2. Data filing
      3. Computer operation
      4. Network management
      5. System administrative management
      6. System development and maintenance
      7. Change management
      8. Security management

    (III) Security management of outsourced information operation

    1. The potential risks of outsourced information operations (such as cracked accounts or passwords, system sabotage, or data theft) should be evaluated in advance; an appropriate information security agreement should also be signed with the service provider, with the relevant security management responsibilities assigned and included in the contract.
    2. The following items should be noted in the information outsourcing service contract:
      1. The information confidentiality agreement to be complied with by the service providers
      2. The responsibilities and procedures of the service providers in handling and reporting incidents
      3. The cooperation and support expected from the service providers
  2. Prevention of computer viruses and malicious software (malware)

    (I) Control of computer viruses and malware

    The Company’s servers and personal computers must be equipped in advance with the necessary preventive and protective measures to prevent and detect the intrusion of computer viruses and malicious software. Employees should also be prompted to correctly recognize the threat of computer viruses, their information security awareness should be raised, and the system access control mechanism should be improved.

    (II) Important principles to be considered for computer virus prevention

    1. All units and users must comply with the software licensing regulations and are prohibited from using unauthorized software.
    2. Announce, from time to time, the dates and relevant information about potential outbreaks of severely hazardous viruses.
    3. Use computer anti-virus software in accordance with the following principles:
      1. Computer anti-virus software and virus patterns should be updated daily.
      2. Provide real-time scanning of computer systems and data storage media.
      3. Use virus disinfection software that can help remove computer viruses and restore system functionality.
  3. Software copyright control

    (I) The Company shall have software used in compliance with relevant laws and regulations and contracts.

    (II) Software copyright management should take into account the following items:

    1. Employees are prohibited from possessing or using unauthorized software.
    2. Employees are prohibited from installing software on computer equipment without prior authorization.
    3. Software to be used on computer equipment other than the software already licensed must carry a formal license or be purchased separately.
    4. Audit software use from time to time.
  4. Security management of daily operations

    (I) Make necessary data and software backups regularly in order to resume normal operations promptly in the event of a disaster or storage media failure.

    (II) Upon the occurrence of system errors, the responsible person shall be informed promptly and the necessary corrective action taken.

  5. Computer media management

    (I) Obsolete media containing confidential or sensitive material should be disposed of by dedicated personnel in a secure manner, such as by burning or shredding it, or by completely erasing the data from the media.

    (II) The process for disposing of computer media is as follows:

    1. The using unit shall fill out the “Information Requisition Form,” tick the “Other” box, and state the reason for scrapping and the name of the item to be scrapped, for the responsible person of the responsible unit to assess and decide.
    2. The responsible person of the responsible unit will go to the worksite to understand the problem at hand or to receive the media to be scrapped.
Four. Network security management
  1. Introduce a firewall with network monitoring capability to control data transmission and resource access between the external Internet and the Company’s internal network:
    1. The unit that needs to change the firewall policy shall fill out the “Information Requisition Form” for the review and approval of the responsible unit before initiating the firewall policy change operation.
    2. Once reviewed by the responsible unit and approved by the supervisor, the firewall policy change shall be carried out and the change date noted in the “Information Requisition Form.”
  2. Contract network security experts, when necessary, to diagnose security vulnerabilities in the Company’s network operating environment.
  3. The transmission of sensitive information over public networks must be protected by encryption measures, such as VPN connection management.
  4. User accounts for the Company’s employees are established by designated personnel of the Administration Office. New recruits shall fill out an application form when reporting for duty, for processing by the Information Department. The Information Department shall cancel the user account of a resigning employee on the date the resignation takes effect.
  5. The network system administrators may not read the personnel files or materials of employees without the permission of the general manager or higher authority.
  6. To protect the Company’s intellectual property rights, it is forbidden to connect a computer, without authorization, to any USB drive, CD-ROM, IC programmer, modem, or other peripheral device with storage, reproduction, or communication functions, except for USB drives, CD-ROMs, and IC programmers issued after review or used with the consent of the responsible supervisor.
  7. Another person’s computer, or any unauthorized computer, may not be used without permission. Computers shall activate the screen saver after being idle for more than 10 minutes.
  8. Information equipment may not be moved without the authorization of the management unit. When employees resign or report for duty, the information equipment is to be relocated by the management unit.
  9. Unauthorized software may not be installed or used. Software needed for job performance shall be acquired centrally through the regular purchase procedure, with the approval and countersignature of the responsible unit.
  10. Pornographic files may not be stored on the Company’s network, and illegal or inappropriate content, or content that offends public morals, may not be distributed on the Internet.
  11. It is prohibited to use the Company’s network to engage in illegal or unjust personal gain.
  12. It is prohibited to download, place, or transmit any files not related to work, such as video game programs and music files.
  13. Confidential and sensitive information and documents shall not be stored in information systems accessible to the public.
  14. Network system administrators may monitor the use of network data, check for any violations of information security regulations, and notify the direct supervisors as necessary.
  15. Use an uninterruptible power supply system (UPS) for necessary network hardware.
  16. E-mail security management guidelines

    (I) E-mail should be kept safely by its recipients.

    (II) The Company’s confidential information shall not be disclosed by e-mail or other means.

    (III) Do not open e-mail from unknown sources, to avoid activating malicious files.

    (IV) Do not send harassing e-mails that cause discomfort or inconvenience to other users.

Five. System access security management
  1. User access management:

    (I) User account management: Regularly check and cancel unused IDs and accounts.

    (II) Password management: Users shall change their password immediately upon first use.

    (III) System access right management: Regularly evaluate and review the access rights of ERP users.

  2. Security control of network access: Repair and maintenance service providers who access the Company’s computer network system by remote login through the communication port must have the “Information Requirement Application Form” filled out and approved in advance. The remote login account for this system shall be disabled once the applied-for period ends.
Six. System development and maintenance security management
  1. The security requirements of each of the Company’s application systems are determined by the requirements of the respective business unit. The relevant controls, authorization, scope of use, etc. are all proposed by the department head and, after confirmation, included in the system planning and design guidelines.
  2. A change control procedure should be established to safeguard the system’s security controls. A system change must have the approval of the responsible management personnel. The following matters should be taken into account when establishing the change control procedure:

    (I) Carry out the change operation according to the authorization stipulated in advance.

    (II) The changed system operation must be accepted by the system user.

    (III) Check the system security controls and the correctness of procedures to ensure that the system’s original security control measures are not affected or disrupted by the change operation.

    (IV) It is necessary to establish a software version control mechanism.

Seven. Physical and environmental security management of information equipment
  1. Equipment security management:

    (I) Equipment should be placed in an appropriate location to reduce the risk of danger and unauthorized access due to an unsafe environment.

    (II) It is necessary to check and evaluate the harms to the equipment by fire, smoke, water, dust, vibration, chemical effects, power supply, electromagnetic radiation, etc.

    (III) Smoking, beverages, and food are prohibited in the computer work area.

  2. Computer room security management

    (I) Computer room setup

    1. The important information equipment of the Group and each business unit (department) shall be stored and operated in a computer room.
    2. Information equipment should be placed in an appropriate location to reduce the risk of danger and unauthorized access due to an unsafe environment.
    3. Information equipment should be placed in a location where personnel do not need to go in and out frequently. Computer hosts holding confidential data should be placed where nearby management personnel can observe and look after them.
    4. The information room should be protected against water leakage, moisture, dust, fire, shock, and lightning; it should also have appropriate lighting and floor area, with room for expansion in response to business development.
    5. The communication services and channels in the information room should be kept unobstructed.
    6. The information room shall be equipped with water-free and non-corrosive fire-fighting equipment, which should be maintained, cleaned, and recorded regularly.

    (II) Environmental management

    1. Smoking, beverages, and food are strictly prohibited in the computer room; also, personal belongings may not be stored in the computer room.
    2. The network cable and power cable should be placed in the cable duct or fixed on the cabinet, which should not be exposed in the aisle.
    3. Personnel in the computer room may not connect cables or turn off equipment power without permission.
    4. The aisle of the computer room should be kept clear for easy handling of objects, performing maintenance service, and arranging evacuation.

    (III) Computer room environmental control

    1. The information room should be equipped with monitoring equipment for monitoring temperature, humidity, uninterruptible power supply system, air-conditioning, fire-fighting equipment, etc.
    2. The environmental control equipment should be able to indicate the abnormal state immediately.

    (IV) Power standard

    1. The information room shall be equipped with an independent, stable, and safe power supply system with the possibility of capacity expansion in response to business development.
    2. The uninterruptible power supply system or backup power supply is intended solely for equipment without electromagnetic interference, to maintain normal system operation during a power outage and to provide buffer time for manual processing.
    3. The uninterruptible power supply system should have capacity reserved for expansion in response to business development (the power load should generally be kept below 50%).
    4. Power extension cords should be used with caution to avoid safety hazards, such as fire caused by electrical faults.
    5. Good grounding should be provided, with a grounding resistance of less than 1 ohm; independent grounding is preferred.
    6. Power distribution is planned according to the specifications provided by the manufacturer.

    (V) Temperature, Humidity, and Fire Control

    1. The information room should be equipped with independent air conditioning, and the information equipment should be operated at an appropriate temperature (20-26 degrees Celsius) and humidity (relative humidity 30-80 degrees).
    2. The temperature and humidity should be adjusted accordingly for the information equipment that is with special requirements in temperature and humidity.
    3. The information room should be equipped with a fire extinguishing system.
    4. The management personnel of the information room should be familiar with the operation and location of the fire extinguishing system. When an alarm goes off, its root cause must be investigated, appropriate measures taken, and immediate support provided.

    (VI) Equipment storage

    1. Information equipment should be clearly labelled, and a detailed inventory prepared and maintained.
    2. Information equipment must be positioned stably and protected from dropping. All network lines must be clearly marked with their purpose and number. Cable and equipment management shall be handled in accordance with relevant regulations.
    3. A user who uses information equipment for a non-work-related purpose, for a purpose other than the authorized one, or in any other inappropriate manner shall be warned. A user who commits a serious violation in using the information equipment shall be disciplined in accordance with the relevant provisions of the “Employee Reward and Discipline Regulations.”

    (VII) Access control

    1. The information room should be locked at all times, with the key held by designated information personnel. A custodian list should be established and treated as one of the items handed over to a successor.
    2. The responsible unit shall properly control the entry and exit of authorized personnel. A record of authorized personnel’s entry to and exit from the information room, including unit, name, reason, and entry and exit times, should be kept and checked regularly.
    3. Vendor personnel and other unauthorized personnel may enter the information computer room only with the approval of the responsible supervisor and accompanied by authorized personnel.
    4. All equipment changes in the information room must be approved by the responsible supervisor and handled in accordance with relevant regulations.
    5. The equipment in the information room may not be operated by anyone other than system management personnel acting on business needs.

    (VIII) Computer room log

    1. The responsible unit should designate a person to keep the computer room log on a regular basis, recording equipment operation status, equipment utilization rate, indicator signs, backup files, current and voltage, temperature/humidity, handling of change/abnormal conditions, regular backup equipment testing, etc.; the log should be checked regularly.
    2. A major incident crisis handling report should be prepared when a major accident occurs in the computer room (such as a malfunctioning computer host or abnormal temperature control) to facilitate subsequent handling.
Eight. Information system recovery plan
  1. Preamble

    To protect the Company’s assets from damage, whether such damage is caused by internal or external factors, by human action, intentionally, or accidentally, a comprehensive information security recovery mechanism should be established to ensure that all information security measures and procedures are in place and operating normally, and that all systems can be restored to normal operation smoothly and correctly; therefore, this recovery plan (hereinafter referred to as “the Plan”) is hereby formulated.

  2. Recovery plan

    This recovery plan focuses on the information system. Information security notification, emergency response, recovery of computer room service from an interruption, and other recovery measures should be handled in accordance with the normal processing procedures. The aim is to restore the normal operation of the information equipment in the shortest possible time with minimal resulting impact.

    (I) The equipment shall be restored within the time specified below:

    Items                                      Recovery time   Remarks
    Physical equipment in the computer room    72 hours
    System service                             72 hours
    Internet service                           48 hours        Except for causes not attributable to factors within the Company’s control, such as telecom operators

    (II) The malfunctioned information equipment should be restored according to the importance and priority of the respective equipment.

    (III) In order to ensure that all data can be restored normally and smoothly, important system data inside each item of information equipment should be backed up and stored at separate locations to ensure the confidentiality, integrity, and availability of the backup data.

    (IV) The malfunctioned information equipment should be reported to the responsible supervisor in accordance with the regulations; also, an emergency response plan should be activated to have it repaired and recovered.

    (V) The maintenance (warranty) service provider should be informed immediately of any damaged physical equipment; the service provider should also supply replacement equipment of the same or higher level for use until the damaged equipment is repaired.

    (VI) The backup data of the damaged system or software should be restored in accordance with the regular operating procedure.

  3. Logistical support

    (I) The responsible unit should establish a list of maintenance vendors for equipment, software, UPS, and air conditioning to facilitate emergency contact.

    (II) Logistical resources, such as UPS, fire extinguishers, and air conditioners, should be maintained regularly to ensure their functionality.

  4. Recovery plan drill

    All drill records should be properly safekept for future reference.

  5. Conclusion

    This recovery plan should be reviewed annually to ensure its continued compliance.
    The “Guidelines” shall be announced for implementation upon the approval of the President, as shall any amendments.
    Formulated on March 25, 2020.