Information Security
Information Security Organization
SAS established its Information Security Committee in March 2023. The committee is composed of the highest-ranking information or information security officers from the company’s subsidiaries. Since its inception, the committee has convened biannually, but starting from December 2024, meetings will be held quarterly. The committee aims to coordinate the formulation, implementation, risk management, and compliance of policies related to information security.
To integrate information security management policies and risk management into daily operations, SAS also requires each subsidiary within the group to establish its own Information Security Task Force. Members of these task forces are representatives from various departments, who discuss and communicate information security matters relevant to their departmental operations during meetings. They are responsible for implementing the information security policies and practices set forth by the Information Security Committee.
Additionally, SAS incorporates information security into performance evaluations. The Information Security Office at SAS headquarters tracks the performance indicators of information security implementation at all group locations on a monthly basis. Based on operational needs, it provides information security goals, improvement guidelines, and necessary resource support to help achieve the group’s overall information security objectives. Departments are also required to implement the resolutions of the Information Security Committee, share experiences in improving information security, establish a group-wide joint defense mechanism, and enhance the overall information security framework.
Information Security Governance and Continuous Improvement
SAS has established an information security policy and information security management procedures, utilizing the PDCA (Plan, Do, Check, Act) cycle to ensure the achievement of established goals and continuous improvement.




Security Testing: Security testing is regularly implemented, including host vulnerability scanning and system updates.
Data Protection Measures: Regular backups and proper storage, management of external information storage media, minimization of access privileges, account and password complexity restrictions, etc.
Personnel Management: Regular training for employees, periodic information security awareness campaigns, supplier access management, and regular social engineering drills.
Network Security Protection: Firewall rule reviews, secure remote connections, real-time monitoring of traffic and anomalies, and regular operational continuity drills.
Information security knowledge and awareness training
✓ In 2024, the information security personnel completed 40 hours of professional training courses.
✓ All employees have received regular information security awareness courses.
✓ SAS has joined the Taiwan Cyber Risk Management and Coordination Center (TWCERT/CC) and the Taiwan Science Park Information Security Information Sharing and Analysis Center (SP-ISAC) to exchange information on emerging information security trends and current affairs, such as DDoS attacks, ransomware, social media engineering software, website citations, and loopholes.
✓ Through annual exchanges with renowned cybersecurity vendors and project-based collaborations, SAS focuses on cybersecurity issues and plans response strategies. The company conducts DDoS and APT attack-defense drills for different cybersecurity scenarios to enhance the response capabilities of its personnel, aiming for immediate detection and blocking of threats.
ISO 27001 Certification
SAS implements an information security management system (ISMS, ISO 27001). We actively work to improve the performance of the ISMS and to ensure the effectiveness of the management system.
