I. Information Security Governance System, Goals and Strategies

GUC's vision is to build a mature and effective network of defenses, gradually improving its overall protection based on a foundation of consistent governance, in order to become a leader in security. The Information Security Department coordinates information security and compliance systems and promotes their implementation to continuously improve information security awareness and skills. We identify information security risks and vulnerabilities through technology, build sound governance and comprehensive security capabilities to effectively reinforce them, and cultivate security awareness.


II. Security Policy Implementation

1. We establish information security management specifications that comply with regulations and customer needs
2. We reach consensus on information security protection and full implementation through awareness by all staff
3. We protect the confidentiality, integrity, availability and legal compliance of all company and customer information


III. Security Organizations

1. Security Committee
The Security Committee is responsible for implementing the security management plan, and establishing and maintaining security management systems. The information security supervisor supervises the implementation of the company's security operations and the effectiveness of risk management mechanisms, and regularly reports the overall implementation results of security management operations and systems to the Board of Directors. A Security Representative Meeting is held on an annual basis to review the security development plan and implementation results, disclosing relevant security policies and key points of implementation.

2. Proprietary Information Protection (PIP) Committee
PIP Committee: Composed of representatives designated by the heads of all departments; responsible for research, establishment, audit and promotion of PIP controls.

GUC has a commitment to its customers, shareholders and staff to protect confidential information. With an understanding that Proprietary Information Protection (PIP) relates to the company's current and future competitive advantages, GUC formulated a PIP policy to specify management procedures and rules for protection of confidential company information, helping properly control its business secrets and related undisclosed information to ensure the best interests of the company, shareholders, employees, customers and suppliers. GUC uses a Plan-Do-Check-Act (PDCA) management cycle for PIP, continuously strengthening its confidential information protection ability, and improving the staff's concepts of PIP and vigilance to reduce the risk of information leakage.

2.1 Quarterly audits are carried out to ensure the implementation of the PIP measures.
2.2 GUC promotes the concept of proprietary information and compliance through daily work and various occasions. 
2.3 We have implemented employee education and training to improve employee security awareness and capabilities. In addition to including content related to PIP as a mandatory training course for new recruits, all employees must undergo recurrent training every year in order to continuously strengthen and enhance their security awareness.

IV. Security risk management framework countermeasures

1. Strengthen security capabilities and maturity assessment:
We regularly test and strengthen the information security system, and continue to conduct continuous operations and contingency drills. We established an incident response plan and take corresponding notification and recovery actions. At the same time, we carry out risk analysis through results and threat information verified by third parties to further strengthen security management.

The frequency of external vulnerability scans has been increased from monthly to weekly. Any high-risk vulnerabilities found are patched within a week. The execution results are as follows.
[Figure: Vulnerabilities discovered; Branch offices]

2. Advanced security procedures:
GUC complies with the ISO 27001 international certification standards related to information security, and makes continuous improvements through annual reviews.


3. Risk management
The main items analyzed through the annual risk assessments, selected from all possible combinations of threats and vulnerabilities, include:

3.1 Fraud groups use fake emails to trick employees into sending money or making company transactions.
3.2 Commercial espionage, or competitors use hacking to penetrate internal hosts and steal internal information.
3.3 Criminal groups work with hackers to distribute content through malicious links in emails, text messages, social media, and communication platforms and encrypt the data on the victim's computer, demanding a ransom.
3.4 Attackers launch a large number of online connection requests, disrupting the normal operation of the company's network.
3.5 Employees use illegal software or copy the company's sensitive internal data to portable storage devices, resulting in leakage due to loss, theft or sale.
3.6 Natural or man-made disasters damage software or hardware, resulting in service interruption or data loss.
3.7 We currently do not have security insurance. In the absence of insurance, our multi-pronged approach to improving information security management for the above risks, using security management principles, technological solutions and information security education and training, includes the following key measures:

3.7.1 Regular internal and external audits. We have passed and maintain ISO 27001:2013 certification, and have improved our information security operations.
3.7.2 Regular social engineering attack simulation exercises, as well as security education and training to enhance employee awareness of email protection.
3.7.3 Client-side antivirus software and Endpoint Detection and Response (EDR) protection systems perform real-time anomaly detection and alerting, forensic analysis, and endpoint repair. We block connections of USB storage devices, as well as automatic software installation. Backup servers store important information.
3.7.4 The network layer uses a firewall to control network traffic and applications. We use a security monitoring and management mechanism for intranet protection and database access.
3.7.5 Document confidentiality is ensured using a Digital Rights Management (DRM) system and disk encryption.
3.7.6 Email filtering and auditing systems and Anti-APT software reduce the risks from email usage.
3.7.7 Fingerprint identification and card swiping systems for gate management to meet the physical security requirements of two-factor authentication.
3.7.8 Our systems are further reinforced through centralized host management, environmental control and alarm mechanisms in the computer room, regular data backup, and annual disaster recovery drills.

4. Training
The Security Department also conducts quarterly information security training for all staff. The theme is planned according to the current internal and external threat situation. The themes of each quarter in 2021 were as follows:

2021 Monthly Security Training Program

Quarter   Theme
Q1        Identification of malicious websites
Q2        Malware prevention and home office security
Q3        Prevention of social engineering attacks & phishing tests
Q4        PIP regulations for email


V. Resources invested in information security

We have continued to invest in information security to comprehensively improve our capabilities. In 2021, our investments increased by 190% compared with 2020. The investments included governance and technology infrastructure improvements, security equipment, intelligence monitoring and analysis, and incident response drills and training.


VI. Incidents

Notification and handling procedures for security incidents are clearly defined. Incidents are recorded by the information unit notification window and an event level is set. The risk management team is notified of major incidents. We eliminate and resolve incidents within the target processing time, and complete root cause analysis and take corrective measures after handling to prevent recurrence.

So far in 2021, we have not suffered any losses due to major security incidents.