Information Security

Phison has issued an Information Security Policy and has consistently maintained ISO 27001 certification to ensure the confidentiality, integrity, and availability of its information assets. The Company will continue to strengthen all-round information security protection, from the personal to the organizational level. The Company received no complaints of customer data leaks or privacy violations in 2021.

Information Security Committee

In 2017, Phison Electronics established the Information Security Committee. The President serves as the Company's information security management representative, regularly reports the performance of the information security management system to top management, and reviews the Company's information security policies and objectives. An information security response team, with members drawn from various departments, was established under the committee. Committee members are required to attend regular information security response training; they are responsible for planning information security crisis response procedures and for convening the relevant personnel to conduct planned drills.

Information Security Committee Structure

Information Security Policies and Emergency Response Mechanisms

To maintain the confidentiality, integrity, and availability of Phison's assets and to protect users' information privacy, our information security policies clearly stipulate that employees shall not access or modify information without authorization, shall respect intellectual property rights, and shall protect the information of customers and the Company. Anyone who discovers an information security incident or a suspected security weakness should report it to the Information Department through our reporting mechanism; Information Department personnel will then investigate and handle the matter appropriately.
All Phison personnel are responsible for complying with our Information Security Policies. Personnel who violate these policies may face civil, criminal, or administrative liability according to the severity of the violation, or penalties under the relevant rules. Compliance with the policies is also integrated into the Company's employee performance evaluation, which reduces both the number of employees penalized or held legally liable for information security violations and the Company's overall information security risk.

Reporting procedures for suspicious information security risks

In accordance with ISO 27001 certification requirements, the Company conducts annual internal audits as well as external audits performed by third-party certification bodies; no major findings have been raised in recent years. We also run information system recovery drills to test the effectiveness of our recovery procedures and to ensure that the Company's systems can continue to operate in the event of natural disasters or malicious attacks. The Company also scans for vulnerabilities frequently. We formally introduced the Security Scorecard information security rating system in August 2019 and, through continuous upgrades and enhancements, achieved an A rating (a score of 90 or above) in 2020.

Information Security Education Training

The Information Department at Phison Electronics organizes the Company's internal information security education and training, issuing quarterly information security announcements and holding training sessions to raise the information security awareness of all Phison personnel. The 2020 Information Security Notices issued by the Information Department covered the prevention of business email compromise (BEC) scams, the prevention of and response to personal data leaks, and the avoidance of phishing sites and email viruses. This year's information security education and training comprised 44 information security-related courses covering topics such as the importance of and responsibility for information security, information security incident reporting channels, analysis of information security trends and threats, domestic and foreign case studies, an overview of the Computer-Processed Personal Data Protection Law, an overview of AEO information technology security, and personnel information security guidelines. A total of 541 people participated in the training, for a total of 13,199.5 training hours.