Information Security

Information security management is a crucial aspect of corporate governance. To fulfill our responsibility of protecting the information of our customers, suppliers, and employees, HIWIN has implemented various information security systems and tools over the years. In order to enhance the systematic approach to information security management and validate its effectiveness through external third-party verification, the Company initiated the ISO 27001:2013 information security management system formulation and implementation project in mid-2022. Additionally, HIWIN established an Information Security Committee at the end of 2022 and issued a policy statement on information security management. This demonstrates the commitment and support of our management towards information security, ensuring that all employees recognize its significance.

Information Security Management Policy Statement

(1) Establish an organization to ensure the smooth operation of the information security management system.

(2) Implement an information monitoring and control mechanism. All personnel, including full-time employees and outsourced personnel (such as on-site manufacturers, part-time personnel, and consultants), have the responsibility and obligation to protect the relevant information of the business they are responsible for. They must ensure the confidentiality, accuracy, and availability of the Company’s essential information.

(3) Properly separate employees’ responsibilities and grant them only the necessary permissions and essential information required for their job.

(4) Personnel recruitment should include necessary assessments, signing relevant specifications, and participation in information security educational training. Employees should understand that maintaining information security is their obligation in their daily work.

(5) Offices or areas with information security controls should implement entry and exit control measures.

(6) Set up necessary security facilities to protect the internal and external networks. Establish appropriate backup or monitoring mechanisms for important equipment. Employees are not allowed to connect the Company’s internal network with the external network without permission.

(7) Employees’ personal computers should have anti-virus software installed and regularly update virus definitions. The use of unauthorized software should be prohibited.

(8) Employees should be responsible for their personal accounts, passwords, and permissions. Management personnel should regularly conduct audits and reviews.

(9) Security control mechanisms should be considered during system development at the initial stage. For outsourced development, strengthen control over service suppliers and clearly define information security requirements in the service contract.

(10) Employees should remain vigilant at all times for potential security incidents, security vulnerabilities, or violations of security policies and procedures. They should report such incidents according to the established procedures.

(11) Establish a business continuity management mechanism and regularly conduct test drills to ensure its effectiveness.

(12) Information security measures must comply with laws and information security policy requirements. The establishment and modification of all information security regulations or procedures must adhere to the mechanisms of the information security management system.

Information Security Management Strategies

HIWIN has established a dedicated information security supervision organization, which operates under the information management executive department and involves senior executives in oversight. A security management review meeting is held annually to report on the status of information security management to the Chairman, Presidents, and other members of the Information Security Committee. To ensure organizational integration, the heads of various departments are included in the information security supervision organization to oversee the implementation of information security management.

(1) Responsibilities: The President serves as the Chairman of the Information Security Committee, which oversees the Information Section. The Information Section consists of 5 subgroups, including the Risk Management Group, as well as the Audit Section and departmental supervisory managers. Collectively, they establish objectives and strategies for information security, and are responsible for managing all related matters.

(2) Senior Management Participation: The Chairman announces the Company’s objectives and policies regarding information security. They actively participate in supervising the performance assessment system to ensure the achievement of information security goals. This approach guides the development and implementation of information security policies.

(3) Implementation and Promotion: All department heads are included in the Information Security Committee to oversee and handle security matters. This promotes employee awareness of the importance and necessity of information security, and guarantees the implementation of security control measures.

(4) System Culture: Introduce the ISO 27001:2013 information security management system and implement continuous improvement of our current information security measures using the PDCA approach. This will ensure that information security becomes an integral part of our corporate culture.

Integrate Information Security into Corporate Culture

To implement information security goals and policies, HIWIN provides information security awareness training for all system users, making it an integral part of our corporate culture. Additionally, advanced training is offered to system management personnel.

(1) Multiple Channels to Disseminate Information Security Messages

① The training for new employees covers information security awareness and general principles of information security management. This ensures that employees understand the concept and importance of information security.

② Information security promotion messages are continuously displayed through the attendance check-in kiosk device installed in each workplace.

③ Each time employees log in to their computers, a mandatory pop-up window appears, providing information on data protection, intellectual property rights, and basic system security management principles. This helps employees become familiar with the requirements of information security management.

④ Employees who violate information security regulations or protection guidelines/announcements will be subject to appropriate disciplinary action, based on the severity of the circumstances as outlined in the violation notification or information security incident notification. This demonstrates the Company’s commitment to maintaining information security.

(2) Drills to Assess Information Security Measures

① Outsourcing social engineering attack simulations to assess the effectiveness of employee training on information security awareness and behavior, and subsequently reviewing the results for enhancement.

② Submitting benchmark industrial control products to the information security assessment for industrial control products organized by the Institute for Information Industry, validating information security requirements throughout the product development processes.

(3) International Information Security Standards

The core system has implemented the ISO 27001:2013 management system, effectively integrating current information security operations, processes, and forms. The certification was obtained in March 2023 through an audit and recommendation process.

Information Security Control Measures

In 2022, we not only continued to utilize our current system tools but also implemented the MDR (Managed Detection and Response) service, which has been ranked as the top service in the international Gartner evaluation. This service provides round-the-clock monitoring of system activities by dedicated personnel, enhancing the security of our servers and endpoints. When a threat is detected, both the system and dedicated personnel are promptly engaged to respond, ensuring the most effective passive defense.

Response to New Information Security Threats

In recent years, the annual increase in encryption-based ransomware attacks has posed a growing threat. Managing risks and swiftly restoring operations has become a crucial concern in information security management. To address these risks, we have implemented the following measures, tailored to the level of risk:

Continuous Improvement of Application System Information Security

Since HIWIN develops most of the core information application systems, continuous improvement of information security functions can help achieve the organization’s information security goals and strategies. In 2022, we successfully implemented 92 application security enhancements across eight key areas, including external system protection, technical risk mitigation, system permission control, enhanced identification tracking, software development protection, data security, physical file protection, and optimization of verification mechanisms.