
Information Security Management Framework

KINIK has formulated the “Information Security Policy” to strengthen information security management and ensure the confidentiality, integrity and availability of information assets owned by the Company and those entrusted to it by customers and partners, to provide the environment and structure required for the Company's information operations, and to prevent intentional or accidental threats, whether internal or external. The Company has also established an information security management system based on actual needs and in compliance with relevant laws and regulations. Its scope covers the server rooms of the Company's plant sites, information services, the maintenance and operation (M&O) system, the relevant departments and M&O management personnel, so that the information operation and management process is fully controlled and the various security requirements and expectations are met. In terms of the organizational structure of information security management, the board of directors is the highest governance body for information security at Kinik. The MIS Dept. is responsible for implementing the Information Security Policy and reports the management results to the CEO and the board of directors on a regular basis, to ensure that implementation is effective and that the policies remain aligned with the management objectives.

Kinik is fully aware of the importance of information security. It has therefore established short-, medium- and long-term information security goals linked to the Information Security Policy, to prevent the improper use, leakage, alteration and destruction of data through human negligence, intentional acts or natural disasters, and the risks and harm these could bring to the Company. In the short term, the Company will focus on introducing external network vulnerability scanning and building firewalls to establish a more comprehensive information security protection mechanism. In the medium term, the Company will enhance security education and training for employees, set up a dedicated information security unit to raise awareness of information security protection among all employees, and plans to introduce ISO 27001 to enhance the effectiveness and performance of the information security management system. The long-term goal is to centralize the logs of information security equipment, introduce a source-code security detection mechanism, and continuously optimize the management process and information security protection capability.

Information Security Management Measures

Type: Permission Management
Explanatory notes: Personnel account management, network service permission management, system operation resource permission management
Related operations:
• Regular audit of employee accounts and password policy
• System accounts are merged into the privileged account management system
• Account permission review and management

Type: Access Control
Explanatory notes: Control measures for personnel accessing internal and external system resources and data transmission channels
Related operations:
• Internal and external host system resource control and access permission audit measures

Type: External Threats
Explanatory notes: Weaknesses from internal and external vulnerabilities, and protection against malware threats
Related operations:
• Host vulnerability protection and update measures
• Internal and external network protection system
• Host endpoint protection and antivirus system protection

Type: System Availability
Explanatory notes: System status alerting, notification and monitoring
Related operations:
• System/network state monitoring and anomaly reporting mechanism
• Network/host outage countermeasures
• System data backup and off-site backup mechanism
• Regular disaster recovery drill plan

Type: Equipment Safety Control
Explanatory notes: Control of unauthorized and illegal equipment
Related operations:
• AD system controls authorized equipment
• Asset management system controls legally authorized information equipment

Implementation of information security protection

Under the “Information Security Policy” and the systematic operation of the information security management framework, and in order to further protect the rights and interests of all employees, partners and other users and to analyze the impact of potential risks on the Company’s operations, the Company has formulated the “Information Security Management” procedures. The Company has adopted six major categories of information security protection: “Information Security Incident Management, Equipment Operation Continuity Management, Legal Compliance, Internal Audit, Cooperation and Coordination with External Authorities, and Education and Training.”

Principle:

• Establish a formal information security incident reporting procedure so that information security incidents are quickly reported to management personnel for timely response and handling.

• Information system related personnel, suppliers, and users must comply with the reporting requirements. As soon as a suspected security vulnerability is discovered or observed, the management personnel shall be notified immediately to prevent further damage.

• The incident management procedures shall include analysis and identification of the cause of the incident, planning of preventive and corrective measures for the incident, and a decision on whether relevant evidence needs to be collected for reporting to the competent authority or for substantiating a damage claim.

• The Company should establish an appropriate assessment and monitoring mechanism for the frequency of incidents, damage, and business losses to prevent recurrence of incidents, and record the process and impact of information security incidents as a basis for responding to future incidents.

Processing procedure:

Information Security Incident Management - Processing procedure

All units shall implement preventive and recovery measures through the business continuity management process, to prevent potential operational disruption risks and ensure that core operational systems and business processes can continue to operate without being affected by disasters.

While implementing policies and the relevant operational regulations and standards, the Company follows and observes government laws and regulations, contracts with upstream and downstream vendors and customers, and internal regulations, to ensure compliance with the requirements of the corporate security statements, goals and standards. The Company regularly identifies the relevant laws and regulations it must comply with, so that all employees can jointly comply with them. For data that can identify a specific individual, the Company follows the “Personal Information Protection Act” regarding the right to autonomous control of personal data, and implements personal privacy and personal data protection accordingly.

• Each year, the MIS unit shall conduct a self-audit based on the “Information Security Internal Assessment Form”, and fill in the assessment data with the audit results as required.

• The measures and regulations related to information security shall be evaluated at least once a year to reflect the latest status of laws and regulations, the IT environment, and business, and to ensure the feasibility and effectiveness of information security practices.

• The security of software and hardware should be reviewed and assessed annually to ensure compliance with the standards of the “Information Security Policy.”

• Relevant personnel of the information security organization should strengthen coordination and contact with external information security experts or consultants, collaborate with them, share experience, assess possible information security threats, and develop and promote practical information security measures accordingly.

Organize information security education and training, together with occasional email campaigns by the MIS Dept., to promote employees’ awareness of information security and strengthen their awareness of the related responsibilities.

The Company systematically implements management system introduction, internal audits and training to strengthen information security management. At the same time, the Company regularly commissions external organizations to conduct vulnerability scanning and threat diagnosis every year and, based on the results of the assessment and analysis, carries out policy and technical enhancements to ensure that the Company's operations are not threatened.