Information Security Management
Information Security Policy, Organization and Targets
Rapid adoption of digital technologies at ASEH is driving an increased need to strengthen the protection of information assets. To that end, ASEH’s Information Security Policy is designed to safeguard the confidentiality and maintain the integrity and availability of all information assets in accordance with applicable laws and regulations, thereby increasing customer confidence, raising the company’s competitiveness and preventing operational disruptions. Information security risks are assessed in accordance with applicable laws, regulations and operational objectives, and reported to senior management and the Board of Directors on a regular basis to help set guidelines, strategies and targets.
The Information Security Management Committee, responsible for overall information security across all subsidiaries, was established by the CSC (Corporate Sustainability Committee) to develop strategic plans, establish benchmarks for information security maturity assessments and coordinate all internal and external technical resources and information. Richard H.P. Chang, Vice Chairman of ASEH has been appointed the chair of the committee. The committee’s Chief Information Security Officer assumes responsibility for the establishment of the information security management framework that includes regular reviews with all ASEH subsidiaries and implementing incident response plans. The committee provides a status report to the Board of Directors in the last quarter of each fiscal year.
As our business continues to grow, the amount of information generated has also increased exponentially. Safeguarding the confidentiality, integrity and availability of information forms the cornerstone of ASEH’s information security management. Besides identifying internal and external information security risks and formulating countermeasures, we implemented the NIST CSF maturity assessment in all facilities in 2019. Our cybersecurity policies are formulated to ensure the highest level of network and system protection and to mitigate the impact of any disruption. At the same time, education and training are actively conducted to enhance employee awareness of the importance of information security and to prevent major data breaches. Building resilience through a robust information security management system is key to corporate sustainability and will greatly boost stakeholder satisfaction.
For more details, please refer to the ASEH Information Security Policy.
Information Security Assessment and Maturity
As a multinational company with leading-edge IC assembly, testing and material technologies, it is critical for ASEH to adopt a highly integrative, compatible and flexible information security maturity assessment model. In 2019, ASEH, working with external consultants, formally adopted the NIST CSF maturity assessment tool, with the first year’s target of benchmarking against semiconductor industry standards. The target for 2020 was set to refine and enhance various information security requirements. ASEH and its facilities tailor the improvements to their own information security systems according to the results and recommendations from the maturity assessments. ASEH takes a step further by adjusting its resources and guidance based on a study of the information security risks of different regions, countries and operations. The NIST CSF combines industry standards and best practices to create a management framework for organizations to manage their cybersecurity risks. The framework applies five key functions (identify, protect, detect, respond and recover) to assess an organization’s information security maturity, with the purpose of establishing an information security management cycle through comprehensive cybersecurity planning and the execution of regular improvement plans.
ASEH adopts internationally recognized information security standards to continuously evaluate and improve workflows and management measures. ASE Kaohsiung, ASE ChungLi, SPIL and Universal Scientific Industrial have each obtained ISO 27001 certification for their ISMS (information security management systems). ASE Kaohsiung and SPIL have also subsequently obtained ISO 22301 certification for their BCMS (business continuity management system) to strengthen crisis management and disaster response. ASEH will continue to adopt efficient, risk-based and systematic approaches to build a comprehensive information security management system.
Information Security Implementation and Safeguards
As part of the company’s business continuity management, ASEH conducts two disaster recovery drills per year to ensure that the organization can effectively respond to an actual disaster and minimize the impact on business operations. The elements of the drill plan include the drill organization chart, scope, timing, critical information systems, participating departments, participating personnel and roles, recovery personnel, steps and procedures, resources, risk management, and post-mortem. Drill plans prepare the company to respond promptly to emergencies and restore information systems to normal or acceptable levels, ensuring the effectiveness of the recovery mechanism. ASEH has had no major information security incidents in the past three years. Besides formulating relevant procedures for the timely reporting and handling of information security incidents and for limiting the scope of damage, we commissioned a third-party auditor to conduct annual audits and reviews of our information security performance. The audits help to ensure that the company’s information systems and network environment are compliant with the information security management standards. The strict enforcement of information security and privacy policies provides an effective layer of security to safeguard trade secrets and protect customer data. In the event of a cyber-attack, the information security management team will immediately trigger the exchange of technical information and synchronize updates and responses through an extensive information sharing network.
All ASEH employees participate in the company’s annual Proprietary Information Protection (PIP) training course, which covers information security policy, the management framework and control measures. In 2020, 44,419 employees attended the PIP training course for a total of 32,568 training hours. We have also conducted social engineering email drills to strengthen employee awareness and deployed a mechanism that integrates relevant information security areas such as participation, education and training, abnormal incident management, confidentiality classification and antivirus/software security into employees’ KPI performance. The wide scope of coverage across all organizational levels reduces the company’s exposure to potential penalties and legal liabilities and lessens impacts on business operations.
ASEH is committed to enhancing its information security technologies and capabilities as well as investing in the training of information security talent. Over the course of 2020, we maintained close communication with government agencies and local/international information security organizations to keep up with the latest trends, regulations and standards in order to strengthen and improve our information security management. As we advance our operations into Industry 4.0, our competitive edge comes from recognizing the importance of establishing a robust information security management framework that will safeguard the interests of the company and those of our business partners and stakeholders.