Information Security

The Company established the Information Security Committee with 3 information security personnel, held quarterly information security meetings, and held an information security management review meeting every year. The President serves as the representative of information security management, regularly reporting the Company's information security system performance to the highest level of management and reviewing the Company's information security policies and goals.

In 2017, the Company issued its “Information Security Policy”, which specifies rules for employees to abide by, strictly implementing information security policies and measures to protect customer privacy and ensure that the Company’s trade secrets and customer information are not leaked. The Company has also consistently received ISO 27001 certification to ensure the confidentiality, integrity, and availability of information assets. In addition, the Company continues to require all departments to complete the annual "personal data protection risk self-assessment" and submit the assessment results to the Risk Management Committee. The Company received no complaints of customer data leaks or privacy violations in 2022.

The Company issued its “Information Security Policy” and formulated the "Information Security Management and Control Operation Procedures", consistently receiving ISO 27001 certification to ensure the confidentiality, integrity, and availability of information assets. The Company shall continue to strengthen all-round information security protection, from the personal to the organizational level. The Company received no complaints of customer data leaks or privacy violations in 2021. The Company successfully joined the TWCERT Information Security Alliance in July 2022. Since then, we have received information security notifications from the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC) from time to time to strengthen information protection, and have used them to review internal devices, apply system updates, or patch vulnerabilities.

Information Security Policies and Emergency Response Mechanisms

To maintain the confidentiality, integrity, and availability of Phison's assets and protect users' information privacy, we clearly stipulate in our information security policies that employees shall avoid unauthorized access and modifications while respecting intellectual property rights and protecting the information of customers and the Company. Anyone who discovers an information security incident or a suspected security weakness should report it to the Information Department through our reporting mechanism, at which point Information Department personnel will conduct a proper investigation and handle the matter appropriately.
It is the responsibility of all Phison personnel to follow our Information Security Policies. Company personnel who violate our information security policies shall face civil, criminal, or administrative liability according to the severity of the violation, or penalties according to the relevant rules. The policies are also integrated with the Company's employee performance evaluation to reduce instances of employees being penalized or facing legal liability due to information security violations, and to reduce the Company's information security risks.

Reporting Procedures for Suspicious Information Security Risks

In accordance with ISO 27001 certification guidelines, the Company conducts an annual internal audit, followed by an external audit conducted by a third-party certification body. No major deficiencies have been found in recent years. We also perform information system recovery drills to test the effectiveness of our information system recovery procedures and to ensure that the Company's systems can continue to operate even when subject to natural disasters or malicious attacks. In 2022, the Company expanded the scope of ISO 27001 certification to further cover the supply chain management platform, the electronic approval system, the development, operation, and maintenance of the official website, and email management and support activities, making the Information Security Management System more comprehensive and sound. The Company also scans frequently for vulnerabilities. We officially introduced the Security Scorecard information security system in August 2019, and through continuous upgrades and enhancements the Company has remained at an A rating (a score of 90 or above).

Information Security Education Training

The Company's Information Division organizes internal information security education and training, and announces and disseminates information security information quarterly, so as to raise the information security awareness of all employees. The topics covered by the information security notifications issued by the Information Technology Div. in 2022 include the link between ransomware attack events and phishing, social engineering drills, ransomware case studies, and anti-fraud publicity. In 2022, the information security training courses covered enterprise information security trends, dissemination of the most recent cases, the information security policy, and the code of personnel information security conduct (employee training hours totaling 532 hours), while the training courses on personal data/privacy covered an introduction to the Personal Information Protection Act, and the EU's GDPR regulations and case review (employee training hours totaling 2,707 hours). 100% of employees completed the information security courses and the personal data/privacy protection courses.

Information Security Risk Management Plan