Thank you for your subscription, the latest issue of the newsletter will be automatically sent to your
designated mailbox. Please set Unimicron’s email as trust mail.
Thank you.
Protecting customers’ intellectual property rights and business information is the focus of our business
and business ethics management. Through control via the ISO 27001 Information Security Management
System, Unimicron received no customer complaints about infringement of customer privacy rights or loss
of customers’ information and no punishment of huge fines for products or services violating the law in
2021.
Information Security Goals
2021In order to maintain the confidentiality,
integrity and availability of the Company’s information assets, and to protect the privacy of
customers and personal data, Unimicron has formulated an information security policy and hopes
to achieve the following goals through the joint efforts of all employees in the Company:
● Confidentiality:Ensure that only authorized personnel can obtain information and avoid information
leakage ● Integrity:Ensure that information is not subject to unauthorized tampering and the
correctness of information processing methods ● Availability:Ensure that authorized users can obtain information and use related assets when
needed
Information Security Committee
Unimicron manages the Company-level information protection mechanism through the Information Security
Committee to protect customer privacy. Through the acquisition of relevant international certifications,
internal information security advocacy and drills, data inventory and drills, and data access control
and information security early warning mechanisms, we regularly provide information security reports to
the chairman of the board and senior managers of business units, to reduce information security risk.
2021 Information Security Management Results
Results
International Security System Certification
Unimicron’s Taiwan and Mainland China facilities have obtained ISO 27001 Information
Security Management System certification, with a coverage rate of 100%, and have
established complete information security standards and management procedures to
ensure the security of the information environment.
Data
Inventory and Classification
2021Unimicron has completed the advocacy and inventory of the business secret
information in 2021 to effectively declare the scope of the Company's confidential
information.
Data Access
Control and Information Security Warning
Use computer access control tools to lock computer transmission media (email, USB,
FTP, web, file folder, etc.). If it is needed for work, a separate application for
activation is needed and it must be supervised by the information security early
warning mechanism. All file access and data transmission abnormalities are detected
and alarmed by the system, and the Information Security Committee is notified to
perform related audits, reports, and handling.
Internal
Information Security Advocacy and Drill
We hold regular information security advocacy and testing for employees, we issued
14 times announcements in 2021, hold an unannounced social attack drill (phishing
email), and conduct a companywide e-Learning information security course in the
fourth quarter of each year to deepen employees' information security awareness
through experience.
Stage
Number of People Tested
Ratio to be Hacked
Measures to Strengthen
Information Security Awareness
First Test
Employees with Email accounts
Open malicious link and enter account
password: 2.5% (2020年/3.1%,2019年/5.25%)
For employees who failed the test,
Unimicron has completed the second propaganda and arranged a
test
Retest
Employees who failed the first test (128
employees failed the test)
Open the malicious link and enter
account password: 2 employees failed the test
Individual training by the
supervisor
Information Security Management Plan
To protect customers' intellectual property rights and confidential corporate documents, in addition to
a comprehensive information security policy and annual ISO/IEC 27001 Information Security Management
System certification, we completed the multi-facet strengthening of our equipment defense and detection
capabilities in 2021, including external/inter-plant/intra-plant firewalls, network abnormal traffic
detection and analysis systems, and other traffic monitoring equipment. In addition, it is equipped with
privileged account management, regular system vulnerability scanning and repair, data backup and quick
recovery mechanism, system network security enhancement, USB management, handheld mobile camera device
management, information classification and confidentiality system, printing control, information
security training and penetration and phishing drills, etc., to enhance internal and external attack
prevention detection and recovery capabilities and properly maintain customer data and information
security. Nearly 100 million attempts per month by external hackers have been blocked externally,
causing no damage to system data.
In order to implement Unimicron’s Information Security Policy, we have fully implemented the mobile
device access control to the plant, ensuring that information will not be arbitrarily carried out. In
addition, Unimicron develops specific management solutions related to the six major aspects of Risk
Assessment, Terminal Computer Management, Computer Room Management, Anti-virus and Anti-hacking
Management, System and Network Security Management, and Training to properly maintain customer data and
information security.
In 2021, we will promote a project to control the printing of sensitive characters on Intelligent
Multifunction Printers, which will not only print watermark but also automatically filter key sensitive
characters and generate alarm reports to relevant supervisors to prevent the leakage of important
information. There were 39 printers installed in 2021, and gradually replaced in 2022.
方案
內容
Risk Assessment
Measures:We review risks and management measures
through ISO 27001 Information Security Management System and company-wide bi-weekly
Information Security Committee meetings, and submit bi-monthly reports. Achievements:In 2021, a total of 20 improvements
will be made, including the implementation of printing control, a platform for
business secrets and patent registration, the enhancement of information security of
network wireless receivers with real-name authentication of WiFi users, new Email
Defense Systems (detecting and blocking phishing emails), Two-Factor Authentication,
the improvement of file server backup and recovery speed, and centralized monitor
system for nearly 1,000 host devices, etc.
Training
• Through physical and digital E-based courses, regularly conduct 3 types of
education training and verification of "information security," "trade secret
protection" and "patent and copyright protection" to employees, to establish
employees' awareness of sensitive information protection, and implement trade
secrets inventory and classification management every year to protect Company and
customer data.
System and Network
Security Management
• According to the vulnerability database defined by Computer Emergency Response
Team (CERT) and Security Content Automation Protocol (SCAP), conduct two system
vulnerability scans and vulnerability repairs every year.
Terminal Computer Management
• Use the computer access control system to perform 3 software and hardware asset
(hardware change notification, software authorization, and software function
restriction) and 6 access behaviors (USB, CD burning, network storage, printing,
Bluetooth, and wireless network card) control.
Computer Room Management
Use the following three sets of
systems to support each other to construct a secure physical computer room
environment and to protect the system and customer data security:
Central Access Control System: Control the
entrance and exit of the computer room, allowing only authorized employees to
access, while retaining the entry and exit records. CCTV system: Have 24-hour full-area video
monitoring of the computer room, and through the sensing mechanism, automatically
send out an alarm when an abnormal intrusion occurs. Environmental Control System: Monitor the
environment (temperature, humidity, power) of the computer room 24 hours a day.
Anti-virus
and Anti-hacking Management
Strengthening Machine Protection:we have
introduced the management mechanism of machines’ virus-free certificates. The
machine will be connected to the network only after the vendors have provided
virus-free certificates and the machine has been tested by Unimicron to be
virus-free, and the antivirus audits are regularly conducted on the machines. Network Firewalls and Hacker Intrusion Detection and
Defense Systems:to detect, block and alert about external threats and
with the help of external information security organizations, provide Security
Operation Center (SOC) services, 24-hour round-the-clock information security
incident analysis mechanism.
2021 Information Security Training Course
Course
Participants
Total Number of Employees Trained /Number of
Employees That Should Be Trained
Course Hours
Completion Rate (%)
Information Security Advocate
Job level
5 (inclusive) and higher in Taiwan and Taiwanese employees stationed in Mainland
China (including DL)
3,990/4,018
1
hour
99.3%
Analysis
on the Law and Ethics of Business Secrets
3,990/4,018
1
hour
99.3%
Trade
Secret Advanced Course
3,990/4,018
1
hour
99.3%
Intellectual Property Rights
3,990/4,018
1
hour
99.3%
Note 1: The training starts from Aug 30 to Dec 6 in 2021, employees who should be
trained are Taiwanese and Taiwanese employees (including DL) stationed in Mainland
China at level 5 (or above) who have arrived at least three months before May 31,
2021.
Note 2: The employees on board since June 1, 2021, who have not completed the
training will be included in the training list for the following year.
Note 3: Of 28 employees who have not completed training, 21 employees were not
working during the training period, 3 employees were on long-term sick leave, 1
employee who was on leave, 1 employee who was on maternity leave, 1 employee who was
on training, and 1 employee who was on long-term leave.
Information Security Incident Notification Process
When an information security incident occurs, employees should immediately notify the unit head
following the "Unimicron’s Information Security Incident Notification Management Procedures." The unit
head will report to the information security officer, who will, following internal regulations,
determine whether the information security incident is a major abnormal event, whether it is a breach of
confidentiality, and whether it involves a first-level supervisor. After classification, It shall be
reported to the supervisor at that level and the responsible unit. If it is a major event, it must be
reported to the first-level supervisor, the business division's president, the Chief Information
Security Officer, and the Executive President. If it is a major abnormality and suspected leak event, it
shall be reported to the Human Resources Department and the Audit Office. If the leak is true, the
legal/personnel department will handle it by the law or Company regulations.
Occurrence of Incident
• Report immediately in accordance with the "Unimicron’s Information Security
Incident Notification Management Procedures"
Reporting Operations
• The unit head reports to the Information Security Officer
• The Information Security Officer classifies the information security incident
Handing of Leakages
• It shall be reported to the supervisor at that level and the responsible unit. If
it is a major event, it must be reported to the first-level supervisor and the
president of the business division, Chief Information Security Officer and the
Executive President
• If it is a major abnormality and suspected leak event, it shall be reported to the
Human Resources Department and the Audit Office
Handling of the Information Security Incident
• It shall be handled by the Legal Affairs/ Human Resources Department under law or
the regulations
Case
Closure
• If it is an information security
incident of level 3 or higher, the "Information Anomaly Incident Report" must be
filled out and submitted to the Information Security Officer or higher
2021 Information Security
Enhancement Measures
In 2021, Unimicron has no major information security incidents. In order to
continuously improve information security management, the following enhancement
measures have been completed. Network Traffic Control:
Strengthen internal and external cross-plant firewalls and abnormal traffic
detection and analysis capabilities, and implement endpoint computer data output
record checking Account Control: Enhance
multi-factor authentication and authorization control of jump hosts Backup Optimization: Improve data
backup and fast recovery framework Governance Policy: System
vulnerability scanning, 24-hour service and Security Operation Center (SOC)
services, USB management, mobile device management, information classification and
confidentiality system, printing control, information security training and phishing
drills, etc. Investing Resources: Established
the Chief Information Security Officer, the Information Security Task Force, and
joined the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT),
which is a security information-sharing organization.
▲ Information Security Incident
Description
2018
2019
2020
2021
Number of major information security concerns
0
0
1
0
Total
number of breaches of customer privacy
0
0
0
0
Total
number of customers affected by data breaches
0
0
0
0
Total
monetary value of significant fines for non-compliance with information
security concerns
