I. Scope
- IEI Integration Corp. (IEI) has established this policy to enhance information security management and ensure the confidentiality, integrity, and availability of the company's information assets, including personnel, software, hardware, data, building protection, and services.
- The goal is to provide a continuous operational information environment for the company's information services and to comply with relevant regulatory requirements, protecting against deliberate or accidental threats both internally and externally. This policy, formulated by top management, aims to prevent non-compliance issues through effective system operations and continuous process improvement, thereby achieving the purpose of information security.
II. Applicable Area
-
2.1
-
IEI has established an information security management system based on actual needs and in compliance with government and relevant legal requirements. To ensure the confidentiality, integrity, and availability of information, we utilize the IEI organization panorama evaluation table [6.1] to define the scope of this system. This includes the operation and maintenance of the information security management system, covering information services, data center maintenance and operations, and the security management of ERP, MES, EDI, PLM, and system maintenance. We fully understand the processes of information operation and management, meeting all security requirements and expectations.
The initial intention behind establishing our information security management system and the results of its implementation should consider the information security issues raised by internal and external units, as well as the expectations and requirements of stakeholders for the information security management system. These aspects should be included in the scope of objectives and performance evaluation. These information security-related issues, expectations, or requirements should be incorporated into risk assessment and risk management to ensure that the information security management system achieves the expected results and continues to improve. Additionally, the risk evaluation process must identify risk owners.
IEI should establish information security objectives at relevant departments and levels, which should correspond or link to the information security policy. These objectives must:
- Be measurable.
- Have methods for measuring effectiveness.
- Have specified completion dates.
- Have responsible personnel (or responsible units).
-
IEI information security policy is established as follows:
-
- Effectively ensure the confidentiality, integrity, availability, and legality of important information.
- Ensure that information security objectives are consistent with the policy and periodically evaluate their applicability.
- Clearly define the responsibilities and authorities related to information security tasks.
- Operate the information security management system to meet and fulfill the requirements and expectations of internal and external stakeholders, including legal and related agreement requirements.
- Operate information security management according to the operational standards set by this management system and implement them thoroughly.
- Ensure that changes to the system or procedures do not affect established information security commitments and agreements.
- Continuously improve and enhance the company's information security management system.
-
To effectively support the implementation of the aforementioned high-level policy, IEI has established the following "Topic-Specific Policies" to ensure the corresponding control measures are applied:
-
- Implement access control management.
- Effectively execute the masking of important information.
- Enforce physical and environmental security controls, including monitoring of critical areas.
- Manage information assets.
- Ensure the security of information transmission.
- Securely configure and handle user endpoint devices.
- Execute network security controls.
- Properly perform network operation monitoring activities.
- Manage information security incidents.
- Implement backup management.
- Perform key management.
- Properly classify and handle information.
- Regularly conduct technical vulnerability management.
- Execute secure system development controls.
- Establish and implement a cloud service information security management mechanism.
-
2.2
-
Information security management encompasses four control measures to prevent incidents such as improper use, leakage, alteration, or destruction of data due to human error, malicious intent, or natural disasters, thereby mitigating various potential risks and harms to the company. The control measures, according to ISO 27001 information security system Annex A, sections A.5-A.8, are detailed as follows:
- A.5 Organizational control measures.
- A.6 Personnel control measures.
- A.7 Physical control measures.
- A.8 Technical control measures.
-
All internal personnel, outsourced service providers, and visitors must comply with this policy.
-
2.3
-
Responsibilities
- The Information Services Department of IEI is responsible for formulating this policy, which will be implemented upon review and approval by the management.
- The Information Security Manager shall implement this policy through appropriate standards and procedures.
- All personnel and outsourced service providers must follow the relevant security management procedures to maintain the information security policy.
- All personnel are responsible for reporting information security incidents and any identified vulnerabilities. Preventing potential information security threats may be rewarded appropriately based on the situation.
- Any actions that endanger information security will be subject to civil, criminal, and administrative liabilities, or penalties according to the company's relevant regulations, depending on the severity of the violation.
III. Definitions
-
3.1Information Assets: Refers to the personnel, software, hardware, data, building protection, and services necessary for maintaining the normal operations of the company's information business.
-
3.2Information Environment for Business Continuity: Refers to the computer operating environment required to maintain the normal operations of the company's various businesses.
IV. Objectives
- To maintain the confidentiality, integrity, and availability of IEI information assets and safeguard user data privacy, the following goals will be achieved through the collective efforts of all employees:
-
4.1Protect the company's business information from unauthorized access.
-
4.2Protect the company's business information from unauthorized modification, ensuring its accuracy, completeness, and availability.
-
4.3Establish a cross-departmental information security organization to formulate, promote, implement, and evaluate improvements in information security management to ensure the company has an information environment suitable for business continuity.
-
4.4Conduct information security education and training to promote employee awareness of information security and strengthen their understanding of related responsibilities.
-
4.5Implement an information security risk assessment mechanism to enhance the effectiveness and timeliness of information security management.
-
4.6Implement an internal audit system for information security to ensure the implementation of information security management.
-
4.7Ensure that the company's business activities comply with relevant laws or regulations.
-
4.8Continuous improvement commitment to information security management system: All employees of the company must implement the information security policy in accordance with relevant information security management procedures. Employees are responsible for reporting information security incidents or suggesting enhancements to information security. Preventing potential information security threats may be rewarded appropriately based on the situation. Similarly, engaging in any behavior endangering information security will be subject to penalties according to the severity of the violation, to maintain the company's information assets and safeguard the privacy and security of company and customer data.
-
4.9Cloud service providers must ensure secure isolation between cloud service customers.
-
4.10Cloud service providers must not access or touch customer assets during cloud service operations unless with customer consent for operational needs.
-
4.11The internal operations and management environment of cloud service providers must be distinctly separated from the operating environment of cloud service customers.
-
4.12In the event of changes in cloud service operations, cloud service providers must notify cloud service customers in accordance with contract requirements or engage in necessary communication.
-
4.13When a customer terminates cloud services, cloud service providers must erase all customer information assets to ensure customer rights and cloud service information security.
-
4.14Cloud service providers should clearly define relevant information security measures in agreements (contracts) to prevent any misunderstandings between parties.
-
4.15Cloud service providers must maintain effective maintenance for customer data and cloud service functions, and establish access control mechanisms.
V. Responsibility
-
5.1The management level of the company establishes and reviews this policy.
-
5.2The Information Security Manager implements this policy through appropriate standards and procedures, following relevant regulations on information security and personal data protection.
-
5.3All personnel and outsourced service providers must adhere to relevant security management procedures to maintain information security policies.
-
5.4All personnel are responsible for reporting information security incidents and any identified vulnerabilities.
-
5.5Any actions endangering information security will be investigated, and individuals will be held accountable for civil, criminal, and administrative liabilities or subject to disciplinary action according to the company's relevant regulations.
