Faced with today's information security threats, CTCI has adopted the ISO 27001 standard for information risk management since 2014, and is committed to reducing the probability and impact of security risks and to improving the company's ability to continue business operations. An Information Security Promotion Committee was also established, with President Michael Yang, who is one of the board members, serving as its chairman. The committee is responsible for promoting information security and holds at least one information security management review meeting every year, where it reviews the risk assessment report, the "risk treatment plans," and other matters related to information security management.
A complete notification process has been set up for information security-related issues. Mr. Gino Tsai, Chief Information Officer and Executive Secretary of the Information Security Promotion Committee (who holds a master's degree in information management from National Taiwan University), reports the effectiveness of security management to the board of directors every year on behalf of the committee. Director Johnny Shih, who holds a master's degree in computer science and an MBA from Columbia University in the United States, has a solid IT background and is able to provide professional advice on information security.
▼ Information Security Team -- Information Security Promotion Committee
▼ Four Major Goals of the CTCI Information Security Policy
▼ The Management Cycle of Information Security System
Information Security Risk Assessments
Through the annual information security risk assessments, CTCI has analyzed the possible threats and weaknesses, which include:
Investments and Trainings on Information Security
CTCI continues to invest resources in information security every year, including strengthening information security facilities, improving security management systems, and providing education and training, among other measures. These are implemented across both the management and technical aspects so as to boost overall information security. To prevent incidents, we not only perform operational drills at the Kaohsiung backup computer facility every year, but also incorporate weekly remote backup, storage, and restore testing of important system data, as well as biannual vulnerability scanning, into routine security operations.
Social engineering attack drills, in which employees are picked at random to participate, are conducted quarterly in order to raise information security awareness. In 2019, 6,104 people were selected to take part in the drills. Information security announcements were published on the company's internal website so that employees could learn how to use email safely, and the announcements were read by 1,711 employees. We also carried out security training specifically designed for the system administration staff of the Engineering Division and the IT Division. Security training of all kinds totaled 365 hours. Courses included: understanding social engineering attacks, ISO 27001 information security management operations, key points in secure program development, and network security and management.
▼ Information Security Management Outcomes
▼ ISO 27001 Certification