NANPAO Information Security Risk Management

Information Communication Security Management Strategy and Framework

1. Information Communication Security Risk Management Framework

(1) Information Security Governance Organization

In 2021, our company established the "Information Security Committee," which is responsible for planning and executing information operations security management, establishing and maintaining an information security management system, coordinating the formulation and implementation of information security and protection policies, and conducting risk management and compliance audits.

The Information Security Committee is chaired by the CEO, with Mr. Guo Peiyi, the Associate Manager of the Information Department, serving as the Chief Information Security Officer and Executive Secretary. The committee includes senior executives from various functional units within the company, including the Next Generation Business Division, Footwear Business Division, Coating Business Division, Operations Management Division, Financial Management Division, Research and Innovation Division, Human Resources Department, Information Department, Legal Department, and Audit Office.

Additionally, we have established the "Information Security Audit Team" and the "Information Security Execution Team," responsible for planning and auditing information security and physical security matters within the company. These teams play a leading role in the operation of the committee.

(2) Information Security Organization Structure


2. Information Security Policy

Our company's information security policy extends to both the company and its subsidiaries worldwide, guided by the following principles:

(a) Strengthen information security management to ensure the confidentiality, integrity, and availability of owned information assets.

(b) Provide an information environment that ensures the continuous operation of the company's information business.

(c) Comply with relevant regulations to protect against intentional or accidental threats from internal and external sources.

The company has implemented and established a comprehensive Information Security Management System (ISMS) that addresses system, technical, and procedural aspects to mitigate cybersecurity threats. This initiative aims to create an information security environment that aligns with customer requirements. The company consistently engages in the Plan-Do-Check-Act (PDCA) management cycle for continuous improvement.

  • Planning Phase: Emphasis is placed on information security risk management. The company introduced ISO 27001 Information Security Management System certification in 2022 to enhance information security. This certification ensures that information systems operate under standardized management practices, reducing security vulnerabilities and production abnormalities resulting from human error. Annual reviews are conducted to continuously improve the system.
  • Do Phase: The company builds a multi-layered information security protection mechanism and continuously integrates new risk management technologies to improve the efficiency of detecting and responding to information security incidents. The company also reinforces information security and network protection processes to safeguard critical assets.
  • Check Phase: Information security management indicators are monitored regularly, and an annual third-party review and audit of the management system are performed. Additionally, the company commissions a cybersecurity vendor to conduct host vulnerability scans to ensure the continual enhancement of information security management and defense capabilities.
  • Action Phase: Regular reviews and continuous improvement efforts are implemented. Violations of information security regulations and procedures by employees and contractors lead to appropriate disciplinary action. Ongoing education and training for all personnel are conducted to enhance overall awareness of information security.


3. Specific management plan

(1) Multilayer Information Security Protection

To achieve information security policies and objectives, the company has established an "Information Security Protection Map" that adopts proactive information security strengthening measures. This includes the implementation of next-generation firewalls, intrusion prevention systems, malicious email filtering, operating system updates, deployment of antivirus software, encryption of confidential documents, and endpoint device connection control as part of its security defense mechanisms.

The company has created a network segmentation mechanism by establishing a layered defense structure: network services for different purposes are isolated from one another. The security defenses are updated regularly, and operating system and application vulnerabilities are patched on a routine basis. Particular attention is given to offsite backups of critical data files, so that an external network attack that infiltrates the company's internal systems cannot cause comprehensive damage.

[Figure] Information Security Protection Map

[Figure] Multilayer Information Security Protection

(2) Review and Continuous Improvement

Through our internal risk management mechanism, we assess information system-related risks and regularly report risk control and improvement status at management meetings to control and reduce associated network risks.

Each year, we conduct information security education and training courses to enhance employees' awareness of information security. Additionally, we periodically disseminate information security policies and knowledge through email and host special topic sessions during weekly meetings to reduce the risk of employees mistakenly clicking on malicious emails. We also regularly update and patch operating systems and application vulnerabilities and ensure the proper off-site backup of important data files.

4. Allocation of Resources for Information Security Management

  • Information Security Certification: In June 2022, the company successfully obtained ISO 27001 Information Security Certification, and a follow-up review was conducted throughout 2023 with no significant security audit findings.

  • Education and Training: In 2023, all 27 new headquarters employees completed a 1-hour information security pre-employment training course. Additionally, the group conducted five social engineering phishing email tests in November, involving a total of 500 participants.

  • Security Awareness: Bi-monthly email announcements of information security policies were made. On September 27, 2023, a special seminar on "Insight into Internal Information Security Risks" was arranged during the weekly meeting to communicate important regulations and precautions regarding information security.

  • Customer Satisfaction: No complaints were received in 2023 regarding the loss of customer data.

  • The establishment and implementation of the 2023 information security risk management framework were reported to the board of directors on December 10, 2023.


Information security incident management (2023)

Total number of information security incidents: 0
Number of information security incidents affecting customers' personal information: 0
Total number of customers affected by information security incidents: 0
Total amount of fines related to information security incidents: 0
