NANPAO Information Security Risk Management

Information Security Risk Management

Information Communication Security Management Strategy and Framework

(1) Information Communication Security Risk Management Framework

    a. Information Security Governance Organization

The company established an "Information Security Committee" in 2021 to coordinate the formulation and implementation of information security and protection-related policies. The convener of the Information Security Committee reports to the board of directors on the effectiveness of information security management and on information security issues and directions.

In order to implement the information security policy set by the Information Security Committee and ensure internal compliance with relevant information security standards, procedures and regulations, the chief executive officer serves as the convener, the top supervisor of the information unit concurrently serves as the chief information security officer and executive secretary, and the top supervisor of each functional unit serves as a committee member. The committee convenes at least one meeting every year, and may convene at any time as needed, to review and decide on information security and information protection guidelines and policies and to evaluate the effectiveness of information security management measures.


    b. Information Security Organization Structure



(2) Information Security Policy

    a. Information Security Management Strategy and Framework

In order to effectively implement information security management, the Information Security Committee uses the "information protection work promotion team", covering the Taiwan plant and overseas subsidiaries, to run a Plan-Do-Check-Act (PDCA) management cycle, review the applicability of the information security policy and protection measures, and ensure that reliability targets are met and continuously improved.

The company continues to introduce innovative information security defense technologies, integrates and internalizes information security controls into daily operating processes, systematically monitors information security, and maintains the confidentiality, integrity and availability of important assets, so that information systems and equipment networks remain secure and operations continue without interruption.


    b. Specific Management Plan

<Multilayer Information Security Protection>

The company has established an "information security protection map" and actively strengthens information security through the introduction of next-generation firewalls, intrusion prevention systems, malicious mail filtering, operating system updates, anti-virus software deployment, confidential file encryption, endpoint device connection control and other security defense mechanisms. It has established a layered network blocking mechanism and separates network services into independent segments according to their use, to prevent an external network attack from intruding into the company's interior and causing overall harm.


Information Security Protection Map



<Review and Continuous Improvement>

Through the internal risk management mechanism, the company assesses the risks related to its information systems and regularly reports risk control and improvement status at the operation management meeting, in order to control and reduce the related network risks.

Every year the company conducts various simulation tests in the computer room and regular emergency response exercises, so that information systems can resume normal operation in the shortest possible time when they are attacked. In addition to raising colleagues' information security awareness through various information security education and training courses, it also sends irregular e-mails promoting information security risks and information security knowledge, to reduce the risk of employees clicking on malicious e-mails by mistake.


    c. Investment of Resources in Information Security Management

The company is committed to continuously promoting the implementation of information security management. In 2021 it purchased information equipment and invested relevant manpower, and it plans to complete ISO 27001 certification in June 2022.


  • The establishment and implementation of the 2021 information security risk management framework have been reported to the board of directors on December 22, 2021.