Information Security Management
Information security and privacy controls have become an essential part of business. Ennostar and all subsidiaries have formulated information security policies to protect client privacy as part of our responsibilities and to prevent unauthorized use of computer systems, in accordance with the “Regulations for Protection and Management of Personal Information.” Users in all departments are required to apply for user codes and applications, and obtain formal access to computer systems only after approval by their unit managers and the information technology office managers. Personnel not involved in the relevant operations cannot obtain customer information. Our parent company has established a dedicated information security management department responsible for information security maintenance, information security frameworks, information security policies, and other information security projects and review procedures, leading our subsidiaries in the joint realization of Ennostar's information security goals. We have also established an “Information Security Committee” under the ESG Committee to oversee the information security systems of our parent company and subsidiaries; the Committee meets stakeholder requirements and expectations for information security through regular identification of external information security management risks.
We received no complaints relating to infringement of client privacy rights or client information losses in 2022.
Information Security Management Framework
We established an “Information Security Management and Review Committee” to review all information security implementation strategies, goals, and performance; to raise information security goals and management levels; and to provide clear stipulations of information security policies and related regulations. To align with legal regulations, technical needs, stakeholder expectations, and operational strategies, all employees are required to undergo information security training, comply with the “Regulations for Information Classification, Protection, and Management,” and fulfill their duty of care as good-faith managers.
We have also established an “Information Security Execution Team” to disseminate information security concepts throughout the Group, and to run regular drills and the information classification system used for incident management. We conduct annual drills based on ransomware scenarios to strengthen employee understanding of incident response and to speed up decision-making and notification procedures during incidents.
Information Protection Processes and Verifications
To ensure information security, achieve the quality expected by our customers, and protect customer privacy, the Group adhered to ISO 27001 requirements in formulating its corporate information protection and management processes. Ennostar obtained ISO 27001 Information Security System verification in 2022 and established information security procedures that comply with international standards. Our subsidiary EPISTAR obtained ISO 27001 Information Security System verification in 2010, and our subsidiaries Lextar and Unikorn plan to obtain verification in 2023. We expect these international verifications to reduce corporate information security threats, establish the highest standards for the protection of confidential information, and constitute the most rigorous information security system for protecting customer intellectual property rights, process parameters, and other confidential information.
To reduce the likelihood and impact of risk incidents, the Group actively implements management systems and risk response measures. In addition to incorporating third-party information security risk assessments, we conduct routine inventories of information assets, account checks, and internal audits each year, and convene information security management and review meetings attended by our president and managers from the relevant units. EPISTAR and Lextar also conduct business continuity drills once every year. At present, all Group subsidiaries have received A ratings on third-party risk assessments, exceeding the industry average.
Information Security Verification Framework
Information Security Training
- Dedicated information security personnel are required to undergo more than 14 hours of information security education and training each year.
- All new employees are required to complete corporate information security training before they can apply for access to external networks, ensuring that our colleagues clearly understand our information security policies.
- We conduct unscheduled phishing email information security drills for all Group employees each year; colleagues who are taken in by the simulated phishing emails are required to attend phishing courses and pass the course exams, reducing the impact of virus attacks and confidential information leakage on the Group and on other colleagues. The training attendance rate for 2022 was 100%.