The Eurocharm Group, to implement information security management, has established a dedicated cybersecurity unit with one cybersecurity manager and two cybersecurity personnel responsible for cybersecurity management across the company’s operational processes, compliance with cybersecurity laws and regulations, personnel cybersecurity awareness training, automated production processes, personal privacy protection, customer cybersecurity requirements, and cybersecurity measures for emerging technologies.

Referring to the Taiwan Cyber Security Management Act and following the Financial Supervisory Commission’s “Guidelines for Information Security Control of Listed and OTC Companies,” our company regularly conducts internal information security inspections to ensure the effectiveness and maturity of our cybersecurity management. The results of these security checks are consolidated and reported to the board of directors on a quarterly basis.

In the fiscal year 2023, our company did not experience any complaints related to the infringement of customer privacy or the loss of customer data.

Information Security Policy

Purpose
To ensure the security of data, systems, equipment, and network communications, our company has established an information security management framework. This framework aims to effectively reduce the risks associated with human errors, intentional acts, or natural disasters that may lead to the theft, improper use, leakage, alteration, or damage of information assets. The primary goal is to uphold the confidentiality, integrity, and availability of information.

Scope
The scope of our company’s information security management encompasses all subsidiaries, branches, personnel involved in information operations, management systems, applications, data, documents, storage media, hardware equipment, and network facilities.

Content
1. Establish a dedicated information security unit within the organization to drive information security initiatives.
2. Evaluate personnel appointments and job assignments, and establish controls and manpower backup systems for personnel leaving, on leave, suspended, or transferred.
3. Conduct regular information security education and training to enhance staff awareness and competence.
4. Establish a system for the safekeeping of information assets, efficiently allocating, utilizing, and managing information resources.
5. Assess the security levels of information assets and grant appropriate access permissions to relevant personnel.
6. Consider anti-damage and anti-theft design for buildings, and reinforce control over important facilities and specific areas.
7. Enhance computer network defense technology to block external intrusion and damage in a timely manner.
8. Establish control systems and maintain comprehensive records for computer system additions or changes to facilitate auditing.
9. Develop an information emergency response mechanism and a disaster recovery and business continuity exercise plan, conducting regular drills and documenting test results.
10. Adhere to operational specifications from supervisory authorities and update relevant information regulations in a timely manner to comply with legal requirements.

Information Security Risk Management Framework and Execution Strategy

Information Security Risk Management Framework

Our company’s information security management framework is built upon the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), creating a comprehensive and effective information security risk management framework.

The information security management adopts the NIST CSF 2.0 version, which includes six functions: “Govern”, “Identify”, “Protect”, “Detect”, “Respond” and “Recover”, along with their respective information security controls. This ensures our company has comprehensive capabilities to respond effectively to cybersecurity threats. The following outlines our control measures:

  • Govern: Establish organization-wide information security risk management policies, ensuring that security control measures comply with regulatory standards. Develop clear guidelines to guide internal operations in information security.
  • Identify: Confirm information assets, conduct risk assessments, and analyze the business operational environment to ensure a thorough understanding of the cybersecurity challenges faced by the company.
  • Protect: Implement appropriate information security policies, procedures, and technical measures to maximize effectiveness with limited resources and reduce information asset security risks.
  • Detect: Establish monitoring systems to ensure early detection of any potential security incidents for prompt response.
  • Respond: Establish a cybersecurity incident response team to swiftly respond to security incidents and minimize potential losses.
  • Recover: Develop comprehensive business continuity and recovery plans to ensure the organization can quickly return to normal operations in the event of disruptions.

Information Security Risk Management Execution Strategy

The execution strategy of our company’s information security risk management is built on three lines of defense to ensure comprehensive cybersecurity protection:

First Line of Defense: Information Unit and Internal Units
In this layer, the Information Unit and internal units jointly take responsibility for the execution of information security. Their duties include ensuring the comprehensive implementation of security policies and the correct execution of security operations.

Second Line of Defense: Security Unit
Managed by the security unit, this layer covers the formulation and management of security procedures and oversees the overall implementation of information security risk management, monitoring and promoting its adoption across the company.

Third Line of Defense: Audit Unit
Managed by the audit unit, this layer confirms the effectiveness of information security risk controls and audits internal information security practices to ensure compliance and efficiency, in line with the internal control audits related to information security.

Information Security Management Operations

Employee Information Security Education and Training

On December 11, 2023, VPIC1 in Vietnam conducted ISO 27001:2022 Information Security Management System education and training for Vietnamese staff responsible for information security in various departments. A total of 59 personnel participated.

Incorporate external cybersecurity and threat intelligence alliances

In November and December 2023, our company successively joined cybersecurity intelligence units in Taiwan and Vietnam. It regularly receives external threat intelligence, such as product vulnerabilities, information on hacker organizations’ attacks, and detections of cybersecurity attacks within the group’s domain. By leveraging the strength of external alliances, the group enhances its cybersecurity intelligence sources. This enables cybersecurity personnel to comprehensively safeguard the group’s information assets, network security, production security, and overall information security.

Regular issuance of cybersecurity newsletters

Since November 2023, our company has initiated the regular distribution of a cybersecurity newsletter to senior management, managers, and deputy managers. The content of the newsletter includes recent cybersecurity news, noteworthy topics or issues in cybersecurity, and cybersecurity general knowledge, aiming to enhance the cybersecurity awareness of the group’s management team.