Information security policy management


To promote effective implementation of the corporate information security management system, the Information Security Committee was established in Feb 2022, and the company obtained ISO 27001 certification in July 2022. In accordance with the specifications of ISO 27001, the company’s information department holds meetings every year, regularly or as necessary, to review matters related to information security management, so as to reduce information security risks, enhance information security awareness, effectively protect the company’s and customers’ operational information, and provide good information security governance.

The Information Security Committee is established to improve the company’s overall information service management performance, ensure that information services stay consistent with business needs, and effectively manage information security work. The deputy general manager of the Management Department serves as chairman, and the top director of the information department serves as Executive Secretary. The Information Security Promotion Team, Internal Audit Team and Emergency Response Team are established under the Information Security Committee. The Company’s information security policies and specifications are reviewed and revised in accordance with the Company’s operational needs, changes in laws and regulations, customer security needs, technological changes and acceptable risk assessments.

Organizational operation mode: the PDCA (Plan-Do-Check-Act) cycle is adopted to ensure that our reliability goals are achieved and continuously improved. The Audit Office conducts audits in accordance with the annual audit plan and reports to the Board of Directors.

To protect against emerging malicious threats, Nafco has strengthened its information security measures as follows:

  1. Establish a network entity isolation and supervision mechanism to effectively prevent and eliminate external threats.
  2. Establish an anti-virus system and an active defense alarm platform to strengthen the monitoring of known and unknown information security threats.
  3. Build a server redundancy platform and multiple backup systems.
  4. Continue to implement information security education and case promotion, and include it in the compulsory courses of employee education and training to enhance employees’ information security awareness.
  5. Revise the identified risk factors and corresponding actions in a timely manner to strengthen the company’s internal information security.

To ensure that, in the event of a sudden major disaster, appropriate response measures minimize the impact on business and information services resume operation in the shortest possible time, the Company has formulated a continuity management plan for information services, and conducts annual drills and reviews to maintain resilience and the company’s continuous operation.