Information Security Management Policy
AOT is committed to safeguarding the confidentiality, integrity, availability, and legality of its information assets. Understanding that robust information security is vital to maintaining a competitive advantage and ensuring organizational longevity, AOT is dedicated to implementing and maintaining effective information security management practices. This includes continuously enhancing our capabilities to protect sensitive information, increasing employee awareness, and fostering vigilance concerning information security. We strive to prevent unauthorized use, disclosure, alteration, or loss of information due to human error, deliberate sabotage, or natural disasters. Our goal is to protect the interests of the company, its shareholders, employees, customers, and suppliers.
Information Security Management Objectives
- Conduct Annual Information Security Training: Facilitate comprehensive information security training sessions at least once per year and periodically disseminate and promote information security updates to reinforce employee awareness and accountability regarding information security responsibilities.
- Perform Annual Internal Audits: Execute internal audits of information security protocols annually to ensure adherence to established security practices and verify effective implementation.
- Implement Annual Disaster Recovery Drills: Conduct disaster recovery exercises annually to ensure familiarity with recovery procedures and mitigate potential operational disruptions.
- Ensure High System Availability: Ensure that critical operational systems achieve an availability rate of at least 99.7% per year, measured excluding planned maintenance windows.
- Prevent Data Leakage Incidents: Maintain zero incidents involving the leakage of critical business data, to safeguard the interests of the company, its clients, and its stakeholders.
Information Security Risk Management Framework
- The dedicated information security team is tasked with the oversight and execution of the company’s information security policies, the promotion of information security awareness, and the enhancement of employee understanding regarding security responsibilities. This team is responsible for regularly reporting information security outcomes to the Chief Information Security Officer (CISO) and the General Manager. Furthermore, the CISO will deliver an annual report to the Board of Directors on information security governance matters, including the evaluation and verification of the effectiveness of internal controls over information operations. This framework aims to ensure the confidentiality, integrity, and availability of information by establishing a “Continuous Improvement of Information Security Resilience” management structure to mitigate risks associated with unauthorized access, damage, or leakage.
- To advance ESG (Environmental, Social, and Governance) sustainability, comply with regulatory requirements and corporate governance assessments, and enhance enterprise information risk management and data protection, the company is committed to investing in the upgrading and implementation of information security technologies and solutions. This includes the ongoing integration of ISO/IEC 27001:2022 Information Security Management System standards to bolster organizational resilience, minimize operational risks, and fortify corporate reputation and competitive edge.
Information Security Risk Control
- Evolving Cyber Threats: With the constant evolution of cyberattack techniques, information systems face significant challenges in fully mitigating disruptive attacks from external parties. These attacks may involve methods such as phishing emails, spear-phishing, brute-force attacks, and the deployment of malicious software within the company’s internal network to cause damage or data theft. Destructive attacks could lead to interruptions in production and operations, while data theft attacks may result in the exposure of critical operational data or personal information of employees and customers. The company is proactively planning and implementing information security measures, continuously improving the security environment and infrastructure to mitigate information security risks.
- Management Framework: The management framework is built on Zero Trust Architecture principles and encompasses policies and procedures across the following domains: organizational responsibilities, asset management, access control, physical security, personnel security, document management, communications and operations management, system development and maintenance, business continuity management, incident management, and regulatory compliance.
- Technical Measures: Implementing a suite of technical controls, including network firewalls, backup and redundancy systems, antivirus software, regular operating system patching, email security systems, virtual private network (VPN) management, security monitoring systems, and vulnerability scanning tools.
- Audit and Testing: Conducting a comprehensive audit of the company’s information security management system in the first half of each year, and scheduling emergency response and disaster recovery drills in the second half. Annual reviews assess information security operations, risk controls, and incident remediation efforts in order to manage and reduce information security risks.