- To enhance information security management, Jia Wei has appointed the Information Management Office to be in charge of information security management, and to plan, supervise, and implement governance and control over inter-departmental information security in Jia Wei and subsidiaries.
- Implementation results: based on organizational structure, the President has been designated as the highest-ranking supervisor for information security, while the manager of the Information Management Office serves as the representative of information security management. Information security representatives appointed from each department have held "information security meetings" to review the developmental objectives and strategies for information security so as to maintain a stable information security review mechanism.
- The information security governance report and results are reported to the Board of Directors meetings.
Information security policy
- Jia Wei has established information security management rules in line with applicable laws and regulations to provide proper protective measures over our information assets, and to ensure their confidentiality, completeness, usability, and legal compliance.
- We regularly evaluate the effects of various manmade and natural disasters on our information security. To ensure business continuity, we have also established disaster prevention measures for important information assets and critical business as well as a disaster recovery plan.
- We supervise our staff in fulfilling information security and protection, and instill the awareness that "information security is a part of everyone's responsibility" in order to enhance information security awareness in each business unit and among all personnel.
- Jia Wei requires all employees and vendors who use or connect to Jia Wei's computer systems to strictly abide by our information security regulations. Violators will be either penalized or fined under contract terms according to the circumstances of the violation, and severe violations will be further punishable under applicable laws.
Jia Wei has signed electronic equipment insurance with contractors for operational assets such as the ERP system, network equipment, and servers, and we prevent theft or malicious damage through security monitoring and environmental monitoring systems.
In response to challenges to information security such as advanced persistent threats (APT), distributed denial-of-service attacks (DDoS attacks), ransomware, social engineering attacks, or information theft, the following strategies have already been adopted:
In response to external threats:
- Built network firewalls and launched automatic information security signatures to prevent external attacks and penetration of the internal network.
- Provided an application server, set in an independent internal network area, for external network connections, and only specific personal computers are allowed to connect to the network for maintenance.
- Asked the network service provider to enable network risk prevention services to avoid possible losses caused by external networks.
Jia Wei's internal management:
- We have reviewed whether risks of single-point deficiency exist in relevant structures and maintenance and operating systems, and conducted risk analysis of the adequacy of business continuity operations. Results and recommendations from the safety evaluation of the information framework have also been proposed.
- Reviewed the access records of network and information security equipment and services, and whether the account authorization and monitoring mechanisms comply with internal control procedures; we have also checked the account authority and access records of such equipment to identify abnormal records and to confirm the warning mechanism.
- Reviewed server settings (e.g. Active Directory of the domain service) regarding "password setting guidelines" and "account lock down guidelines"; and reviewed whether the domain safety principles comply with internal control standards through analytical tools and manual procedures.
- Installed protective programs at the terminal equipment to avoid possible infiltrations.
- The Information Management Office always pays attention to changes and trends in the information environment, and references technical papers, data, and industry information security news to draft information security and protection mechanisms and programs, and to undertake relevant information security promotions. We have strengthened the staff's awareness of information security crises and their responsiveness, in order to prevent incidents in advance and to effectively identify them and prevent their proliferation in a timely manner.