Information Security Management
Information Security Policy, Organization and Targets
Rapid adoption of digital technologies at ASEH is driving an increased need to strengthen the protection of information assets. To that end, ASEH’s Information Security Policy is designed to safeguard the confidentiality and maintain the integrity and availability of all information assets in accordance with applicable laws and regulations, thereby increasing customer confidence, raising the company’s competitiveness and preventing operational disruptions. Information security risks are assessed against applicable laws and regulations and operational objectives, and reported to senior management and the Board of Directors on a regular basis to help set guidelines, strategies and targets.
The Information Security Management Committee, responsible for overall information security across all subsidiaries, was established by the CSC to develop strategic plans, establish benchmarks for information security maturity assessments and coordinate all internal and external technical resources and information. Richard H.P. Chang, Vice Chairman of ASEH, has been appointed chair of the committee.
The Chief Information Security Officer (CISO) of the Information Security Management Committee, who is also the Group Chief Administration Officer and Corporate Governance Officer of the Company, assumes responsibility for the establishment of the information security management framework that includes regular reviews with all subsidiaries of ASEH and implementing incident response plans. The committee provides a status report to the Board of Directors in the last quarter of each fiscal year. In addition, the Executive Secretariat of the Company's Corporate CSR Division is responsible for promoting and executing information security-related work, and each subsidiary appoints its information security team as members of the committee to be responsible for implementing information security operations as resolved by the Information Security Management Committee. We regularly hold quarterly meetings of the Information Security Management Committee of ASEH to report and discuss the progress of our information security work, and invite external experts to share information security trends and significant issues.
As our business continues to grow, the amount of information generated has also increased exponentially. Safeguarding the confidentiality, integrity and availability of information forms the cornerstone of ASEH’s information security management. Besides identifying internal and external information security risks and formulating countermeasures, we conduct the NIST CSF maturity assessment at all facilities every year. Our cybersecurity policies are formulated to ensure the highest level of network and system protection and to mitigate the impact of any disruption. At the same time, education and training are actively conducted to enhance employee awareness of the importance of information security and to prevent major data breaches. Building resilience through a robust information security management system is key to corporate sustainability and will greatly boost stakeholder satisfaction.
For more details, please refer to the ASEH Information Security Policy.
Information Security Assessment and Maturity*
| Facility | Management System | Issue Date | Valid Until |
|---|---|---|---|
| ASE Kaohsiung | ISO 27001:2013 | 2020/4/14 | 2023/4/13 |
| ASE Chungli | ISO 27001:2013 | 2020/11/20 | 2023/11/19 |
| ASE Shanghai (Material) | ISO 27001:2013 | 2022/7/4 | 2025/7/3 |
| SPIL Da Fong | ISO 27001:2013 | 2020/12/4 | 2023/12/3 |
| SPIL Chung Shan | ISO 27001:2013 | 2020/12/4 | 2023/12/3 |
| SPIL Zhong Ke | ISO 27001:2013 | 2020/12/4 | 2023/12/3 |
| SPIL Hsinchu | ISO 27001:2013 | 2020/12/4 | 2023/12/3 |
| SPIL Changhua | ISO 27001:2013 | 2020/12/4 | 2023/12/3 |
| USI Nantou | ISO 27001:2013 | 2020/6/2 | 2023/6/1 |
| USI Zhangjiang | ISO 27001:2013 | 2020/6/2 | 2023/6/1 |
| USI Kunshan | ISO 27001:2013 | 2020/6/2 | 2023/6/1 |
| USI Jinqiao | ISO 27001:2013 | 2020/6/2 | 2023/6/1 |
| USI Shenzhen | ISO 27001:2013 | 2020/6/2 | 2023/6/1 |
| USI Mexico | ISO 27001:2013 | 2020/6/2 | 2023/6/1 |
As a multi-national company with leading-edge IC assembly, testing and material technologies, it is critical for ASEH to adopt a highly integrative, compatible and flexible information security maturity assessment model, one that supports continuous assessment so that year-on-year changes in strategy and in the strength of the organization's overall information security defenses can be captured effectively. Since 2019, ASEH, working with external consultants, has formally adopted the NIST CSF maturity assessment mechanism, with the initial targets of benchmarking against semiconductor industry standards and gaining a better understanding of its own condition. The target going forward is to refine and enhance the various information security requirements year by year. ASEH and its facilities tailor improvements to their own information security systems according to the results and recommendations of the maturity assessments. The Company may also use the maturity assessment results to understand the corresponding information security risks of different regions, countries or operations. ASEH takes a step further to consolidate its resources and guidance so as to implement and continuously strengthen the foundation of overall corporate information security management.
The NIST CSF combines industry standards and best practices to create a management framework for organizations to manage their cybersecurity risks.
The framework applies five key functions (identify, protect, detect, respond and recover) to assess an organization’s information security maturity, with the aim of establishing an information security management cycle through comprehensive cybersecurity planning and the execution of regular improvement plans.
ASEH adopts internationally recognized information security standards to continuously evaluate and improve workflows and management measures. ASE Kaohsiung, ASE Chungli, SPIL and USI have each obtained ISO 27001 certification for their information security management systems (ISMS). ASE Kaohsiung and SPIL have also successively obtained ISO 22301 certification for their business continuity management systems (BCMS) to strengthen crisis management and disaster response. ASEH will continue to adopt efficient, risk-based and systematic approaches to build a comprehensive information security management system. In addition, with the advent of 5G, the Internet of Things and the global smart car era, ASE Kaohsiung is facing an accelerating digital transition and is the first semiconductor assembly and testing facility in the world to receive ISO/SAE 21434 international automotive network security standard certification, certified with 100% compliance by TUV NORD of Germany. Moreover, it passed the mobile communication security certification standard and obtained GSMA certification. As a manufacturer, it completed a comprehensive audit of its production sites and processes to comply with the UICC production security standard (GSMA SAS-UP), in order to continuously improve the overall information security protection network and its management and control mechanisms, and to establish an information security management system with a comprehensive sustainability mindset and strategy.
Information Security Implementation and Safeguards
Under the trend of promoting digital transition, ASEH continues to refine information technology (IT) and gradually transfers information security-related experience to operational technology (OT). The Company has further begun to plan and execute OT information security checks in phases, aiming to minimize potential threats and risks in the OT information security environment through external expert inspection and testing. As part of the company’s business continuity management, ASEH conducts two disaster recovery drills per year to ensure that the organization can respond effectively to an actual disaster and minimize the impact on business operations.
The elements of the drill plan include the drill organization chart, scope, timing, critical information systems, participating departments, participating personnel and roles, recovery personnel, steps and procedures, resources, risk management, and post-mortem. Drill plans prepare the company to promptly respond to emergencies and reinstate information systems to normal or acceptable levels, ensuring the effectiveness of the recovery mechanism.
ASEH has had no major information security incidents over the past three years. We have formulated procedures covering information security incident levels, timely reporting and response, and we execute an annual information security incident drill. Through these management mechanisms we are able to handle information security incidents in a timely manner, reduce risks and minimize the scope of damage, and we plan for automatic and immediate access to and transmission of information security information, with the aim of enhancing the overall information security response and protection capability and establishing a horizontal joint prevention mechanism for information security. Meanwhile, in response to the serious challenges that information security risks pose to enterprises, ASEH takes risk management as the starting point and information security insurance as the back-end protection method. The insurance covers investment holding companies and affiliated companies, and is intended to help respond to and control the impact of hacking in the event of an information security incident, minimize possible information security losses to ASEH, its customers and suppliers, and allow a quick resumption of normal business operations.
In the event of a cyber-attack, the information security management team will immediately trigger the exchange of technical information and synchronize updates and responses through an extensive information sharing network. All ASEH employees participate in the company’s annual Proprietary Information Protection (PIP) training course, which covers information security policy, the management framework and control measures. In 2021, 62,195 employees attended the PIP training course, clocking in a total of 46,547 training hours. We have also conducted social engineering email drills to strengthen employee awareness, and deployed a mechanism that integrates relevant information security areas, such as participation, education and training, abnormal incident management, confidentiality classification and antivirus/software security, into employees’ KPI performance. The wide scope of coverage across all organizational levels reduces the company’s exposure to potential penalties and legal liabilities and lessens impacts on business operations.
ASEH is committed to enhancing its information security technologies and capabilities as well as investing in the training of information security talent. In addition to focusing on the information security technologies and capabilities of the semiconductor industry and high-tech manufacturing, in 2021 ASE Technology Holding maintained close communication with government authorities and with domestic and international information security organizations and platforms, while joining SEMI to jointly develop and launch SEMI E187 - Specification for Cybersecurity of Fab Equipment, Taiwan's first semiconductor wafer equipment information security standard.
As we advance our operations into industry 4.0, our competitive edge comes from recognizing the importance of establishing a robust information security management framework that will safeguard the company’s interest and that of our business partners and stakeholders.