Specific management plans and resources devoted to information security management
The Company focuses on information security control, and the specific measures adopted for information security protection are mainly based on five aspects of information security management:
01 Staff Management
At the time of employment, the Company signs a “contract of employment” with the employee, which stipulates that the intellectual property rights of all creations and inventions made by the employee during the employment period shall be vested in the Company. At the same time, the Company signs a detailed “confidentiality agreement” with the employee, which stipulates that the employee is responsible for maintaining the confidentiality of all business information, technology, processes, programs, procedures, designs or any other confidential information that the employee may use in the design, sale or operation of the Company, whether during or after the termination of the employment contract.
In case of contract violation, the Company may impose penalties in accordance with the work rules and, depending on the seriousness of the situation, may pursue criminal liability. The Company uses various meetings to educate employees from time to time on topics including the protection of business secrets, access control rules, and the principles for disclosing information to the outside world, so that employees can establish correct concepts and develop good working habits.
02 Device Control
Antivirus software must be installed on all of the Company’s computer equipment. The system verifies that a computer meets the specifications before granting network connection authorization. Unauthorized computer equipment is strictly prohibited from accessing the Company’s network, and the system automatically blocks any unauthorized equipment so that non-compliant devices cannot affect the Company’s internal network and equipment.
03 Authority Management
To avoid theft and fraudulent use of accounts, Company employees are required to pass two-factor authentication (system account password + OTP one-time password) to access their personal computers. Each R&D project has strict permission control. Project members are required to submit a form to apply for access privileges. The information management staff will set the access privileges after the supervisor’s approval. Access privileges are reviewed once every six months to ensure the correctness of privilege management.
04 Data Management
The Company’s R&D-related data are stored in dedicated storage devices with high-availability redundancy, and project R&D data are controlled by privileges, allowing only authorized members to access them. The Company’s R&D data has a complete regular backup mechanism and is stored off-site to ensure disaster recovery capability in the event of a disaster.
05 Export Management
When a product is delivered to the customer, an application must be completed. The system then encrypts the data and uploads it directly to the dedicated space that the Company provides for the customer to download, without any manual intervention. This dedicated space accepts connections only from the specific IP devices provided by the customer, and the connection opening time is limited to one month.
Type | Item | Prevention Purpose | Information Security Management Resources Description |
Staff Management | Information security advocacy | Prevention reduces the chance of getting a virus | Information security advocacy for new hires; regularly share cases of major domestic and international information security abnormalities with employees |
Device Control | Antivirus software; untrusted device blocking | Prevention of software virus | Information security system procurement and implementation. The system determines that the computer meets the criteria before granting permission to connect to the network. If there is an unauthorized device accessing the system, the network will be blocked. |
Authority Management | Two-factor authentication; project authority control | Avoid account impersonation | Two-factor authentication system setup; internal R&D management system development |
Data Management | Professional storage equipment; local redundancy architecture; off-site data backup | Avoid data loss | Professional storage equipment procurement; professional backup software procurement |
Export Management | Automated system rotation; dedicated encryption space | Avoid data breach | Internal shipment management system development. When the product is delivered to the customer, an application form is required. After the approval of the relevant supervisor and sales contractor, the system will encrypt the data and upload it directly to the exclusive space provided by the Company for the customer to download without any manual intervention. The exclusive space allows only certain IP devices provided by customers to connect, and the connection opening time is limited to one month. |
Information Security Management Execution Overview
On August 3, 2023 the Board of Directors reported the following executive highlights for the year:
Item | Execution Details | Execution Results |
Microsoft Operating System Upgrade | Win7 & Win2008 operating systems are no longer provided with security updates. To minimize the potential security risk, the upgrade was performed as follows: Win 7 to Win 10 upgrade completion rate 100%; Win 2008 to Win 2019 upgrade completion rate 100%. | Any high-risk vulnerabilities in the operating system can be patched immediately and there are currently no major cybersecurity incidents. |
Server room UPS system battery replacement | The Eaton UPS system in the server room was relocated from the old office. During routine maintenance, it was discovered that the batteries had aged, resulting in an unstable power storage time. As a result, a planned replacement operation was carried out. After replacing the old batteries, the power storage time was extended from 15 to 50 minutes. | To prevent data corruption, ensure sufficient response time for critical server shutdown during unexpected power interruptions. |
Information Security Awareness Enhancement | To minimize the threat of phishing emails, the email rules have been adjusted. All emails from external sources have the “[External]” tag added to the subject line, and a “Reminder” is also added to the email text to remind colleagues to be more vigilant and exercise caution when clicking on links and attachments. | There are currently no major cybersecurity incidents. |
Simulation Computing Spatial Data Management | To prevent the failure of RD simulation jobs due to insufficient storage space, the Company has not only initiated new storage space procurement operations based on business needs but has also established an automated scanning mechanism, which automatically generates a weekly space usage report to provide RD colleagues with the ability to confirm and remove temporary simulation files to ensure that the frontline simulation space is maintained at a safe level. | The storage space has a real-time monitoring mechanism and regular space reviews are conducted. Currently, there have been no incidents of insufficient storage space. |