The Group's infocomm security management is planned by the subsidiary "Digicentre", with various plans implemented together with the relevant units.
Management Structure
●The Group has established an "Information Security Committee" to hold regular meetings on the coordination and discussion of infocomm security and policy plans, resource scheduling, and other issues related to infocomm security management. The Group's CEO serves as the convener and holds information security committee meetings every six months. The contents are as follows:
(1) Submit a description of major capital security incidents and improvements.
(2) Propose the introduction of important information security systems or protective mechanisms to reduce operational risks and enhance information security capabilities.
(3) Review and propose amendments to the Group's important information security policies, implementation of information security plans, adjustments to the information security organization, and related resource allocation.
(4) Report on the implementation and evaluation of the information security management of each unit.
●The Information Service Department of the Headquarters is the information security management unit responsible for the comprehensive management of the Group’s information security management work. In addition, a domestic professional information security company is appointed to serve as the information security technical consulting team to assist in the formulation (revision) of information security-related specifications, evaluation and suggestions regarding important information security mechanisms, monitoring and providing warnings regarding abnormal network connections, information security recommendations and professional training, information security testing and drills, handling and responses to major information security incidents, and audits of the information security management of the Group, in order to ensure that all units implement various information security management measures.
Infocomm Policy and Management
In addition to the necessary network/host defense architecture (such as VPNs, firewalls, intrusion detection, and antivirus software), each of the Group’s businesses has introduced a comprehensive information security mechanism to establish the Group's information security infrastructure, including:
●Cooperating with a well-known domestic information security company to comprehensively deploy an automatic alert mechanism for global endpoint threat analysis within the Group. Through its continuous threat hunting, root cause analysis applications, and situational awareness technology, it provides active response event analysis and accurate and effective alerts, as well as endpoint detection and response service reports on a weekly basis, and reviews the operation of the mechanism and potential threats with information security analysts on a monthly basis.
● Introducing a privileged account management mechanism that recycles and manages privileged accounts for important devices on personal computers and maintenance environments to proactively protect, isolate, control, and continuously monitor privileged accounts on virtual and physical servers, databases, network security devices, applications and other devices, thus reducing the risk of external attacks and internal malicious threats on operating systems and protecting confidential system data.
●Establishing the Group's SOC to collect various security-related information, provide early warning information on prior threats, immediate warning of in-process threats, and analysis and suggestions for subsequent threats, and effectively manage various information security alerts to enable the operation team to focus on the handling of important information security risks. Through information security monitoring, it is possible to instantly become aware of internal and external information security threats, and respond to information security incidents in real time, so as to minimize damage and achieve the goal of joint defense against information security threats.
●Establishing an encrypted digital ID and security authentication single account authorization mechanism. Through public key PKI digital encryption and multiple identity authentication technology, in addition to having the content of e-mail/confidential documents encrypted, internal cross site service accounts within the enterprise are integrated. With electronic signature and data encryption functions, internal processes on multiple platforms are automated and mobilized, thus ensuring the availability, , and integrity of internal data and services within the enterprise and effectively improving operational efficiency on the premise of safety.
●The Group is a full ecosystem network enterprise. In response to the current diversified distributed denial of service (DDoS) attacks, its various business services have introduced appropriate network DDoS protection mechanisms based on their service content and threats, actively analyzed DDoS attack packets, and used blocking and cleaning methods to mitigate their attack capacity to avoid server capacity overload or network congestion caused by DDoS attacks and ensure the provision of continuous operations and services.
●Integrating source code security detection (white box detection) and network service vulnerability detection (black box detection) into the operation system development and deployment automation (DevOps) process, allowing for efficiency, quality, and security in the process of software development and application services.
Management Resource Input
●Information security management and technical support:
(1) The Information Service Department of the headquarters is responsible for formulating the Group's information security management policies and related regulations, establishing an OA information environment and services based on high information security standards, deploying a group-wide monitoring mechanism, establishing strict management procedures for identity authentication, access authorization, data backup and information security auditing, and coordinating and managing the Group's various information security planning and implementation.
(2) Each operation team of the Group specifies the appointment of a resource security officer to implement the Group's requirements for the deployment of an operational environment, resource security mechanism, and related management work.
(3) In addition to assisting in deploying various security mechanisms, the Information Security Technical Support Team also provides 24/7 automated threat monitoring, event analysis, and alert processing services.
●Annual budgeting:
Based on the information security management plan and results of each operation group, a budget is prepared after annual review for the deployment of the information security protection monitoring mechanism and information security testing.
Information Security Certification
●The Group continues promoting the achievement of international information security certification.
●Relevant certification information: Please refer to the archives (Group wide)