I. Information Security Governance System, Goals and Strategies
GUC's information security vision is to build a tight and effective information security defense network. Through consistent information security governance, the Company is gradually improving its comprehensive protection capabilities and aims to become an enterprise with outstanding performance and maturity in information security governance. The Information Security Department has overall charge of the information security system and related compliance. It also drives the implementation of the relevant operations so that information security awareness and professional capabilities keep improving. Through the application of technology, information security risks and weaknesses are identified and effective reinforcement measures are taken for them, in order to build a sound governance system and comprehensive information security protection capabilities while cultivating employees' information security awareness.
II. Security Policy Implementation
1. Formulate information security management guidelines in line with regulatory and customers' requirements.
2. Build a consensus on the comprehensive implementation of information security protection through the awareness of all employees.
3. Protect the confidentiality, integrity, availability and legal compliance of the Company's and customers' information.
III. Security Organizations
1. Security Committee
The "Information Security Committee" is responsible for the management and planning of information operations security and for the establishment and maintenance of the information security management system. As the top information security supervisors, its members oversee the execution of the Company's entire information security operations and the efficacy of the information security risk management mechanism, report to the chief financial officer and the responsible governance supervisors, update the senior executives' management meeting on progress each quarter, and present the execution results of the overall information security management organization, its information security operations and its system to the Board of Directors each year. A "meeting of information security representatives" is held at least once per year; its participants, more than 13 persons in total, include the personnel responsible for the relevant information systems and external information security consultants. The meeting reviews the information security development plans and implementation results, and announces information security policies and implementation focuses.
2. Proprietary Information Protection (PIP) Committee
PIP Committee: The PIP Committee is constituted by representatives designated by the supervisors of the respective divisions of the entire company (including its branches throughout the world). The committee has a total of 20 members including the chairperson. Executives at the vice general manager level hold quarterly meetings and are responsible for the research and discussion, establishment, audit and promotion of all the Company's proprietary information control operations. Protecting proprietary information is GUC's commitment to its customers, shareholders and employees. GUC understands that proprietary information protection is closely related to the Company's current and future competitive advantages. The "Proprietary Information Protection (PIP) Policy" has therefore been formulated to clearly define the Company's proprietary information protection management procedures and regulations, by which the Company can properly control its trade secrets and undisclosed confidential information related to GUC, ensuring the best interests of the Company, shareholders, employees, customers and suppliers. GUC's proprietary information protection is carried out according to the Plan-Do-Check-Act (PDCA) management cycle, which continuously strengthens the ability to protect proprietary information and enhances personnel's correct understanding of, and vigilance over, proprietary information protection, thereby reducing the risk of proprietary information leakage. GUC has also formulated management measures that incorporate information security and ethical management into employee performance evaluations.
2.1 Inspections are conducted on a quarterly basis to ensure the implementation of the Company's proprietary information protection measures.
2.2 Raise awareness of proprietary information and the rules to follow through everyday work and on various occasions.
2.3 Conduct educational training to improve employees' information security awareness and capability. In addition to listing proprietary information control as a mandatory topic for new employees’ training, all employees should also be re-trained twice every year to continuously strengthen and enhance their information security awareness.
| PIP training | 2021 | 2022 | 2023 |
|---|---|---|---|
| Total number of employees in the prevailing year | 757 | 759 | 819 |
| Ratio of employees who completed the training | 100% | 100% | 100% |
2.4 Regarding PIP violations, management measures have been formulated and reporting mechanisms have been established to assess responsibility and administer penalties. Punishments and required corrections are made according to the cause of the violation and the degree of its impact, and dissemination as well as educational training continues. The PIP violations occurring over the years are listed as follows:

| PIP violation condition | 2021 | 2022 | 2023 |
|---|---|---|---|
| Number of violations by colleagues | 6 | 1 | 1 |
| Number of violations by outsourcing suppliers | 0 | 0 | 0 |

The total number of violations resulting from employees' failure to comply with the proprietary information protection procedure in 2023 accounts for 0.122% of the number of employees.
IV. Security risk management framework countermeasures
1. Information security defense capability reinforcement and maturity evaluation:
Conduct regular information security tests to strengthen systems, and continue to carry out business continuity drills. Develop cybersecurity incident response plans and take the corresponding reporting and recovery actions. Carry out risk analysis based on objective verification results and threat information compiled by third-party agencies to upgrade and strengthen the information security management system.
The frequency of the external vulnerability scan has been increased from once per week to once per day, so that any high-risk vulnerability identified can be fixed at once.
To further reinforce its anti-hacking capabilities, the Company engaged a locally renowned white hat hacker team to conduct a Red Team offensive and defensive simulation assessment. Apart from proactively understanding attackers' thinking and strengthening employees' anti-hacking awareness, the experience has been used to continue improving the intranet automatic joint defense system.
2. Information security management procedures upgrade:
GUC has been ISO 27001 certified and keeps improving through annual reviews. GUC passed the second surveillance review of ISO 27001 in both 2022 and 2023. To meet the criteria of ISO/IEC 27001:2022, officially published by the International Organization for Standardization (ISO) on October 25, 2022, GUC has prepared its ISMS version transition and expects to complete certification to the new version in October 2024.
3. Risk management
The major risks concluded from the analysis of various possible combinations of threats and weaknesses assessed in annual risk assessments are as follows:
3.1 Fraudsters use fake emails to trick company’s employees into sending money or making transactions.
3.2 Industrial spies or the Company's competitors use hacking techniques to continuously intrude into the Company's internal hosts and steal internal information.
3.3 Crime groups work with hackers to distribute content with malicious links through emails, text messages, social media and messaging software. A victim's computer data may be encrypted and held hostage, with a high ransom then demanded for its recovery.
3.4 Hackers launch a large number of connection requests through the Internet, interrupting the normal operations of a company's network.
3.5 Internal employees use illegal software, or copy the company's confidential and sensitive information to portable storage devices, which may lead to information leakage if the devices are lost, stolen or sold.
3.6 Information software/hardware may be damaged due to natural or man-made disasters, resulting in service interruption or data loss.
3.7 The evaluation suggests that the likely losses resulting from the overall information security risk are still low and fall within the range the Company can absorb itself. The results of the annual evaluations are also reported to the Board of Directors.
3.8 No information security insurance has currently been taken out; however, for the above-mentioned risks, several measures, such as the application of information security management principles, the introduction of technological solutions, and the reinforcement of information security educational training, are employed concurrently to establish fortified information security management mechanisms. The key measures are as follows:
(3.8.1) Perform regular internal/external audits, pass and maintain ISO 27001:2013 certification, and upgrade the operation of the information security management system.
(3.8.2) Two social engineering attack simulation exercises are conducted every year. Employees who fail an exercise, or who fail two consecutive exercises, are then required to attend information security reinforcement training. Such training enhances employees' alertness to email fraud.
| Social engineering attack simulation | 2021 | 2022 | 2023 |
|---|---|---|---|
| Total number of employees in the prevailing year | 757 | 759 | 819 |
| Ratio of employees who completed the simulation | 100% | 100% | 100% |
(3.8.3) Install antivirus and EDR (Endpoint Detection and Response) protection on the client side to provide real-time anomaly detection and alerting as well as forensic analysis and endpoint recovery functions. Block USB storage device connections and prevent users from installing software. In addition, provide a backup file server for users to back up important data.
(3.8.4) With respect to the network layer, incorporate the use of firewalls to control network traffic and applications. Develop a security monitoring and management mechanism for intranet protection and database access.
(3.8.5) Employ a DRM (Digital Rights Management) system for confidential and sensitive documents together with disk encryption technologies to protect the confidentiality of documents.
(3.8.6) Adopt mail filtering and auditing systems and Anti-APT solutions to reduce the risks arising from email usage.
(3.8.7) Introduce fingerprint identification systems and swipe-card systems in gateway management to meet the physical security requirements of two-factor authentication.
(3.8.8) Centralize the management of hosts and establish environmental control and alarm mechanisms for the data center. Perform regular data backups and carry out emergency recovery drills on a yearly basis.
(3.8.9) Multi-factor authentication is mandatory for remote access, reducing the risk of password theft and credential stuffing attacks. In addition, remote sessions are fully video-recorded to effectively record user behavior and establish an audit trail.
3.9 A disaster recovery drill for important information systems is performed twice per year to ensure a timely response when system abnormalities occur, reduce system downtime, and lower the impact on the Company's operations.
3.10 A Red Team Assessment was conducted in 2022 to simulate an intrusion without affecting the Company's operations, in order to validate information security detection and response capabilities and understand the potential risk situation. The eight information security vulnerabilities found in the assessment have all been promptly remediated and protection measures adopted.
3.11 The persons responsible for the respective information systems are convened weekly to discuss the current week's information security incidents and adopt the required protection measures.
4. Training
The Information Security Department also conducts information security awareness educational training for all employees on a quarterly basis. The topics are determined based on the internal and external threats encountered. The topic for each quarter of 2023 is listed as follows:

2023 Information Security Awareness-raising Educational Training

| Quarter | Topic |
|---|---|
| Quarter 1 | Did you know that browser extensions can spy on personal data? |
| Quarter 2 | Business Email Compromise scams |
| Quarter 3 | Watch out for fake ChatGPT apps |
| Quarter 4 | QR Code phishing attacks |
V. Resources invested in information security
The Company keeps investing resources in information security related fields. Resources are invested in improving the fundamental structure for governance and technology, strengthening information security defense equipment, information and data monitoring and analysis, incident response drills, educational training and related areas, so as to comprehensively enhance the Company's information security capabilities.
VI. Incidents
A specific information security reporting and handling process has been established for information security incidents. Incidents are received and graded by the reporting point of contact of the information unit. If an incident is a major information security incident, it is reported to the risk management panel; the information unit must contain and resolve the incident within the scheduled time limit, and once the incident is fully handled, conduct a root cause analysis and adopt remedial measures to prevent a recurrence.

| Cyber security incidents | 2021 | 2022 | 2023 |
|---|---|---|---|
| Material cyber security incidents | 1 | 0 | 0 |
| Number of data leaks | 0 | 0 | 0 |
| Number of employee and customer personal information leaks | 0 | 0 | 0 |
| Amount of penalties resulting from information security incidents | 0 | 0 | 0 |
So far in 2023, we have not suffered any losses due to major security incidents.