Information Security Management

Information Security Management Framework

Information Security Organizational Structure

Inventec's information security organization is led by the Chief Information Security Officer, who oversees the information security management departments at headquarters and at each factory. Responsibilities within the organization are assigned as follows.

  • Chief Information Security Officer: Responsible for promoting information security policies and allocating resources; reports to the President.

  • Head of the Information Security Department at Headquarters: Responsible for planning and managing the group's information security system; reports to the Chief Information Security Officer.

  • Staff of the Information Security Department at Headquarters: Responsible for executing, protecting and monitoring the group's information security operations.

  • Head of the Information Security Department at each Site: Responsible for planning and managing the site's information security system; reports to the Chief Information Security Officer.

  • Staff of the Information Security Department at each Site: Responsible for executing, protecting and monitoring information security operations at the site.

2023 Information Security Status

  • Goal: Mitigate the impact of unexpected events on the Company's operations by conducting Business Continuity Planning (BCP) drills.
    2023 achievement: Conducted 11 drills.

  • Goal: Enhance the capability to respond to information security incidents by planning security incident reporting drills.
    2023 achievement: Conducted 1 drill.

  • Goal: Conduct vulnerability scanning on the Company's critical hosts quarterly.
    2023 achievement: 100% of high-risk vulnerabilities found on critical hosts were patched.

  • Goal: Issue an incident ticket for resolution whenever the number of computers with detected virus infections exceeds 30.
    2023 achievement: No instance in which a required ticket was not issued.

Information Security Management Measures

Information security management and audit mechanism
  • Inventec has formulated its information security policy in accordance with the ISO 27001 international information security management standard. Taking local regulations and business norms into account, each factory follows the information security policy and sets its own goals to ensure that customers' information security requirements are met.

  • Based on these information security goals, each unit carries out the relevant management measures. The information security policy and the suitability of the goals are reviewed annually to ensure that the company's systems and network operations achieve confidentiality, integrity and availability.

  • Pursuant to the "Annual Internal Audit Plan" approved by the Board of Directors, Inventec conducts information security audit projects on a regular basis to oversee the risk assessment and planning of the Information Security Management System (ISMS) as well as the implementation of the information security policy. The audit results are reported to the Board of Directors.

Strengthening employee awareness of information security
  • Every year, all colleagues are required to sign the acknowledgement form of the "Employee Code of Conduct", which includes information security protection measures. Information security announcements are issued in a timely manner to remind employees to be vigilant about information security risks.

  • Information security training sessions are held regularly to communicate updates to Inventec's information security management regulations, cultivate a strong sense of information security among employees, and ensure full compliance with the relevant information security regulations.

  • Information security education and training are conducted for general employees, presenting the latest information security cases and topical information to improve their information security literacy.

Cyber security
  • Adopting next-generation firewalls to reinforce the network boundary and safeguard against external threats.

  • Establishing a dual-layer defense architecture that segments the network into production lines, client endpoints, and data center servers, increasing the depth of security protection.

  • Deploying Network Access Control (NAC) to manage access, identify internal devices and check their security compliance before they are allowed to connect to the intranet.

  • Introducing a bastion host (jump host) as the single, unified entry point for connections to servers, reducing the risk of infiltration.

Information security
  • Establishing a document confidentiality classification system and strengthening the access control mechanism for personal data.

  • Using encryption software to protect confidential data and reduce the risk of leakage.

  • Performing system backups on a regular basis to minimize the cost of data loss.

Information security monitoring
  • Introducing an Advanced Persistent Threat (APT) protection scheme to enhance APT attack protection and monitoring, safeguarding Inventec’s information security against malware and hacker attacks.

  • Monitoring virus detections in all factories across the globe, carrying out the necessary protective measures and virus containment, tracing how the computers in each area came into contact with the virus, and confirming that the viruses have been eradicated.

Endpoint security
  • All computers within the domain are required to install antivirus software, with weekly antivirus scans scheduled.

  • Remote connections require two-factor authentication, and computer connections within the domain are restricted.

  • Email protection mechanism is activated to filter out malicious attachments and phishing links, preventing social engineering attacks by hackers.

  • Employees are required to use legitimately licensed software to avoid causing harm to the company.

Information security drills and tests
  • Performing data backup and restoration drills on a regular basis to validate the effectiveness of the backup mechanism.

  • In order to ensure uninterrupted operations, we conduct drills for abnormal system operations, cyber attacks, virus infections, data center fires, and other information security incidents, aiming to minimize losses caused by accidents.

Indicator measurement and rating
  • We are audited annually on information security by our customers, by internal auditors and by external third parties.

  • The inspection follows the ISO 27001 information security framework and its control items, covering all 14 control categories of the standard's Annex A.

Awareness Training and Advocacy

Through the information security section on our internal website, we announce and promote information security policies. We also distribute timely email security announcements to remind colleagues of information security risks. Each year, employees are required to sign the "Employee Code of Conduct", which includes provisions for information security compliance. We regularly plan different educational training and promotional content for various audiences, aiming to improve the information security awareness of both our employees and our suppliers. In addition, we hold periodic social engineering drills to sharpen colleagues' awareness of information security. Colleagues who do not pass the tests are retrained and retested. In 2023, a total of 15 social engineering drills were conducted, with 38,216 emails sent out. The pass rate for the tests was 97%.

Obtaining Third-Party Certification

Inventec strives to promote ISO 27001 international information security certification. Through the audit and verification of external third-party organizations, Inventec's information security operating procedures and specifications are validated to meet international standards and customers' expectations. Currently, we have obtained ISO 27001 Information Security Management Standard certificates for our headquarters in Shilin, the Taoyuan factory, the Shanghai Pudong factory, the Chongqing factory, the Czech factory, and the Mexico factory. For more details, please refer to Certifications and Certificates.

Security Testing

Every year, Inventec undergoes information security audits by customers, internal self-inspections, and external third parties. These audits are conducted in accordance with information security frameworks and controls such as ISO 27001. In 2023, a third-party information security testing platform performed threat detection and vulnerability detection against Inventec, resulting in a score of 90.

Incident Response Process

Information Security Incidents

Item                                                                                 2023   2022   2021
Infringement of customer privacy or loss of customer information (number of cases)      0      0      0
Significant information security incidents and losses (amount)                          0      0      0