Economic Sustainability

In accordance with relevant laws and regulations, the Company shall, taking its goals into account, conduct information security risk assessments, determine information security requirements, and adopt the necessary information security measures to ensure continual operations and minimize operating losses.

Network and Information structure

Chunghwa Telecom FTTB VPN and ADSL VPN are used as backups for the main network connections of the Company's bases. Each of the Company's bases is directly connected to the Internet.

The Company's information systems are mainly divided into two categories. The first category is the common systems that support operations in the Company's information environment, including e-mail, anti-virus, anti-spam systems, and file servers. The second category is the operational application systems for accounting management, human resources, business operations, production management, and manufacturing. The servers that support system operations include Windows Server and IBM AS400.

Information security policy

For information security management, the Company has formulated the "Guidance for Information Security Management" for implementing information security.

Information security policy
  1. Information security management regulations should comply with legal and contractual requirements.
  2. Maintain the integrity and availability of information.
  3. Limit access to confidential information.
  4. Ensure that authorized users can access files and resources.
  5. Prevent unauthorized use.
  6. Prevent accidental damage to hardware, software, and other resources.
  7. Prevent vandalism of hardware, software, and other resources.
  8. Prevent improper use of network resources.

Information security and cyber risk analysis

| Name of the asset | Risk event: Weakness | Risk event: Threat | Existing control measures |
|---|---|---|---|
| Server | System vulnerabilities | System hacked | Routinely fix system vulnerabilities |
| Server | No system backup | Difficult system recovery | System virtualization and backup on different hosts |
| Server | No data backup | Data corruption | Duplicate hard disk backup and tape backup |
| Server | No strict control over the account | Unauthorized access; data breach | The account password must meet complexity requirements and be changed regularly |
| Server | Natural disaster | System crash | Set up remote backup system |
| PC | System vulnerabilities | System hacked | Install Windows Server Update Services (WSUS) for system security updates |
| PC | Computer virus | Malware infection | Establish a centralized antivirus system for cyber security monitoring and incident exclusion |
| Application system | No periodic authorization checks | Unauthorized access to information | Annual review of user permissions |
| Application system | No stringent program testing | Data error | Program modification for rigorous operation processes |
| Employees | Lack of cyber security awareness | Malware infection; stolen account and data | Information security advocacy on an irregular basis |

The impact of information systems malfunction on the Company's business and countermeasures

To ensure uninterrupted service, the Company will gradually establish a high availability remote host and data backup mechanism for the information system structure based on its risk level. Backup media will be sent for remote storage, and system backup and recovery drills will be strengthened to ensure normal operation of the information systems and data preservation, thereby lowering the risk of system interruption caused by unexpected natural disasters and human negligence while ensuring that recovery time is in line with expectations.

According to recent cyber threat analysis, threats mostly come from external hacks, followed by human negligence and a lack of information security awareness among internal employees, while the root causes behind these information security incidents are system vulnerabilities or the execution of unknown malware. Therefore, we will subsequently attach more importance to task execution. Although we have a backup and recovery mechanism as the last line of defense after information security incidents, losses from such incidents may be greatly reduced if precautions are taken.

Copyright © 2006 TUNG HO STEEL ENTERPRISE CORP. All Rights Reserved