Information Security

In April 2020, FIS implemented the Information Security Management System (ISMS). On October 16, 2020, and April 7, 2021, after rigorous scrutiny by professional audit teams from TUV and BSI, we successfully obtained ISO/IEC 27001:2013 certification. FIS will continuously strengthen the company’s information security measures to ensure the confidentiality, integrity, and availability of information, enhancing information security protection for both the company and its clients.

※ The ISO 27001 certificate is valid from April 7, 2021, to April 6, 2024.

Information Security Policy:

1. Objective

To enhance information security management, ensuring the confidentiality, integrity, and availability of the company's information assets in order to provide a continuously operating environment for its business. This policy aims to comply with relevant regulations and to protect against intentional or accidental threats, whether internal or external.

2. Applicability
Information security covers 14 management areas, aimed at preventing the improper use, disclosure, alteration, or destruction of information through human error or natural disaster, which would expose the company to various risks and harms. The management areas are:

2.1 Information security policy.

2.2 Information security organization.

2.3 Human resources security.

2.4 Asset management.

2.5 Access control.

2.6 Cryptography.

2.7 Physical and environmental security.

2.8 Operational security.

2.9 Communication security.

2.10 System acquisition, development, and maintenance.

2.11 Supplier relationships.

2.12 Information security incident management.

2.13 Information security aspects of business continuity management.

2.14 Compliance.

3. Company Information Security Policy

Information security is everyone's responsibility; every employee helps ensure the confidentiality, integrity, and availability of company information.

3.1 The company establishes information security objectives and target values to evaluate policy implementation.

3.2 The company implements necessary control measures and provides required resources based on information security policy and risk assessment results.

3.3 The company establishes the information security management system to achieve continuous improvement through system operation.

4. Information Security Organization

4.1 The Information Security Management Committee, led by management representatives, is responsible for establishing, implementing, and maintaining the company's information security standards, and for coordinating and discussing matters related to the management system and the allocation of resources.

4.2 Establish an "Information Security Organization Member List" to ensure clear task assignments and effective communication within the ISMS.

4.3 Information Security Management Committee Organization Cha

5. Statement of Applicability

In accordance with "ISO 27001:2013 Information Security Management System – Requirements," a "Statement of Applicability" is produced. This document records, in written form, whether each control specified in the standard applies to the company's information assets and, where a control does not apply, the reason for its exclusion. When there are changes in organizational structure, personnel, equipment, physical environment, etc., the ISMS security team should re-evaluate the applicability of the controls.

6. Review

This policy should be reviewed at least once a year to reflect the latest developments in government regulations, technology, and the business, ensuring the company's continuous operation and its information security operational capability.

7. Implementation

7.1 Information Security Policy review is conducted in conjunction with management review meetings.

7.2 This policy takes effect after approval by the Director. The same applies to revisions.

*The three main elements of information security, commonly referred to in the industry as “CIA,” include Confidentiality, Integrity, and Availability.

FIS and its subsidiaries’ 2023 Cybersecurity Management Implementation Report:

(1) Specific Management Plans

  1. Implement a defense-in-depth architecture through encryption of critical sensitive data, endpoint protection, and network gateway protection, combined with mechanisms such as network access control and email protection, to prevent external network attacks and internal leakage.
  2. Establish access control, identity verification for system login, password management, and access authorization, and conduct vulnerability scans as an audit mechanism. Install antivirus software, apply vendor security patches, and establish backup mechanisms to strengthen endpoint protection.
  3. Set up information security protection systems to prevent computer viruses or malicious programs from disrupting information system services or probing confidential data.
  4. Conduct regular information security education and training for employees to raise their awareness of information security risks.
  5. Regularly review information security protection measures, focus on current information security issues, and ensure that the measures remain appropriate and effective.
  6. Establish a multi-layered information system and data backup mechanism to ensure the availability and integrity of information.

(2) Resources Invested in Cybersecurity Management in 2023

The company allocates an annual budget for cybersecurity, carrying out timely replacement, upgrades, and updates of cybersecurity hardware and software. It procures cybersecurity detection tools such as antivirus software, vulnerability scanning, and source code analysis to enhance its information security protection capabilities. It organizes information security management and execution teams to plan, execute, audit, and improve information security management operations, reducing information security threats from the system, technical, and procedural perspectives, and establishing confidential information protection services that meet customer needs and the highest standards. It also engages external cybersecurity consultants and certification bodies for external audits, guidance, and certification, establishing a rigorous information security system and operational mechanism.

  1. On November 10, 2023, appointed Deputy General Manager Chen Pao-Fu of the Information Department as the person responsible for information security and designated information security personnel.
  2. To strengthen information security management skills, sent 20 staff members to external education and training in 2023, totaling 755 hours.
  3. To enhance information security protection capabilities, purchased cybersecurity-related hardware and software in 2023, totaling NT$1.26 million.
  4. ISO 27001 certification passed the annual surveillance review.


(3) Major Cybersecurity Events:

No major cybersecurity events occurred in 2023. The deployed antivirus software and network firewall equipment block external malicious attacks and intrusions, and detect and isolate intrusion activity and files that raise security concerns. The established multi-layered information system and data backup and recovery measures keep the company's various information systems operating normally.


*The annual report on the implementation of cybersecurity management was presented at the board meeting on December 28, 2023.