Information Security Management

Information Security Policy

Rapid adoption of digital technologies at ASEH is driving an increased need to strengthen the protection of information assets. To that end, ASEH’s Information Security Policy is designed to safeguard the confidentiality and maintain the integrity and availability of all information assets in accordance with applicable laws and regulations, thereby increasing customer confidence, raising the company’s competitiveness and preventing operational disruptions. Information security risks are assessed in accordance with applicable laws and regulations and with operational objectives, and are reported to senior management and the Board of Directors on a regular basis to help set guidelines, strategies and targets.

ASE Technology Holding Co., Ltd. Information Security Policy

Information Security Management Organization

The Information Security Management Committee was established by the CSC to develop strategic plans, establish benchmarks for information security maturity assessments and coordinate all internal and external technical resources and information. Richard H.P. Chang, Vice Chairman of ASEH, has been appointed chair of the committee. The CAO and Corporate Governance Officer of ASEH is appointed the Chief Information Security Officer (CISO) of the committee and assumes responsibility for establishing the information security management framework, which includes regular reviews with all ASEH subsidiaries and the implementation of incident response plans. The committee provides a status report to the Board of Directors in the last quarter of each fiscal year. In addition, the Executive Secretariat of the Corporate CSR unit is responsible for promoting and executing information security-related work, and each subsidiary appoints its information security team as members of the committee, responsible for implementing the information security operations resolved by the Information Security Management Committee. We hold quarterly Information Security Management Committee meetings to report and discuss the progress of our information security work, and invite external experts to share information security trends and topics of concern.

Information Security Management Targets

As our business continues to grow, the amount of information generated has also increased exponentially. Safeguarding the confidentiality, integrity and availability of information forms the cornerstone of ASEH’s information security management. Besides identifying internal and external information security risks and formulating countermeasures, we conduct the NIST CSF maturity assessment at all facilities every year. Our cybersecurity policies are formulated to ensure the highest level of network and system protection and to mitigate the impact of any disruption. At the same time, education and training are actively conducted to enhance employee awareness of the importance of information security and to prevent major data breaches. Building resilience through a robust information security management system is key to corporate sustainability and will greatly boost stakeholder satisfaction.

Information Security Assessment and Maturity


Information Security Certification

To build corporate resilience and protect company assets, ASEH adopts internationally recognized information security standards that allow the company to improve network protection, establish effective management and control mechanisms for smart manufacturing and enhance our competitiveness.

International information security certification

ISO 27001

ASE Kaohsiung, ASE Chungli, ASE Shanghai (Material), SPIL, and USI adopted the ISO information security management standard to strengthen risk management associated with information security threats, including policies, procedures and staff training.

ISO 22301

ASE Kaohsiung, SPIL and USI have received ISO 22301 certification to strengthen internal capabilities to protect against, reduce the likelihood of, and ensure prompt recovery from disruptive incidents.

ISO 15408

ASE Kaohsiung and Chungli have received ISO 15408 EAL6 certification, the highest level of certification for security chip products. The certification provides assurance to customers that ASE has in place the highest security standard of information protection and information security control across its manufacturing facilities.

ISO 21434

ASE Kaohsiung is the first semiconductor assembly and testing facility in the world to receive the ISO/SAE 21434 international automotive network security standard certification with 100% compliance certified by TUV NORD of Germany.

IEC 62443-2-1

ASE Kaohsiung successfully completed the German TUV NORD’s professional evaluation and obtained the IEC 62443-2-1 certification, becoming the very first company in the Taiwan semiconductor industry to receive the certification.

GSMA

ASE Kaohsiung received the GSMA certification for meeting mobile communication security standards. The ASE Kaohsiung manufacturing site is now an accredited Universal Integrated Circuit Card (UICC) production (SAS-UP) supplier site.


Cybersecurity Maturity

To further strengthen ASEH’s cybersecurity and bolster the defences at all ASEH sites, we began adopting the NIST Cybersecurity Framework (CSF) in 2019. The framework categorizes all cybersecurity capabilities, projects, processes and daily activities into five core functions: Identify, Protect, Detect, Respond, and Recover. Each factory site can undertake individualized cybersecurity enhancements based on its own maturity assessment results and recommendations for improvement. We constantly benchmark ourselves against the semiconductor industry to better understand our own cyber maturity level. We assess the risks that impact each subsidiary in different cybersecurity areas, countries, or operations and consolidate resources to provide better guidance and support. We continued the maturity level assessment in 2022 and focused on consolidating the cybersecurity management status, progress, strategy updates and so on from all subsidiaries based on the NIST CSF’s five core functions. Driven by digital transformation trends, ASEH is cognizant of the convergence between IT and OT. In particular, the breadth of horizontal implementation is being extended from IT to OT, aiming to bring the maturity level of OT closer to that of IT. With that, we are adopting a strategic approach that will gradually enhance the cybersecurity defense capabilities of critical operational systems throughout the company.

Information Security Implementation and Safeguards

Cybersecurity Risk Identification and Management

On an annual basis, ASEH commissions a third-party company to conduct regular cybersecurity audits and assessments, such as external audits, vulnerability scanning, and penetration testing, to ensure that our information systems and network comply with security standards. We strictly enforce cybersecurity policies and implement customer privacy protection measures to avoid the unauthorized disclosure of the company’s confidential business information and customer data. In the event of unforeseen cyberattacks, the cybersecurity team convenes immediate technical exchanges and tactical meetings to analyze and review the relevant responses and defense measures, constructing a comprehensive and synchronized defense network.

In addition to continuous improvement in our IT management, we are also gradually transferring our IT cybersecurity experience to operational technology and initiating phased planning and implementation of cybersecurity assessments in the OT domain. Through assessments and testing conducted by external experts, potential cybersecurity threats and risks in the OT environment can be reduced. OT cybersecurity assessments were completed at four facility sites in 2022.

In addition to managing operational risks from the perspective of corporate governance, we work to increase employees’ cybersecurity awareness and enhance organizational operational capabilities. All employees at ASEH must receive PIP cybersecurity educational training, covering the cybersecurity policy, the cybersecurity management framework, cybersecurity control measures, etc. In 2022, a total of 53,991 individuals completed 40,019 hours of training courses. Additionally, occasional social engineering email drills were conducted to enhance employees' awareness of social engineering attacks delivered through email. We will gradually introduce systematic management mechanisms that incorporate participation in cybersecurity meetings, educational training, incident management, confidential file labeling, antivirus/software security, and other cybersecurity-related projects. Monitoring and audits are conducted as an extension of our scope of management, and compliance is integrated into employee KPIs to avoid penalties, legal liabilities, and impacts on business operations.

Increasing Cyber Resilience

There were no serious cybersecurity incidents at ASEH in the past three years. In addition to constructing a cybersecurity incident classification system and reporting/response procedures, we also conduct a cybersecurity incident drill annually to ensure fast responses in the event of incidents, reduce risks, and minimize the scope of damage. We also established the ASEH Information Security Management System, incorporating cybersecurity information and cybersecurity incident reporting, to facilitate the real-time acquisition and dissemination of cybersecurity information and the efficient handling of incident reports. Our goal is to gain a comprehensive understanding of the risk landscape, enhance response and defense capabilities, and establish a cross-functional collaborative defense mechanism. ASEH has also purchased cybersecurity insurance as a backup, enabling us to take immediate measures, reduce potential losses to the company, customers, and suppliers, and restore normal business operations quickly.

We conduct an incident recovery drill every six months. The drill covers the organizational structure, scope, duration, critical information systems, participating units, participating personnel and their assigned tasks, backup personnel, implementation steps and processes of the drill, required resources, risk management during the drill, post-drill review and improvement processes, among others. The purpose is to ensure the company can leverage disaster response capabilities and disaster recovery mechanisms to quickly restore operations to a normal or acceptable level for the business, and ensure uninterrupted operation of critical information systems. The drill will continue to be implemented to provide maintenance, management, and training to ensure the effectiveness of the backup systems.

Information Security Information Exchange

ASEH maintains close communication with government authorities, domestic and international information security organizations and platforms. We have also contributed significantly to the drafting of SEMI E187 - Specification for Cybersecurity of Fab Equipment, Taiwan's first semiconductor wafer equipment information security standard. As we advance into industry 4.0, our competitive edge is built upon a robust and effective information security management framework that will safeguard the company’s interests and that of our business partners and stakeholders.

Supply Chain Cybersecurity Management

The digitization of the supply chain and the exchange of large volumes of data have increased cybersecurity risks along the supply chain. In 2022, ASEH established the Supplier Cybersecurity Assessment System, which primarily focuses on critical suppliers and follows a four-step process: current situation, guidance for improvement, results confirmation, and follow-up evaluation. A total of 77 supplier cybersecurity assessments were conducted in the year. The scope of assessments will be gradually expanded and follow-up evaluations conducted every three years. We aim to construct a comprehensive cybersecurity management mechanism that provides stability for business operations, strengthens cybersecurity resilience, and raises the cybersecurity standards of the semiconductor industry.

Outcomes of Cybersecurity Measures in 2022

Cybersecurity policies, organizations, and goals

  • Zero material cybersecurity incidents

  • Formulated three cybersecurity goals for 2025

  • Convened four ASEH cybersecurity team meetings

Cybersecurity certification and maturity

  • One site obtained the ISMS ISO 27001 certification

  • One site obtained the IEC 62443-2-1 certification

  • Conducted the NIST cybersecurity maturity assessment at 19 sites

Cybersecurity measures and protection

  • Implementation of one ASEH Information Security Management System

  • OT cybersecurity assessment at four sites

  • Two cybersecurity incident drills

  • Providing cybersecurity educational training to 53,991 individuals

  • Accumulating 40,019 hours of cybersecurity educational training

  • Ongoing cybersecurity insurance coverage

  • Conducting cybersecurity assessments for 77 suppliers
