Information Security
To safeguard the confidentiality, integrity, and availability of information assets, and to protect customer privacy and personal data, we have established an "Information Security Policy." Through the collective efforts of all employees, the Company aims to achieve:
Confidentiality
Ensure that only authorized personnel can obtain information and avoid information leakage.
Integrity
Ensure that information is not subject to unauthorized tampering and that information-processing methods are correct.
Availability
Ensure that authorized users can obtain information and use related assets when needed.
Information Security Committee
Unimicron has set up an "Information Security Committee" to manage information protection at its Taiwan Facilities and Mainland China Facilities. In 2022, the Company appointed a Chief Information Security Officer (CISO) and a dedicated team. They lead biweekly meetings, improve operations through PDCA reviews (covering internal advocacy and drills, asset inventory and classification, data access control, alerting, and similar activities), report regularly to the Chairperson and senior executives, and pursue international certification to reduce information security risk and protect customer privacy. In 2023, the CISO reported to the Board of Directors. A summary follows:
- Define and promote key information security indicators across the Group.
- Present trends from key customer information security assessments.
- Assess internal and external risk and align with information security projects.
- Summarize the 2023 activities of the Information Security Committee.
- Outline the status and development plan for information security talent.
In 2023, the Company met the information security requirements of customers and passed third-party audits without major deficiencies. No violations led to customer data breaches or fines.
Unit | Responsibilities |
---|---|
Information Security Team | Host security meetings; formulate security policies and strategies |
Information and Communication Tech. | Systems and technical management assessment; security system maintenance and permission adjustment |
Human Resources | Training scheduling and announcement; staff regulations and reward/punishment process |
Audit | Effectiveness assessment of security policies; security incident escalation and follow-up |
Legal | Tracking of security-related laws and regulations; legal interpretation and consulting |
Intellectual Rights | Assistance with trade secret and patent asset review and value definition; maintenance of the trade secret and patent system |
Strategic Business Unit | Promotion of security policies to departments and follow-up; relaying departmental feedback and bridging business units and the committee; response to security incidents in business units |
Information Security Program
To safeguard customers' intellectual property and confidential documents, Unimicron has established a comprehensive “Information Security Policy” and secures ISO/IEC 27001 certification annually. We conduct risk assessments, training, and manage cybersecurity, system operations, terminal computers, abnormal behavior detection, IDC management, and anti-virus and anti-hacking measures at our Taiwan and Mainland China Facilities. The addition of a Security Operation Center (SOC) enhances our monitoring and incident response capabilities. We continuously review and refine our security framework to meet business continuity needs and regulatory standards, ensuring customer data security.
Risk Assessment
- Measures: We assess risks and management measures using ISO 27001 and biweekly committee meetings, with reports submitted every two months.
- Outcome: Enhanced the security of the supplier data exchange platform by transitioning from FTP to SFTP, fortified protection for 823 high-risk machines, expanded the SOC to Unimicron Technology (Suzhou), and developed SOPs for biometric access control, cloud architecture, and information security reviews.
Training
- We offer three regular training sessions—on "Information Security," "Trade Secret Protection," and "Patent and Copyright Protection"—both in-person and online. We also perform an annual inventory and classification of trade secrets to protect Company and customer data.
Abnormal Behavior Detection
- Extended Managed Detection and Response (MDR) coverage to 337 important machines in key plants.
Terminal Computer Management
- Minimize administrative privileges by reclaiming administrator access for users in Taiwan and Mainland China Facilities.
Anti-virus and Anti-hacking Management
- Establish a vulnerability management system and tracking mechanism.
- Implement network firewalls and intrusion detection systems to detect, block, and alert on external threats. Collaborate with external security organizations for SOC services and round-the-clock incident analysis.
System and Cybersecurity
- Completed 12 vulnerability scans and bug fixes in line with "Cyber Security Control Guidelines for TWSE/TPEx Listed Companies" and customer requirements.
- To strengthen software security under the "Cyber Security Control Guidelines for TWSE/TPEx Listed Companies," we initiated a source code scanning project in 2023 and remediated all identified findings (100% correction rate). The next phase will focus on key internal projects to further improve security and reduce remediation costs.
- Enhanced machine visibility with a new registration system, improving transparency of software and hardware.
- Implemented encryption for the Group's HR system in response to the Legislative Yuan's increase in fines for personal data protection violations.
- Scanned and mitigated risks for specific brands of industrial control equipment and PLCs.
IDC Management
To secure the physical IDC and protect customers' data, we utilize the following systems to build a secure environment:
- Central Access Control: Regulates access, logs entries and exits, and integrates facial recognition.
- CCTV System: Provides 24-hour surveillance with automatic alarms for intrusions.
- Environmental Control: Monitors temperature, humidity, and power continuously.
2023 Information Security Management Results
Definition and Management of Machine Risk
Machines at each plant are classified into four levels (A, B, C, and D) based on their level of protection and resilience; the 823 high-risk (level A) machines have been remediated.
Supply Chain Information Security Management
326 key suppliers are required to implement Sender Policy Framework (SPF) for their mail domains and Transport Layer Security (TLS) for data exchange to ensure data safety during exchanges.
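Requiring SPF is only useful if the published record actually rejects unauthorized senders. The following is an added example (not Unimicron's own tooling) of the kind of check a supplier-onboarding team could run on the SPF part of this requirement: it lints an SPF TXT record for the RFC 7208 pitfalls that silently make a record ineffective, namely a missing version tag, more than one SPF record on the domain, a permissive `+all` or `?all` terminator, a missing `all` term, and more than ten DNS-lookup mechanisms (which yields permerror). All records and domain names below are constructed placeholders; a live check would fetch the TXT records with a DNS resolver and pass them to `select_spf`.

```python
"""Lint supplier SPF records against the RFC 7208 rules that matter in practice.

Added example, not Unimicron's own tooling. All records below are constructed
samples with placeholder domains.
"""
import re

# Mechanisms and modifiers that each cost one DNS lookup (RFC 7208 s. 4.6.4).
# An evaluation that needs more than 10 yields "permerror", i.e. no protection.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def lint_spf(record: str) -> dict:
    """Return {'valid', 'all', 'lookups', 'findings'} for one SPF record string.

    'valid' means the record would actually reject unauthorised senders:
    it starts with v=spf1, terminates in -all (hard fail) and stays within
    the lookup limit. Anything weaker is reported in 'findings'.
    """
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "all": None, "lookups": 0,
                "findings": ["missing v=spf1 version tag"]}

    lookups = 0
    all_qualifier = None
    has_redirect = False
    for term in terms[1:]:
        qualifier, body = "+", term
        if body[0] in "+-~?":
            qualifier, body = body[0], body[1:]
        # Mechanism name is everything before ':', '=' or '/' (e.g. ip4:, a/24).
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        elif name == "ptr":
            findings.append("ptr mechanism is deprecated and unreliable")
        elif name == "all":
            all_qualifier = qualifier
            if qualifier == "+":
                findings.append("+all authorises every sender; record gives no protection")
            elif qualifier == "?":
                findings.append("?all is neutral; record gives no protection")
            elif qualifier == "~":
                findings.append("~all soft-fails; move to -all once sending sources are inventoried")

    if all_qualifier is None and not has_redirect:
        findings.append("no 'all' term; unmatched senders get an implicit neutral")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS} (permerror)")

    valid = all_qualifier == "-" and lookups <= MAX_LOOKUPS
    return {"valid": valid, "all": all_qualifier, "lookups": lookups,
            "findings": findings}


def select_spf(txt_records: list[str]) -> dict:
    """Pick the SPF record out of a domain's TXT records and lint it.

    A domain with zero or more than one v=spf1 record has no usable SPF
    policy (RFC 7208 s. 3.2 and 4.5), so both cases are reported as invalid.
    """
    spf = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return {"valid": False, "all": None, "lookups": 0,
                "findings": ["no SPF record published"]}
    if len(spf) > 1:
        return {"valid": False, "all": None, "lookups": 0,
                "findings": [f"{len(spf)} SPF records published (permerror)"]}
    return lint_spf(spf[0])


# Constructed supplier records (placeholder domains), in the shape an
# onboarding script would get back from TXT lookups.
SAMPLE_SUPPLIERS = {
    "good-supplier.example": [
        "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example -all",
        "site-verification=abc123",
    ],
    "soft-supplier.example": ["v=spf1 a mx include:_spf.crm.example ~all"],
    "open-supplier.example": ["v=spf1 +all"],
    "twice-supplier.example": ["v=spf1 -all", "v=spf1 mx ~all"],
    "bloated-supplier.example": [
        "v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"
    ],
}

if __name__ == "__main__":
    for domain, txt in SAMPLE_SUPPLIERS.items():
        result = select_spf(txt)
        status = "OK  " if result["valid"] else "FAIL"
        print(f"{status} {domain}: lookups={result['lookups']} "
              f"all={result['all']} {'; '.join(result['findings'])}")
```

Only the first sample passes; the others show the usual ways a supplier can "have SPF" and still be spoofable. A TLS check for the data-exchange side (certificate validity, protocol version, cipher suite) is a separate test and is not covered here.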
Internal Information Security Advocacy and Drill
Training Course
Course | Participants | Employees Should Be Trained | Employees Trained | Completion Rate (%) | Course Hours |
---|---|---|---|---|---|
Information Security Advocate | Job level 5 (inclusive) and higher in Taiwan and Taiwanese employees stationed in Mainland China (including DL) | 5,074 | 5,049 | 99.51 | 3 |
The Law and Ethics of Trade Secrets | | | | | |
Trade Secret Advanced Course | | | | | |
Intellectual Property Rights | | | | | |
Note 1: The training ran from July 1 to Sep. 8, 2023; employees who joined before March 31, 2023 were required to complete it. Employees who started on or after April 1, 2023 and had not completed the training are included in the following year's roster.
Note 2: Among the 25 untrained persons, 1 was on injury leave and 1 was on long-term sick leave.
In 2023, we conducted three unannounced phishing email drills per employee and held a company-wide E-Learning information security course in Q4 to boost employee awareness.
Drill
Email Drill | Test Subjects | Result | Enhancement Measures |
---|---|---|---|
First Test | Employees with email accounts | Opened the malicious link and entered account credentials: 0.7% (64 people) | Employees who failed received a second round of awareness training and were scheduled for a retest |
Retest (3 times) | Employees with email accounts | Opened the malicious link and entered account credentials: 0.08% (5 people) | Individual training by the supervisor |
Information Security Incident Notification Process
Occurrence of Incident
- Report immediately following "Unimicron's Information Security Incident Notification Management Procedures".
Reporting
- The unit manager reports to the CISO.
- The CISO classifies incidents as major anomalies, confidentiality breaches, or issues related to the first-level supervisor.
Handling of Information Leaks
Report to the supervisor and responsible unit. Major incidents must be reported to the first-level supervisor, SBU President, CISO, and Executive President. Major anomalies and suspected leaks also require reporting to HR and the Audit Office.
Handling the Incident
If the incident is a breach of confidentiality, it will be handled by the Legal or HR Division according to legal and internal regulations.
Case Closure
For level 3 or higher incidents, an "Information Anomaly Incident Report" must be completed and submitted to the CISO or higher.
Information Security Incident
Description | Unit | 2020 | 2021 | 2022 | 2023 |
---|---|---|---|---|---|
Major Information Security Incidents | Case | 1 | 0 | 0 | 0 |
Breaches of Customer Privacy | Case | 0 | 0 | 0 | 0 |
Customers Affected by Data Breaches | Customer | 0 | 0 | 0 | 0 |
Total Monetary Value of Significant Fines for Information Security Incidents | NT$ | 0 | 0 | 0 | 0 |