Corporate Governance

Home> Investor>Corporate Governance>Information Security Risk Management

Information Security Risk Management Framework

Information Security Management Measures


In order to implement information security management, the company has formulated a computerized information system processing cycle and information security management specifications. The information center performs various information security work. The processing policy is as follows.

2. Scope of application:

Applicable to all employees of the company.

3. Responsibilities:

The Information Section is responsible for supervising the management of software and hardware, and computer users in all relevant departments must strictly follow this management method.

4. Hardware security rules:

4.1 Hardware range:Computer and peripheral equipment, network equipment, video equipment, communication equipment. Such as: computers, printers, barcode machines, barcode readers, scanners, digital cameras, HUBs, optical fibers, projectors, cameras, etc.
4.2 Hardware acquisition process:

Execute according to "IC-05-CF01 Fixed Assets Purchase Operation", "IC-05-CF02 Fixed Assets Purchase Operation" and "IC-05-CF02 Fixed Assets Acceptance Operation"

Note: The user is the custodian of the computer after signing for the hardware equipment, and will be responsible for the safekeeping of the hardware equipment in the future.

4.3 Change of computer custodian Execute according to "IC-05-CF08 Fixed Assets Disposal and Change Operation".       

4.4 Precautions for use

4.4.1 Users are not allowed to open the main case of the computer without the consent of the Information Section, and install any accessories (including private accessories) such as sound cards, CD players, etc. Violators will be punished according to their circumstances.

4.4.2 If the user has any abnormality or abnormality in the hardware equipment, he must immediately notify the information department to deal with it, and must not dismantle and repair it by himself. Violators will be punished according to the circumstances.
4.4.3 The hardware is the company's assets. If the hardware equipment is lost or damaged, the custodian shall be responsible for the relevant compensation. Anyone who intentionally damages or steals the equipment will be expelled and punished in addition to compensation.
4.4.4 If the computer custodian allows others to use its hardware equipment without authorization, causing violations, the user and the custodian shall be punished together. If the hardware equipment in custody is misappropriated by others, resulting in violations, the custodian is obliged to take the relevant responsibilities.
4.4.5 Without the consent of the custodian, the computer equipment of others shall not be used without authorization. Violators shall be punished according to the circumstances.
4.4.6 Without the consent of the Information Division, users and custodians are not allowed to change the relevant settings of the hardware equipment. Violators will be penalized for demerit, and those who cause inconvenience to others will be punished more severely.
4.4.7 Computer users are not allowed to use the computer to print non-related business information such as novel articles, landscape pictures, etc. Violators will be punished according to their circumstances.
4.4.8 The computer equipment is used for the company's office, and it is not allowed to be used for public or private purposes, or to do things unrelated to work (such as playing games, chatting online) and non-company work. Violators recorded the above penalties.
4.5 Maintenance of hardware

4.5.1 The user needs the information personnel to carry out the maintenance of the information equipment, inform the information personnel by telephone, and explain in detail the contact person and method, the type of equipment, and the description of the fault.
4.5.2 When the information department personnel receive the user's call for repair, they must confirm and deal with the user's repair problem as soon as possible. If the hardware needs to be replaced, the information department will inform the user of the specific fault, and the user will issue a request according to the purchase process. Purchase order, the information department should arrange replacement in time after receiving the accessories.

5. Security rules for core information equipment

5.1 Separate independent logical domains (such as internal or external networks and firewalls, etc.) according to the needs of network services, separate development, testing and formal operating environments, and establish appropriate information security protection controls for different operating environments measure.

5.1.1 Regularly conduct security scans on important equipment.

5.1.2 Penetration testing of important equipment is carried out on a regular basis.
5.1.3 Perform source code scanning security testing before the system goes online.
5.2 Have the following information security protection control measures:

5.2.1 Antivirus software.

5.2.2 Network firewall.

5.2.3 If there is an email server, it has an email filtering mechanism.

5.2.4 Intrusion detection and defense mechanism.

5.2.5 If there is a core information communication system for external services, it shall have an application firewall.

5.2.6 Advanced persistent threat attack defense measures.

5.2.7 Information Communication Security Threat Detection Management Mechanism (SOC).

6. Information software and information security rules

6.1 Incorporate information security requirements into the requirements specifications for the development and maintenance of the information communication system, including smart data access control, user login authentication, and user input and output inspection and filtering.

6.2 Regularly carry out the security requirements test of the information communication system, including smart data access control, user login authentication and user input and output inspection and filtering test

6.3 Properly store and manage information system development and maintenance related files.

6.4 Establish appropriate protective measures for the processing and storage of sensitive data, such as: physical isolation, dedicated computer operating environment, access rights, data encryption, transmission encryption, data shielding, personnel management and processing specifications, etc.

6.5 Develop management procedures for on-the-job, on-the-job and resignation, and sign a confidentiality agreement to clearly inform confidentiality matters.

6.6 Establish operational regulations for user pass code management, such as: default password, password length, password complexity, password history, password shortest and longest validity period, and a login failure locking mechanism, and evaluate the adoption of multi-authentication technology in the core information communication system .

6.7 Regularly review privileged accounts, user accounts and permissions, and disable accounts that have not been used for a long time.

6.8 Establish appropriate monitoring measures for the information communication system and related equipment, such as: authentication failures, failures to access resources, important behaviors, important data changes, functional errors and administrator behaviors, etc., and establish appropriate protection mechanisms for logs.

6.9 Establish appropriate management measures for projects such as security control, personnel entry and exit control, and environmental maintenance (such as temperature and humidity control) in computer rooms and important areas.

6.10 Pay attention to security vulnerability notices, patch high-risk vulnerabilities in real time, and regularly evaluate and handle security vulnerability repairs for equipment, system components, database systems, and software.

6.12 Develop security control procedures for information equipment recycling and elimination to ensure that sensitive data is indeed deleted.

6.13 Develop operating instructions for information hardware and software, such as: software installation, e-mail, communication software, ERP and operation specifications for the sign-off system.

Information Architecture Management Solution

In order to reduce the risk of information security, and to eliminate the abnormality in the shortest time when the incident occurs, and maintain the normal operation of the company, the information security management will be carried out from the following aspects.

Information Architecture Management Specific Program

1. External Risk Defense

(1) The network administrator checks whether the firewall hardware is running normally every day, including indicator lights, lines, noise, etc.

(2) The network administrator regularly checks the firewall operation log, mainly including whether there is any hardware error or warning in the log.

(3) The network administrator regularly checks the external intrusion log of the firewall to check whether there is any external illegal IP intrusion, and prepares protection strategies.

2. Internal audit management

(1) Each department fills in the "Internal Resource Permission Application Form" according to the actual work needs. After the approval of the supervisor at or above the professional level (inclusive) of the department, the Information Department will carry out the permission setting operation.

(2) Due to the change in the nature of the work, it is necessary to change the access authority of the department's resources, fill in the "Application Form for Internal Resource Permission", and after the approval of the supervisor of the department (inclusive) or above, the information department will carry out the authority setting operation.

(3) Due to changes in the nature of the work, it is necessary to apply for non-departmental resource access rights, fill in the "Internal Resource Permission Application Form", and be approved by the supervisor of the department (inclusive) or above and the supervisor of the department to be visited (inclusive). Afterwards, the information department carries out the permission setting operation.

(4) Non-company employees are not allowed to open access rights.

3. Emergency Response Mechanism

When an emergency occurs, system administrators and network system administrators must immediately detect the failure of various information equipment, fill in "ESON ITS EMERGENCY CASE REPORT" in accordance with the computer room management operation specifications and report it to the head of the information department, and take the following contingency measures:

(1) Enable backup equipment to restore the network and communication system. If there is no backup equipment, Kunjing will notify the maintenance manufacturer to provide backup equipment and restore the network and communication system.

(2) Send the faulty information equipment to the maintenance manufacturer for repair. If it cannot be repaired, write a signature and submit it to Kunming for urgent procurement.

(3) After the abnormality is resolved and restored, notify the relevant users to re-execute the transaction operation or perform data backup and recovery.

  • ESON headquarters:No. 88, Yuanfeng Rd., KSND. Kunshan City, Jiangsu, China

  • Branch: Taiwan / Subsidiary: Wuxi, Yantai, Dongguan, Slovakia, Mexico, Vietnam, Malaysia First Plant, Malaysia Second Plant

  • +86-512-57572938

COPYRIGHT (O) 2021.ESON Precision Engineering Co. Ltd. 蘇ICP備11060543號-1

Technical Support:Wanhe Technology