Fortifying Digital Resilience
In response to the growing cyber security threats around the globe, FENC established the Information Security Management System (ISMS) to achieve the information security objectives and minimize impacts brought by information security incidents.
While the arrival of the digital age ushered in growing complexity and sophistication in business activities, it also ushered in threats to information security. Upholding sustainable competitiveness amid capricious times is now a critical issue for corporations. Driven by the urgency of information security management, FENC established the Information Security Department in 2022 based on the Regulations Governing Establishment of Internal Control Systems by Public Companies and Information Security Control Guidelines for TWSE/TPEx Listed Companies. Headed by the Chief Information Security Officer, the department oversees the implementation of information security tasks to demonstrate FENC’s determination to defend corporate information security.
Building a Resilient Information Security Organization
1. Information Security Department
On November 9, 2022, the Board approved the establishment of the Information Security Department to spearhead the implementation of information security tasks, such as indicator setting, performance tracking and information security protection and training, working in tandem with the Information and Technology Center on information security management.
Information Security Management Framework
2. Information Security Joint Defense Team and Committee
To implement and bolster information security, FENC established the Information Security Joint Defense Team and Committee. While the Information Security Department is in charge of the implementation and monitoring of information security as well as applications of new technology, an information security defense team is established under each unit to reinforce the defense shield. Units with such a team in place include the Corporate Staff Office as well as the Human Resources, Accounting, Finance, Legal, Secretarial, Shipping, Labor Safety and Health Departments under Corporate Management. Information security staff from each unit provide assistance in implementing information security tasks, creating an integrated interdepartmental shield against cyber threats. The Audit Department conducts internal audits over information security undertakings to ensure compliance with the internal control system as well as governmental regulations. The Information and Technology Center is in charge of the maintenance and repair of the information security facilities.
3. Establishing Information Security Sub-Committee of Far Eastern Group
In December 2023, FENC formed the Information Security Sub-Committee (ISSC) with multiple affiliates under Far Eastern Group (FEG), including Far EasTone Telecommunications Co. Ltd., Asia Cement Corporation and Far Eastern International Bank. Initiating its operation in 2024, ISSC is tasked with coordinating the joint defense of information security and resource allocation within FEG. ISSC also improves the overall defense by leveraging synergistic effects through policy exchanges, emergency support, incorporation of technologies and equipment as well as talent development.
Strengthening Information Security Management Mechanisms
1. Information Security Management System and Business Continuity Management
FENC started incorporating the ISO 27001 information security management system (ISMS) in 2014, establishing protocols regarding the management of information authorization, data backup, system development, supplier management and intellectual property. Since 2016, FENC has been third-party verified every three years. The latest verification for ISO 27001:2013 was obtained in September 2022. The verification will remain effective until September 2025. Given the rapid evolution of the cybersecurity landscape, FENC stays vigilant and aligns with the latest international standards. In July 2024, the Company moved ahead of schedule and fully transitioned to the latest ISO/IEC 27001:2022 certification, demonstrating its conviction to safeguard information security. The Company also continues implementing the Plan-Do-Check-Act (PDCA) cycle for information security management while learning and adopting the NIST Cybersecurity Framework to strengthen network security.
Additionally, FENC has been implementing the ISO 22301 business continuity management system. In December 2023, FENC’s subsidiary, Shanghai Far Eastern IT Company, obtained the ISO 22301:2019 certification, which is valid until December 2026. Obtaining the certification requires the integration of the ISMS and business continuity management to create a comprehensive security and operational shield, which is a testament to FENC’s commitment to business continuity and information security.
2. Establish Information Security SOP
FENC joined Taiwan CERT/CSIRT Alliance (see Note 1), SP-ISAC and Taiwan Chief Information Security Officer Alliance, and established the SOP for dealing with information security incidents. The SOP delineates applicable procedures and measures, including reporting proceedings and staff accountability. The goal is to eliminate information security incidents within the least amount of time and establish correction and prevention plans accordingly. In 2024, there were no major information security incidents (see Note 2) at FENC and no financial losses caused by information security incidents.
Note 1: CERT/CSIRT refers to Computer Emergency Response Team (CERT) and Computer Security Incident Response Team (CSIRT). SP-ISAC refers to Science Park Information Sharing and Analysis Center.
Note 2: A material information security incident is defined based on the frequently asked questions regarding the Taiwan Stock Exchange Corporation Procedures for Verification and Disclosure of Material Information of Companies with Listed Securities.
3. Implement Information Security Incident Reporting and Handling
Services for the monitoring and surveillance of information security incidents have been incorporated to consolidate security logs from multiple sources, including the firewall, intrusion-detection system, anti-virus software system and end-point detection and response. The incidents are detected, collected, analyzed and managed to effectively avert potential cybersecurity threats. Information concerning data security is consolidated and managed to effectively provide alerts before, real-time warnings during and analysis after the incident. The services ensure that a proper protocol is followed in the case of such incidents and minimize the harm and damage to the key information systems, assets and operations.
4. Implementing Supply Chain Information Security Management
To strengthen the resilience of supply chain information security and construct a safe and reliable defense network, FENC created the FENC Supplier Information Security Agreement based on the Information Security Control Guidelines for TWSE/TPEx Listed Companies. The Company also performed a stocktake for its core systems and designed a rating matrix, classifying suppliers’ information security maturity according to the management, defense, detection and response capabilities as a reference for supplier management. Information security incidents occurring at the supplier’s end would immediately activate FENC’s information security defense mechanism, which would then monitor the entire incident
Information Security Management and Training
1. Information Security Training
FENC places high emphasis on information security training. While the training heightens employee awareness, the system developers and managers are also required to adhere to the standards governing system establishment and security management to reduce cybersecurity risks. In 2024, the designated information security units at FENC held eight training sessions with the aim of increasing awareness and honing risk response capabilities among all employees. A total of 1,074 participants took advantage of the training through diverse channels, including in-class, online streaming and digital sessions. The training is customized based on duties and business needs, offering content and case studies on cloud service security management, information security risks for emerging technologies, IoT information security control as well as information security risks at the operational level. The training has helped employees stay vigilant when it comes to information security.
2. Social Engineering Drills
As a measure to enhance employees’ ability to safeguard information security, FENC conducted phishing drills for nearly 200 employees in 2024. The drills simulate actual network attacks to enhance risk response towards social engineering threats. The majority of the participating employees stayed alert towards the phishing emails and did not respond. However, a few did click on the link and provided personal information. Enhanced training was provided to improve their information security awareness.