Fortifying Digital Resilience
In response to the growing cyber security threats around the globe, FENC established the Information Security Management System (ISMS) to achieve the information security objectives and minimize impacts brought by information security incidents.
While the arrival of the digital age ushered in growing complexity and sophistication in business activities, it also ushered in threats to information security. Sustaining competitiveness in such volatile times is now a critical issue for corporations. Driven by the urgency of information security management, FENC established the Information Security Department in 2022 based on the Regulations Governing Establishment of Internal Control Systems by Public Companies and the Information Security Control Guidelines for TWSE/TPEx Listed Companies. Headed by the Chief Information Security Officer, the department oversees the implementation of information security tasks, demonstrating FENC’s determination to defend corporate information security.
Information Security Department
On November 9, 2022, the Board approved the establishment of the Information Security Department to spearhead the implementation of information security tasks, such as indicator setting, performance tracking and information security protection and training, working in tandem with the Information and Technology Center on information security management.
Information Security Management Framework
Information Security Joint Defense Team and Committee
To implement and bolster information security, FENC established the Information Security Joint Defense Team and Committee. While the Information Security Department is in charge of the implementation and monitoring of information security as well as applications of new technology, an information security defense team is established under each unit to reinforce the defense shield. Units with such a team in place include the Corporate Staff Office as well as the Human Resources, Accounting, Finance, Legal, Secretarial, Shipping, Labor Safety and Health Departments under Corporate Management. Information security staff from each unit provide assistance in implementing information security tasks, creating an integrated inter-departmental shield against cyber threats. The Audit Department conducts internal audits over information security undertakings to ensure compliance with the internal control system as well as governmental regulations. The Information and Technology Center is in charge of the maintenance and repair of the information security facilities.
Information Security Management System and Business Continuity Management
FENC started incorporating the ISO 27001 information security management system (ISMS) in 2014, establishing protocols regarding the management of information authorization, data backup, system development, supplier management and intellectual property. Since 2016, FENC has been third-party verified every three years. The latest verification for ISO 27001:2013 was obtained in September 2022 and will remain effective until September 2025, while FENC continues to operate its information security systems under the PDCA (Plan-Do-Check-Act) management cycle.
Additionally, FENC has been implementing the ISO 22301 business continuity management system to fortify its crisis response and ensure business continuity, advancing digital resilience through risk assessment, crisis management and resource allocation. In December 2023, FENC’s subsidiary, Shanghai Far Eastern IT Corp., obtained the ISO 22301:2019 certification, which is valid until December 2026. Obtaining the certification requires the integration of the ISMS and business continuity management to create a comprehensive security and operational shield, which is a testament to FENC’s commitment to business continuity and information security.
Strengthen Information Security Management
1. Establish Information Security SOP
FENC joined the Taiwan CERT/CSIRT Alliance (see Note 1) and established the SOP for dealing with information security incidents. The SOP delineates the applicable procedures and measures, including reporting proceedings and staff accountability. The goal is to contain and resolve information security incidents in the shortest possible time and to establish corrective and preventive plans accordingly. In 2023, there were no major information security incidents (see Note 2) at FENC and no financial losses caused by information security incidents.
Note:
1. CERT/CSIRT refers to Computer Emergency Response Team (CERT) and Computer Security Incident Response Team (CSIRT).
2. A major information security incident refers to an incident that results in damages exceeding NT$100 billion for FENC.
2. Implement Information Security Incident Reporting and Handling
Services for the monitoring and surveillance of information security incidents have been incorporated to consolidate security logs from multiple sources, including the firewall, intrusion-detection system, anti-virus software and endpoint detection and response (EDR). Incidents are detected, collected, analyzed and managed to effectively avert potential cybersecurity threats. Security-relevant information is consolidated and managed to provide alerts before an incident, real-time warnings during it and analysis after it. The services ensure that a proper protocol is followed in the case of such incidents and minimize the harm and damage to key information systems, assets and operations.
3. Strengthen Information Security Management and Training
In addition to promoting information security and providing training to staff, FENC requires system developers and managers to comply with the rules and regulations governing system establishment and safety management. FENC aims to heighten information security awareness in order to minimize risks.
4. Ensure the Effectiveness of Information Security Protection
To prevent cyber threats, the network infrastructure adopts a multi-layered design armed with a multitude of information security protection systems as well as threat detection and response mechanisms. The design facilitates intelligence sharing, vertical communication, reporting and monitoring to build robust information security governance and reduce risks.
Supply Chain Information Security Management
To strengthen resilience in supply chain information security and construct a safe and reliable defense network, FENC created the FENC Supplier Information Security Agreement based on the Information Security Control Guidelines for TWSE/TPEx Listed Companies. The Company also performed a stocktake of its core systems and designed a rating matrix that classifies suppliers’ information security maturity based on their management, defense, detection and response capabilities, serving as a reference for supplier management. An information security incident occurring at a supplier’s end immediately activates FENC’s information security defense mechanism, which then monitors the entire incident.