Information Security

The Company established an Information Security Committee staffed by 5 information security personnel; the Committee holds quarterly information security meetings and an annual information security management review meeting. The President serves as the management representative for information security, regularly reporting the performance of the Company's information security management system to the highest level of management and reviewing the Company's information security policies and objectives.

The Company issued its "Information Security Policy", which sets out the rules employees must abide by and strictly enforces information security and customer-privacy measures so that neither the Company's trade secrets nor customer information is leaked. The Company has also maintained ISO 27001 certification to ensure the confidentiality, integrity, and availability of its information assets. There were no major cybersecurity incidents at the Company in 2024, and none resulted in the loss of customer or related information.

Information Security Policies and Emergency Response Mechanisms

To maintain the confidentiality, integrity, and availability of Phison's assets and to protect users' information privacy, our information security policies clearly stipulate that employees shall avoid unauthorized access and modification, respect intellectual property rights, and protect the information of customers and the Company. Anyone who discovers an information security incident or a suspected security weakness should report it to the Information Department through our reporting mechanism; Information Department personnel will then conduct a proper investigation and handle the matter appropriately.
All Phison personnel are responsible for following our Information Security Policies. Personnel who violate these policies face civil, criminal, or administrative liability according to the severity of the violation, or penalties under the relevant rules. The policies are also integrated into the Company's employee performance evaluation, which reduces the number of employees penalized or held legally liable for information security violations and lowers the Company's overall information security risk.

Reporting Procedures for Suspicious Information Security Risks

In accordance with ISO 27001 certification guidelines, the Company conducts an annual internal audit, followed by an external audit performed by a third-party certification body. No major deficiencies have been found in recent years. Every year the Company conducts recovery drills on its important core systems to test the effectiveness of their recovery procedures, ensuring that the Company's systems can continue to operate even when subjected to natural disasters or malicious attacks. The Company also performs regular vulnerability scanning and uses a third-party security risk analysis platform to detect vulnerabilities in its externally facing service sites, continually improving and strengthening its information security protection. The ratings have all been maintained at level A (90 points and above). In addition, the Company joined the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC) information security alliance and uses the security advisories distributed by TWCERT/CC to strengthen its defenses: each piece of internal equipment is examined, systems are updated, and vulnerabilities are fixed.

Information Security Education Training

The Information Technology Division coordinates the planning of the Company's internal information security education and training and issues quarterly information security announcements and awareness campaigns to raise colleagues' information security awareness. In 2024, the Information Technology Division's security notification topics included deepfake technology scams, the prohibition on photographing or capturing sensitive company data, social engineering drills, and anti-fraud awareness. The 2024 information security education and training covered an introduction to information security, information security incident reporting channels, information security threats and prevention, personnel information security guidelines, and social engineering attack prevention awareness (total employee training hours were 4,842 hours), with 100% of all employees completing the information security courses.

Information Security Risk Management Plan