| Topics | Information Security |
|---|---|
| Policy | "Information Security Policy" |
| Commitment | Dedicated to the ESG governance strategy, enhancing customer satisfaction and trust, and strengthening sustainable development |
| Division | Information Security Committee |
| Resources Invested | Cross-departmental collaboration through biweekly meetings to continuously review results |
| Grievance Mechanism | Representatives from the Information Security Committee |
| 2022 Targets | Major information security incidents: 0 |
| Actions | Strengthen the security of critical supply chain information and promote Transport Layer Security (TLS) |
| 2022 Achievements | Major information security incidents: 0 |
Protecting customers' intellectual property rights and business information is the focus of our business and of our business ethics management. Under a comprehensive "Information Security Policy" and the controls of the ISO 27001 Information Security Management System, Unimicron's main information security focus in 2022 was supply chain information security management. As a key partner in our customers' upstream supply chain, Unimicron is committed to strengthening customer confidence by meeting and exceeding industry averages and key customer requirements as measured on third-party information security assessment platforms, demonstrating an information security maturity above the benchmark.
In order to maintain the confidentiality, integrity and availability of the Company’s information assets, and to protect the privacy of customers and personal data, Unimicron has formulated an information security policy and hopes to achieve the following goals through the joint efforts of all employees in the Company:
Unimicron has set up an Information Security Committee to manage the information protection mechanism at the corporate level. In 2022, the Company appointed a Chief Information Security Officer (CISO) and established a dedicated information security unit, which leads biweekly information security meetings and improves operations through rolling PDCA reviews. These cover internal information security awareness campaigns and drills, asset inventory and classification, data access control, and information security alerts. The unit regularly reports on information security to the Chairperson of the Board of Directors and to the senior executives of the business divisions, and maintains international information security certification, in order to reduce information security risks and protect customer privacy.
| Unit | Responsibilities |
|---|---|
| Information Security Team | Host security meetings; formulate security policies and strategies |
| Information and Communication Technology | Systems and technical management assessment; security system maintenance and permission adjustment |
| Human Resources | Training scheduling and announcements; staff regulations and the reward/punishment process |
| Audit | Effectiveness assessments of security policies; security incident escalation and follow-up |
| Legal | Tracking of security-related laws and regulations; legal interpretation and consulting |
| Intellectual Property Rights | Assistance with trade secret and patent asset review and value definition; trade secret and patent system maintenance |
| Strategic Business Units | Promote security policies to departments and follow up; collect feedback from departments and act as the bridge between business units and the committee; respond to security incidents within the business units |
To protect customers' intellectual property rights and confidential corporate documents, in addition to a comprehensive information security policy and annual ISO/IEC 27001 Information Security Management System certification, Unimicron has developed specific management measures in six areas: risk assessment, endpoint computer management, computer room management, anti-virus and anti-intrusion management, system and network security management, and training, so as to properly safeguard customer data and information security.
During the pandemic, the email application was migrated to a cloud service and virtual desktops were adopted to support the operational resilience of remote working. At the same time, a web application firewall was deployed to shield the Group's external websites from web application vulnerabilities. In response to Microsoft's termination of support for the IE browser, compatibility fixes were made to internal systems, and a Managed Detection and Response (MDR) service was introduced to strengthen Unimicron's overall information security protection and mitigate risks.
| Email Drill | Test Subjects | Result | Enhancement Measures |
|---|---|---|---|
| First Test | Employees with email accounts | Opened the malicious link and entered account password: 0.6% (2.2% in 2021 / 3.1% in 2020) | Employees who failed the test received a second round of awareness training and were scheduled for a retest |
| Retest | Employees who failed the first test (217 employees) | Opened the malicious link and entered account password: 4 employees failed the test | Individual training by the supervisor |
| Course | Participants | Employees Should Be Trained | Employees Trained | Completion Rate (%) | Course Hours |
|---|---|---|---|---|---|
| Information Security Advocate | Job level 5 (inclusive) and higher in Taiwan, and Taiwanese employees stationed in Mainland China (including DL) | 4,561 | 4,559 | 99.96 | 1 hour |
| The Law and Ethics of Trade Secrets | (as above) | (as above) | (as above) | (as above) | 1 hour |
| Trade Secret Advanced Course | (as above) | (as above) | (as above) | (as above) | 1 hour |
| Intellectual Property Rights | (as above) | (as above) | (as above) | (as above) | 1 hour |
Note 1: Employees who joined on or after April 1, 2022 and have not yet completed the training are included in the following year's training list.
Note 2: Of the 2 employees who did not complete the training, 1 was on long-term sick leave and 1 was on maternity leave.
Note 3: The training ran from July 1 to September 16, 2022. Employees required to be trained were employees in Taiwan and Taiwanese employees stationed in Mainland China (including DL) at job level 5 or above who had joined at least three months before March 31, 2022.
In response to the increasing complexity of external attacks, Unimicron has adopted a defense-in-depth approach to information security, layering firewalls, mail filtering, endpoint security protection, multi-factor authentication, and other protection mechanisms to protect information assets. We also use an external third-party information security assessment platform as an objective basis for measuring information security maturity. In 2022, we introduced a Security Operations Center (SOC) to improve visibility across the environment and shorten the response time to information security incidents, and we adjusted the information security framework through regular audits to meet the requirements of business continuity and of the regulatory authorities.
In 2022, in order to enhance the Company's overall information security capabilities, the following management plans were strengthened and completed:
• Traffic Control: Strengthen internal and cross-plant firewalls and the boundary firewall, anomalous traffic detection and analysis, and the review and analysis of endpoint data export logs.
• Account Control: Strengthen multi-factor authentication and the authorization controls on bastion hosts.
• Backup Optimization: Improve the data backup and rapid recovery architecture.
• Governance Policy: Enhance vulnerability scanning, the 24-hour service and Security Operations Center (SOC), USB device management, management of hand-held mobile devices with cameras, the information classification and protection system, printing controls, employee information security training, and phishing drills.
• Resource Investment: Establish the Chief Information Security Officer (CISO) position and a dedicated information security organization, and join the information security sharing organization Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC).
| Description | Unit | 2019 | 2020 | 2021 | 2022 |
|---|---|---|---|---|---|
| Major information security incidents | Case | 0 | 1 | 0 | 0 |
| Breaches of customer privacy | Case | 0 | 0 | 0 | 0 |
| Customers affected by data breaches | Customer | 0 | 0 | 0 | 0 |
| Total monetary value of significant fines for information security non-compliance | NTD | 0 | 0 | 0 | 0 |