Hy Electronic (Cayman) Limited

Search
0 0 0

Investors

Investors

Company Overview
Financial Information
Corporate Governance
Investor Relations Column
TWSE Ticker Symbol 6573
Management of information security

To strengthen the information security management of our company and ensure the security of data, systems, and networks, we have established an information security management office. This office is staffed with one dedicated information security manager and one information security officer. Their primary responsibility is to ensure the operation of the information security management system, identify internal and external issues related to information security management, and address the requirements and expectations of stakeholders regarding information security. Additionally, the information security management office reports to the Board of Directors at least once a year on the execution status of information security initiatives, major issues, and plans.

Information Security Risk Framework

A cross-department information security management team is convened by the Company's president. The information department and administrative management department are responsible for leading and planning, and all business-related units cooperate in execution to confirm the effectiveness of the Company's information security management operations.

The team is responsible for formulating information security management policies and conducting regular reviews and revisions.

The team convenes regular meetings to review implementation progress and reports annually to the Board of Directors on execution status and reviews.

Information security objects and scope

Target audience: including employees, customers, suppliers and shareholders, as well as operation-related information software and hardware equipment.
Scope: To ensure the information and communication security of the company, establish relevant rules and regulations, apply technological and data security standards, and incorporate them into the management operating system to protect the privacy and ensure the information and communication security when employees, suppliers, and customers conduct business dealings.

The 2023 information security implementation report was submitted to the Board of Directors on March 13, 2024.

  • Information Security Management Objectives

    • To maintain the continuous operation of each information system
    • To prevent hackers and various viruses from invading and damaging
    • To prevent improper and unlawful use of human intent
    • To prevent leakage of sensitive information
    • Avoiding human error accidents
    • Maintain physical environment and information security facilities and management methods

  • Information security facilities and management methods

    • Computer equipment security management
      • The company’s computer hosts, application servers and other equipment are set up in a dedicated server room, which is accessed by induction swipe cards, and access records are kept for inspection.
      • The computer room is equipped with independent air conditioning to maintain the operation of computer equipment in an appropriate temperature environment; and Co2 fire extinguishers are placed for general or electrical fires.
      • The mainframe of the server room is equipped with non-stop power supply equipment to avoid system crashes caused by unexpected power outages and to ensure that the operation of computer applications will not be interrupted during temporary power outages.
    • Network Security Management
      • The entrance to the external network is equipped with an enterprise-level firewall to block illegal hacker intrusion.
      • Connections with subsidiaries are made through leased lines to avoid illegal extraction of data during transmission.
      • To access the ERP system from remote access to the company's internet, employees must apply for a VPN account and log in through the VPN security method, and all usage records are kept for audit.
      • Configure Internet access management and filtering devices to control Internet access and block access to harmful or policy-unacceptable network addresses and content to strengthen network security.
    • Virus protection and management
      • Anti-virus software is installed in the server and colleague terminal computer equipment, and virus codes are automatically updated to ensure that the latest viruses are blocked and potentially threatening system executable files are detected and prevented from being installed.
      • The email server is equipped with email anti-virus and spam filtering mechanisms to prevent viruses or spam from entering the user's computer.
    • System access control
      • System accounts are created by the Information Technology Division through the company’s internal system permission application process and approved by the responsible supervisor, and access is authorized by the system administrator according to the requested functional authority.
      • The password of the account is set with the appropriate strength and number of letters and must be a mixture of letters and special symbols in order to pass.
      • When a colleague goes through the process of leaving (retirement), he or she must meet with the Information Service Department to delete each system account.
    • To ensure the sustainable operation of the system
      • System backup: A cloud backup system is built and a daily backup mechanism is adopted. In addition to the backup in the cloud storage, a copy is stored on each NAS server in the computer room to ensure the safety of the system and data.
      • Disaster Recovery Exercise: Each system implements an exercise once a year, and after selecting the restoration date reference point, the backup media is stored back on the system host, and then the user confirms the correctness of the restored data in writing to ensure the correctness and validity of the backup media.
      • Two data lines from telecommunication companies are leased, and through bandwidth management equipment, the two lines are connected in parallel for mutual backup to ensure uninterrupted network communication.
Information security execution status:

  • Education and Training

    • The Administration Department conducts induction training (including information security related) for new employees.
    • 2023/11/08 Implement information security promotion and information general education training (Taipei Branch, 1 hour, 6 people).
    • 2023/07/18 Implement information security promotion and information general education training (Yangzhou subsidiary, 1.5 hour, 21 people)

  • Information Security Promotion

    • The firewall equipment maintenance manufacturer completed the 2023 annual inspection project of information-information security promotion.
    • 2023/12/05 All the employees announced the information security policy.
    • Conduct annual computer maintenance inspection from 2023/04 to 2023/11 to raise employees' awareness of information security (Yangzhou subsidiary).
    • 2023/05/02 All the employees were announced dissemination of information security awareness - risk reminder for Chat GPT chat bot usage.

  • Information Security Management

    • Real-time update of server and terminal computer system operation: normal.
    • Real-time update of anti-virus and anti-hack operations of servers and terminal computers: normal.
    • Instantly detect the line to ensure the stability of the line so that the operation is not interrupted: normal.
    • Monthly review of anti-spam operation status: Normal.
    • Perform monthly backup of important systems: Achieved.
    • Complete information system shutdown and conduct annual UPS maintenance test on 2023/03/12.
    • Completed Information Services - 20230725-A - System Disaster Recovery Plan Exercise.
    • The computer login password system automatically requests personnel to change it periodically. Failure to do so will result in an automatic lockout.
    • Completed the information security self-assessment form and information asset inventory survey form on 2024/02/16.
Information security audits:
  • Information system authority and network account-related authority application. All applications are reviewed and approved in accordance with the company’s approval level and electronic signature process.
  • All the personnel will be deactivated by the system administrator according to the electronic sign-off process.
  • The internal information cycle audit (Taiwan Branch) is completed on 2022/11/11.
  • The internal information cycle audit (Yangzhou subsidiary) was completed on 2022/11/23.
  • The ERP system account privileges were reviewed and confirmed by the department head on 2022/12/13.
Information security execution results:

There were no information security incidents that affected the Company's operations in 2023.