The ASEH Information Security Management Committee was established by the ASEH Board of Directors’ Corporate Sustainability Committee (CSC) to ensure corporate governance in response to the company’s acceleration towards smart manufacturing. The Committee is dedicated to enhancing information security, preventing and mitigating information security threats and risks by developing strategic plans for information security, establishing benchmarks for information security maturity assessments, promoting information security risk management in ASEH subsidiaries, and coordinating internal and external technologies, resources and information. The ASEH Information Security Management Committee is headed by the chief information security officer, who is responsible for establishing the information security management framework, regular reviews of all ASEH subsidiaries’ information security management and incident response plans, and the submission of the information security governance report to the Board of Directors in the last quarter of each fiscal year. ASEH is committed to corporate sustainability and has formulated its Information Security Policy https://www.aseglobal.com/en/pdf/2020_ASETH_ISMP_EN.pdf as the foundation on which its corporate management practices are built to ensure the security of the information assets of the company, employees and suppliers.
As a multinational company with leading-edge IC assembly, testing and material technologies, it is especially important for ASEH to adopt a highly integrative, compatible and flexible information security maturity assessment model. In addition to our major subsidiaries, ASE Kaohsiung and Universal Scientific Industrial, obtaining ISO 27001 certification for their information security management systems (ISMS), ASEH adopted the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) maturity assessment tool. The NIST CSF combines a competency model with global open standards to create a risk-based management framework for continuous assessment of and improvements to an organization’s information security. The framework organizes its core into five functions - Identify, Protect, Detect, Respond and Recover - which are used to assess the organization’s information security maturity, promote comprehensive planning for internet security and execute regular improvement plans.
The NIST CSF’s five major functions are broken down into 23 categories and 108 subcategories. Based on these categories, ASEH designed an assessment table that cross-references the company’s attributes, technologies, cyber-attacks and cyber-threats, to conduct comprehensive assessments of major subsidiaries’ performance. ASEH also carried out industry benchmarking on information security maturity, and integrated information security legal compliance into its supply chain security management, internal information protection and control, and the group’s auditing system.
To ensure business continuity in the company’s operations and business activities, ASEH conducts an annual disaster recovery drill to mitigate the risk of service disruptions caused by major crisis events affecting the company’s information systems. The drill plan includes the task team organization chart, scope, time, critical information systems, participating departments, participating personnel and their tasks, recovery personnel, steps and procedures, resources required, risk management, and post-drill review and improvements. The drill prepares the company for prompt disaster response to ensure the continuous operation of information systems in times of crisis. To ensure that appropriate management procedures will be observed by employees in the event of an emergency, ASEH has established procedures for the reporting and handling of information security incidents. The procedures allow employees to report any security incident so that it is handled promptly, followed by efficient responses that mitigate information security risks. ASEH has had no major information security incidents in the past three years. To maintain its information security capabilities and performance, the company commissions a third-party auditor to conduct an annual audit and review of its information security performance, during which a vulnerability scan and penetration test are performed to ensure that the company’s information systems and network environment are compliant with the code of practice for information security management. ASEH protects its trade secrets and client data through strict enforcement of its information security policy and client privacy protection measures. In the event of a sudden external cyber-attack, representatives of ASEH subsidiaries immediately convene to exchange technical information and to update and discuss responses and countermeasures. External experts on information security are also invited to these meetings to conduct reviews and analyses.
This proactive approach, coupled with the prompt analysis and handling of information security incidents, forms a comprehensive information security safety net.
In addition to mitigating the company’s operational risks from a corporate governance standpoint, raising our employees’ information security awareness and enhancing the company’s operational capabilities play a major part in ASEH’s information security management policies. All ASEH employees participate in the company’s annual Proprietary Information Protection (PIP) training course, which covers the information security policy, management framework, and control measures. In 2019, 47,959 employees participated in the PIP training course for a total of 32,428 training hours. Employees who violate the company’s information security policy are subject to a set of information security disciplinary procedures that also take into account the employee’s performance. The preceding measures reduce the company’s exposure to potential penalties and legal liabilities, and lessen impacts on its business operations. ASEH is committed to enhancing its information security technologies and capabilities, and spares no effort in the training of information security personnel and establishing back-ups. Through the deployment of information security regulations and standards, we aim to continue the integration of our management systems and technology, and to foster the comprehensive development and improvement of our information security management. In parallel, by assuring our supply chain partners and stakeholders of the robustness of ASEH’s information security infrastructure, we are helping to ensure that the company’s future and competitive edge are secured in the era of smart manufacturing.