Data Privacy and Security

1. Control access and permissions to information systems based on usage responsibilities
2. Clarify the duties and responsibilities of administrators, users, and system administrators, as well as user etiquette when using the information system
3. Ensure that network devices are properly configured for the area and physical environment, and are authorized by the administrator
4. Specify the method for exchanging confidential information. Data must be encrypted to ensure security
5. Install server equipment in appropriate areas and grant only the relevant personnel rights
6. Set up the necessary equipment to effectively and efficiently prevent system interruptions. Thus, the system can be restored within a reasonable duration.
7. Create a system for recording usage history, a work status notification system, and an operating manual to help relevant personnel to operate and maintain related equipment efficiently

Besides, the company provides knowledge and understanding evaluations in accordance with information system and communication network usage policies, as well as network security practices. Every new employee will receive orientation training, which will cover topics such as information system utilization and cyber security.

1. The administrator verifies the security settings of the firewall device after each firmware update, and records the results in the firewall firmware update control registry.
2. Every time a new patch is updated, the administrator generates a written report that records the results of patch installation tests on critical systems such as operating systems, application systems, database systems, and network devices.
3. Administrators check the availability of network devices daily, inspect resource areas on the system, and report server status on a monthly basis.

1. The company specifies how to properly use storage media for data security. If connected to a computer, the device should be checked before each usage.
2. If any irregularities are found or if viruses, malware, spamware, or ransomware are found, the employees should notify the information department as soon as possible.
3. Prohibit the dissemination or disclosure of company information in order to prevent its use externally to business.

1. The company requires penetration testing to evaluate and improve the quality of the security system by identifying and resolving errors and problems that occur. Testing is critical for security protection because it ensures that the system is accurate, complete, effective, and ready for application, as well as promoting confidence in users.
2. The company has created emergency plans for critical systems that support ongoing business operations, virus attacks, and network threat threats.
3. Testing the Plan: On an annual basis, some or all of the plan is tested to ensure that the organization is prepared and capable of restoring critical business operations within the specified period of time. For organizations with critical operations, the plan is examined annually using simulated scenarios, which are to ensure that the loss of key factors is tested every two years. Any errors in the plan examination shall be addressed within three months of the test date. If the follow-up cannot be completed within the specified timeframe, the DRP Response Team shall collaborate together to find solutions as soon as possible. The plan is reviewed and the cyber incident response process is enhanced at least once a year.

The company's Information system performance in 2024

Self-assessment based on the Cobit Framework guidelines

100% of IT infrastructure is certified according to international IT standards

There are no complaints regarding data security or cyberattacks.

Non affected or damaged by cyberattacks