Information Security


To safeguard the confidentiality, integrity, and availability of information assets, and to protect customer privacy and personal data, we have established an "Information Security Policy." Through the collective efforts of all employees, the Company aims to achieve:

Confidentiality
Ensure that only authorized personnel can obtain information and avoid information leakage.
Integrity
Ensure that information is not subject to unauthorized tampering and the correctness of information processing methods.
Availability
Ensure that authorized users can obtain information and use related assets when needed.

Information Security Committee

Unimicron has set up an "Information Security Committee" to manage information protection in Taiwan Facilities and Mainland China Facilities. In 2022, the Company established the position of Chief Information Security Officer (CISO) and a dedicated team to lead biweekly meetings and improve operations through PDCA reviews covering internal advocacy and drills, asset inventory and classification, data access control, alerts, etc., with regular reports to the Chairperson and senior executives. The Company also obtains international certification to reduce information security risks and protect customer privacy. In 2023, the CISO reported to the Board of Directors. A summary is as follows:

  • Define and promote key information security indicators across the Group.
  • Present trends from key customer information security assessments.
  • Assess internal and external risk and align with information security projects.
  • Summarize the 2023 activities of the Information Security Committee.
  • Outline the status and development plan for information security talent.
In 2023, the Company met the information security requirements of customers and passed third-party audits without major deficiencies. No violations led to customer data breaches or fines.
Information Security Team
  • Host security meetings
  • Formulate security policies and strategies
Information and Communication Tech.
  • Systems and technical management assessment
  • Security system maintenance and permission adjustment
Human Resources
  • Training scheduling and announcement
  • Staff regulations and reward/punishment process
Audit
  • Effectiveness assessments of security policies
  • Security incident escalation and follow-up
Legal
  • Following security-related laws and regulations
  • Legal interpretation and consulting
Intellectual Rights
  • Trade secret and patent asset review and value definition assistance
  • Trade secret and patent system maintenance
Strategic Business Unit
  • Promote security policies to departments and follow up
  • Submit feedback from departments and act as a bridge between business units and the committee
  • Respond to security incidents in business units

Information Security Program

To safeguard customers' intellectual property and confidential documents, Unimicron has established a comprehensive “Information Security Policy” and secures ISO/IEC 27001 certification annually. We conduct risk assessments, training, and manage cybersecurity, system operations, terminal computers, abnormal behavior detection, IDC management, and anti-virus and anti-hacking measures at our Taiwan and Mainland China Facilities. The addition of a Security Operation Center (SOC) enhances our monitoring and incident response capabilities. We continuously review and refine our security framework to meet business continuity needs and regulatory standards, ensuring customer data security.

Risk Assessment
  • Measures: We assess risks and management measures using ISO 27001 and biweekly committee meetings, with reports submitted every two months.
  • Outcome: Enhanced the security of the supplier data exchange platform by transitioning from FTP to SFTP, fortified protection for 823 high-risk machines, expanded the SOC to Unimicron Technology (Suzhou), and developed SOPs for biometrics access control, cloud architecture, and information security reviews.
Training
  • We offer three regular training sessions—on "Information Security," "Trade Secret Protection," and "Patent and Copyright Protection"—both in-person and online. We also perform an annual inventory and classification of trade secrets to protect Company and customer data.
Abnormal Behavior Detection
  • Increase Managed Detection and Response (MDR) on 337 important machines in key plants.
Terminal Computer Management
  • Minimize administrative privileges by reclaiming administrator access for users in Taiwan and Mainland China Facilities.
Anti-virus and Anti-hacking Management
  • Establish a vulnerability management system and tracking mechanism.
  • Implement network firewalls and intrusion detection systems to detect, block, and alert on external threats. Collaborate with external security organizations for SOC services and round-the-clock (24-hour) incident analysis.
System and Cybersecurity
  • Completed 12 vulnerability scans and bug fixes in line with "Cyber Security Control Guidelines for TWSE/TPEx Listed Companies" and customer requirements.
  • To strengthen software security under the "Cyber Security Control Guidelines for TWSE/TPEx Listed Companies," we initiated a source code scanning project in 2023, correcting all identified risks with a 100% correction rate. The next phase will focus on key internal projects to further improve security and reduce repair costs.
  • Enhanced machine visibility with a new registration system, improving transparency of software and hardware.
  • Implemented encryption for the Group's HR system in response to increased fines for personal information protection by the Legislative Yuan.
  • Scanned and mitigated risks for specific brands of industrial control equipment and PLCs.
IDC Management
To secure the physical IDC and protect customers' data, we utilize the following systems to build a secure environment:
  • Central Access Control: Regulates access, logs entries and exits, and integrates facial recognition.
  • CCTV System: Provides 24-hour surveillance with automatic alarms for intrusions.
  • Environmental Control: Monitors temperature, humidity, and power continuously.

2023 Information Security Management Results

Definition and Management of Machine Risk

The machines of each plant are classified into 4 levels, A, B, C, and D, based on the level of protection and resilience. Risks on 823 high-risk (level A) machines have been mitigated.

Supply Chain Information Security Management

326 key suppliers are required to implement Sender Policy Framework (SPF) and Transport Layer Security (TLS) to ensure data safety during exchanges.

Internal Information Security Advocacy and Drill
Training Course
| Course | Participants | Employees Should Be Trained | Employees Trained | Completion Rate (%) | Course Hours |
| --- | --- | --- | --- | --- | --- |
| Information Security Advocate | Job level 5 (inclusive) and higher in Taiwan and Taiwanese employees stationed in Mainland China (including DL) | 5,074 | 5,049 | 99.51 | 3 |
| The Law and Ethics of Trade Secrets | | | | | |
| Trade Secret Advanced Course | | | | | |
| Intellectual Property Rights | | | | | |

Note 1: The training ran from July 1 to Sep. 8, 2023. Employees who took up their jobs before March 31, 2023 were therefore required to take the training. Those who have not completed the training and started their duties on or after April 1, 2023 will be included in the roster for the following year.

Note 2: Among the 25 untrained persons, 1 was on injury leave, and 1 was on long-term sick leave.

In 2023, we conducted three unannounced phishing email drills per employee and held a company-wide E-Learning information security course in Q4 to boost employee awareness.
Drill
| Email Drill | Test Subjects | Result | Enhancement Measures |
| --- | --- | --- | --- |
| First Test | Employees with Email accounts | Opened malicious link and entered the account password: 0.7% (64 people) | For employees who failed the test, Unimicron has completed a second round of advocacy and arranged a test |
| Retest (3 times) | Employees with Email accounts | Opened malicious link and entered the account password: 0.08% (5 people) | Individual training by the supervisor |

Information Security Incident Notification Process

Occurrence of Incident
  • Report immediately following "Unimicron’s Information Security Incident Notification Management Procedures".
Reporting
  • The unit manager reports to the CISO.
  • The CISO classifies incidents as major anomalies, confidentiality breaches, or issues related to the first-level supervisor.
Handling of Divulged Information
Report to the supervisor and responsible unit. Major incidents must be reported to the first-level supervisor, SBU President, CISO, and Executive President. Major anomalies and suspected leaks also require reporting to HR and the Audit Office.
Handling the Incident
If the incident is a breach of confidentiality, it will be handled by the Legal or HR Division according to legal and internal regulations.
Case Closure
For level 3 or higher incidents, an "Information Anomaly Incident Report" must be completed and submitted to the CISO or higher.

Information Security Incident

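| Description | Unit | 2020 | 2021 | 2022 | 2023 |
| --- | --- | --- | --- | --- | --- |
| Major Information Security Incident | Case | 1 | 0 | 0 | 0 |
| Breaches of Customer Privacy | Case | 0 | 0 | 0 | 0 |
| Customers Affected by Data Breaches | Customer | 0 | 0 | 0 | 0 |
| Total Monetary Value of Significant Fines with Information Security Incident | NT$ | 0 | 0 | 0 | 0 |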