Information Security Policy

1. Purpose
To strengthen information security management and ensure the confidentiality, integrity, and availability of the company’s information assets, thereby providing a secure information environment for continuous business operations. This policy also ensures compliance with relevant government regulations and the requirements of internal and external stakeholders, preventing any intentional or accidental threats from internal or external sources, and achieving the objectives of information security.
 
2. Scope
2.1 Applicable to security management operations for the company’s information assets, systems, and services, covering confidentiality, integrity, and availability.
2.2 Applicable to all company employees, information service providers, and third-party personnel.
2.3 The company shall maintain the effectiveness of the Information Security Management System (ISMS) and uphold a commitment to continuous improvement.
 
3. Definitions
Information Assets: Hardware, software, services, documents, and personnel required to maintain the normal operation of the company’s information business.
Confidentiality: Ensuring that only authorized users can access information.
Integrity: Ensuring the accuracy and completeness of information and its processing, without alteration or tampering.
Availability: Ensuring that authorized users can obtain information and related assets in a timely manner when needed.
Information Environment for Continuous Business Operations: Refers to the computer operating environment required to maintain the normal operation of the company’s various business activities.

Company Information Security Policy
Information Security, The Invisible Shield of Chip Design

Strengthen the company’s information security management by establishing the concept of “Information Security, The Invisible Shield of Chip Design,” ensuring the confidentiality, integrity, and availability of customer and employee data processing. The company is committed to securing all stages of data handling and providing safe, stable, and efficient information services.
 
4. Specific Policies
4.1 Access Control
4.1.1 Restrict access to information and information processing facilities.
4.1.2 Ensure authorized users can access systems and services while preventing unauthorized access.
4.1.3 Require users to be responsible for safeguarding their authentication information.
4.1.4 Prevent unauthorized access to systems and applications.
4.2 Physical and Environmental Security
4.2.1 Prevent unauthorized physical access, damage, and interference to organizational information and information processing facilities.
4.2.2 Prevent loss, damage, theft, or compromise of assets and avoid disruption of organizational operations.
4.3 Asset Management
4.3.1 Identify organizational assets and define appropriate protection responsibilities.
4.3.2 Ensure all assets are protected at an appropriate level according to their importance to the organization.
4.3.3 Prevent unauthorized disclosure, modification, removal, or destruction of information stored on media.
4.4 Data Transmission
4.4.1 Ensure traceability and non-repudiation of data transmission.
4.4.2 Maintain the reliability and availability of transmission operations.
4.4.3 Apply tamper-evident or tamper-resistant controls for physical transmission.
4.4.4 Use only approved electronic transmission media for data transfer; do not use illegal or inappropriate media for convenience.
4.4.5 Do not disclose confidential or sensitive information to other organizations or individuals through any transmission medium, including data transfer, messaging, speech, or video.
4.4.6 Internal information websites must grant appropriate access rights based on responsibilities and job requirements to control document access.
4.5 Security Configuration and Handling of Endpoint Devices
4.5.1 Distribute and retrieve user endpoint devices.
4.5.2 Control software installation on user endpoint devices.
4.5.3 Perform security updates on user endpoint devices.
4.5.4 Ensure endpoint devices are accessed through login procedures.
4.5.5 Prevent malware threats to user endpoint devices.
4.5.6 Restrict the use of personal devices.
4.6 Network Security
4.6.1 Network users, once authorized, may only access network resources within their authorized scope.
4.6.2 Properly control the computer connection lines used by network systems to reduce the risk of unauthorized system access or compromise of computer facilities.
4.6.3 Network segmentation planning must comply with internal and external network physical segregation requirements, and personal wireless devices must not compromise the security mechanisms of such segregation.
4.6.4 Unauthorized use of wireless networks and private wired devices for network connections is strictly prohibited.
4.7 Information Security Incident Management
4.7.1 Ensure consistent and effective management of information security incidents, including communication of security events and vulnerabilities.
4.7.2 Establish a comprehensive incident reporting system.
4.8 Information Backup
4.8.1 Define backup cycles, methods, and retention periods based on availability and integrity requirements, and test their effectiveness.
4.8.2 Protect backup data according to confidentiality requirements to prevent additional security incidents.
4.9 Cryptography
4.9.1 Implement encryption mechanisms based on legal requirements, customer demands, and information asset risk assessments.
4.9.2 Control key lifecycle operations, including generation, distribution, activation, storage, update, revocation, archival, and destruction.
4.10 Information Classification and Handling
4.10.1 Ensure information labeling covers all formats and related assets.
4.10.2 Ensure personnel and relevant stakeholders are aware of labeling requirements.
4.10.3 Provide necessary awareness training to ensure proper labeling and handling of information.
4.11 Technical Vulnerability Management
4.11.1 Define and establish roles and responsibilities related to technical vulnerability management.
4.11.2 Detect vulnerabilities in information assets.
4.11.3 Manage software updates to ensure all authorized software is patched and updated with approved versions.
4.11.4 Use vulnerability scanning tools appropriate for the technologies in use to identify vulnerabilities and verify the success of vulnerability remediation.
 
5. Statement of Applicability
In accordance with the requirements of the ISO/IEC 27001 Information Security Management System standard, the company shall produce a written Statement of Applicability listing whether each control measure specified in the standard applies to the organization’s information assets, along with the reasons for any exclusions. When the organizational structure, personnel, equipment, or physical environment changes, the Information Security Management Committee shall redefine the applicability of the control measures.
 
6. Implementation
This policy shall be implemented upon approval by the Chairperson and shall follow the same procedure for any revisions.