Fortifying Digital Resilience
In response to the growing cyber security threats around the globe, FENC established the Information Security Management System (ISMS) to achieve the information security objectives and minimize impacts brought by information security incidents.
While the arrival of the digital age ushered in growing complexity and sophistication in business activities, it also ushered in threats to information security. Sustaining competitiveness in volatile times is now a critical issue for corporations. Driven by the urgency of information security management, FENC established the Information Security Department in 2022 based on the Regulations Governing Establishment of Internal Control Systems by Public Companies and the Information Security Control Guidelines for TWSE/TPEx Listed Companies. Headed by the Chief Information Security Officer, who is selected from among executives at the vice-president level, the department oversees the implementation of information security tasks to demonstrate FENC’s determination to defend corporate information security.
Information Security Department
On November 9, 2022, the Board of Directors at FENC approved the establishment of the Information Security Department and the appointment of Alan Tsai, Executive Vice President of Corporate Management, as the Chief Information Security Officer. The department is in charge of the implementation of information security tasks, such as the establishment and tracking of indicators for information security performance, information security protection and related training. The department works in conjunction with the Information and Technology Center to manage corporate information security.
Information Security Joint Defense Team and Committee
To implement and bolster information security, FENC established the Information Security Joint Defense Team and Committee. While the Information Security Department is in charge of the implementation and monitoring of information security as well as applications of new technology, an information security defense team is established under each unit to reinforce the defense shield. Units with such a team in place include the Corporate Staff Office as well as the Human Resources, Accounting, Finance, Legal, Secretarial, Shipping, Labor Safety and Health Departments under Corporate Management. Information security staff from each unit provide assistance in implementing information security tasks, creating an integrated inter-departmental shield against cyber threats. The Audit Department conducts internal audits over information security undertakings to ensure compliance with the internal control system as well as governmental regulations. The Information and Technology Center is in charge of the maintenance and repair of the information security facilities.
Establish and Comply with ISMS
FENC started incorporating the ISO 27001 information security management system in 2014, establishing protocols regarding the management of information authorization, data backup, system development, supplier management and intellectual property. Since 2016, FENC has been third-party verified every three years. The latest verification on ISO 27001:2013 was obtained in September 2022 and it will remain effective until September 2025. FENC continues to implement the Plan-Do-Check-Act (PDCA) management for the ISMS.
Establish Information Security SOP
FENC joined the Taiwan CERT/CSIRT Alliance (see note) and established the SOP for dealing with information security incidents. The SOP delineates applicable procedures and measures, including reporting procedures and staff accountability. The goal is to eliminate information security incidents in the shortest time possible and establish correction and prevention plans accordingly. In 2022, there were no major information security incidents at FENC and no financial losses caused by information security incidents.
Note: CERT/CSIRT refers to Computer Emergency Response Team (CERT) and Computer Security Incident Response Team (CSIRT).
Implement Information Security Incident Reporting and Handling
Services for the monitoring and surveillance of information security incidents have been incorporated to consolidate security logs from multiple sources, including the firewall, intrusion-detection system, anti-virus software system and end-point detection and response. The incidents are detected, collected, analyzed and managed to effectively avert potential cybersecurity threats. Information concerning data security is consolidated and managed to provide alerts before an incident, real-time warnings during it and analysis afterwards. The services ensure that a proper protocol is followed in the case of such incidents and minimize the harm and damage to key information systems, assets and operations.
Strengthen Information Security Management and Training
In addition to promoting information security and providing training for staff, FENC requires system developers and managers to comply with rules and regulations governing system establishment and safety management. FENC aims to heighten information security awareness to minimize risks.
Ensure the Effectiveness of Information Security Protection
To prevent cyber threats, the network infrastructure adopts a multi-layered design armed with a multitude of information security protection systems as well as threat detection and response mechanisms. The design facilitates intelligence sharing, vertical communication as well as reporting and monitoring to build robust information security governance and reduce risks.