To ensure that proprietary company information, related trade secrets, and personal data are properly protected, and to continue strengthening information security, information operations must comply with domestic, foreign, and international laws and regulations as well as international information security standards.

GUC ISO 27001 Certification


Information Security Management Framework

Proprietary Information Protection Committee:
Composed of representatives of all departments, and responsible for discussing, establishing, auditing, and promoting the company's proprietary information control operations. Quarterly meetings are held to discuss and promote related operations, including:

  • Quarterly inspections to ensure the implementation of confidential information protection measures
  • Guidance on information security concepts and compliance matters through daily work and various occasions
  • Employee education and training to improve information security awareness and ability. In addition to a required training course on proprietary information control for new recruits, all employees must undergo annual retraining in order to continuously strengthen and enhance their awareness of information security.


Personal Data Protection Committee:

In order to enable the company to protect and manage personal data, reduce operational risks, and comply with relevant international data protection regulations, a data protection committee was established to actively promote operations related to data protection, including:

  • Formulating protection measures and implementing actions
  • Evaluating data risks and establishing management mechanisms
  • Establishing incident prevention, notification, and response measures
  • Advocating for awareness and completing training
  • Establishing audit mechanisms to supervise and continuously improve data protection


GUC Organization Chart:

Board > CEO >
  1. Proprietary Information Protection Committee > Senior VP+ and department representatives
  2. Personal Data Protection Committee > Senior VP+ and Legal/HR/Audit/IT representatives


Information Security Protection

Our information security protection measures include the following:


Type: Account and password protection
Description: Stronger personal passwords and mandatory changes to protect account security and avoid misappropriation
Mechanisms:
  • Mandatory password quality
  • Regular password change
  • Two-factor authentication

Type: Personnel account permission management
Description: Effective control over user accounts and permissions, removing unnecessary accounts and authorizations, and regularly reviewing related system usage permissions
Mechanisms:
  • Automatic daily checks for abnormal accounts
  • Regular review of account permissions
  • Regular review of system usage permissions

Type: Access control
Description: Access to related information systems is controlled, and usage records are effectively recorded and reviewed
Mechanisms:
  • Regular review of access records
  • Regular review of remote access records

Type: Network control
Description: Preventing invalid access and controlling access to prevent interactive attacks/infections
Mechanisms:
  • Equipment network control
  • Network partition and parallel access control

Type: Vulnerability prevention
Description: Identifying potential system weaknesses and vulnerabilities and adopting prevention and response measures
Mechanisms:
  • Regular system vulnerability scans and updates
  • Regular anti-virus scans
  • Email sandboxes and isolation of phishing emails
  • A decoy system linked to the internal firewall
  • Instant identification of possible intruders

Type: System availability
Description: Ensuring system availability and reliability, and reducing abnormal interruptions and their impact on the company
Mechanisms:
  • Regular system exception drills
  • Strong system backups

Type: Leak prevention
Description: Preventing leakage of proprietary information
Mechanisms:
  • Regular review of outgoing emails
  • Usage record reviews for high-risk personnel
  • Irregular spot-checks of proprietary information checking mechanisms


Internal management and IT systems to protect proprietary information:

Hacking ➔ WAN

  • Regular vulnerability scans and intrusion detection systems
  • Multiple intranet firewalls
  • Switch port isolation
  • Reverse phishing bait system
  • Email sandbox

Unauthorized External Computer ➔ LAN

  • The system actively blocks unauthorized devices from accessing the intranet

Server

  • Mandatory passwords and two-factor authentication to prevent unauthorized access
  • Regular review of permission and access records to ensure the validity of account permissions

End Point

  • Mobile storage media actively blocked from accessing company computers
  • Company computers use hardware locks to prevent private HDD access
  • The Portable Router system automatically blocks company computers from connecting to non-company network routers

Information Security Incident Notification Procedure:

Disclosure and handling of information security incidents are carried out in compliance with the following procedures.

  1. Information security incidents are reported to committee members or to the complaint box, either directly by members of the Proprietary Information Protection Committee or by colleagues who discover them

  2. An investigation team composed of members of the Confidential Information Protection Committee and the personnel department investigates and confirms violations, and issues improvement measures and violation handling reports

  3. The investigation team follows up with and checks on the parties involved to ensure the situation is improved, and requests that their supervisor fulfill their responsibility of supervision.

  4. Discipline is exercised as necessary after approval by the responsible supervisor

  5. Violation records are reported to the Proprietary Information Protection Committee

  6. If the circumstances are serious, affecting the company’s competitiveness or financial status, immediate measures must be taken to minimize the damage