- Information security risk
In accordance with relevant laws and regulations, the Company shall take into account company goals to conduct information security risk assessment, determine various information security requirements, and adopt necessary information security measures to ensure continual operations and minimize operating losses.
Network and Information structure
Chunghwa Telecom FTTB VPN and ADSL VPN are used as backups for the main network connections of the Company's bases. Each of the Company's bases is directly connected to the Internet.
The Company's information systems are mainly divided into two categories. The first category is the common systems that support the operations of the Company's information environment, including e-mail, anti-virus, anti-spam systems, and file servers. The second category is the operational application systems for accounting management, human resources, business operations, production management, and manufacturing. The servers that support these systems include Windows Server and IBM AS/400.
Information security policy
For information security management, the Company has formulated the "Guidance for Information Security Management" for implementing information security.
Information security and cyber risk analysis
| Name of the asset | Risk event: weakness | Risk event: threat | Existing control measures |
|---|---|---|---|
| Server | System vulnerabilities | System hacked | Routinely fix system vulnerabilities |
| Server | No system backup | Difficult system recovery | System virtualization and backup on different hosts |
| Server | No data backup | Data corruption | Duplicate hard disk backup and tape backup |
| Server | No strict control over accounts | Unauthorized access; data breach | Account passwords must meet complexity requirements and be changed regularly |
| Server | Natural disaster | System crash | Set up a remote backup system |
| PC | System vulnerabilities | System hacked | Install Windows Server Update Services (WSUS) for system security updates |
| PC | Computer virus | Malware infection | Establish a centralized antivirus system for cyber security monitoring and incident resolution |
| Application system | No periodic authorization checks | Unauthorized access to information | Annual review of user permissions |
| Application system | No stringent program testing | Data error | Rigorous operating procedures for program modification |
| Employees | Lack of cyber security awareness | Malware infection; stolen accounts and data | Information security awareness campaigns on an irregular basis |
The impact of information systems malfunction on the Company's business and countermeasures
To ensure uninterrupted service, the Company will gradually establish high-availability remote hosts and a data backup mechanism for its information systems according to their risk level. Backup media will be sent to remote storage, and system backup and recovery drills will be strengthened to ensure normal operation of the information systems and preservation of data, thereby lowering the risk of system interruption caused by unexpected natural disasters or human negligence while ensuring that recovery time meets expectations.
According to recent cyber threat analysis, threats mostly originate from external hacking, followed by human negligence and a lack of information security awareness among internal employees, while the root causes of these information security incidents are system vulnerabilities or the execution of unknown malware. We will therefore place more emphasis on the execution of the corresponding tasks. Although we have a backup and recovery mechanism as the last line of defense after an information security incident, losses from such incidents may be greatly reduced if precautions are taken beforehand.