Information Security Protection

Information Security Policy

Strengthen Information Security, Enhance Service Quality

Reinforce Cybersecurity Training, Ensure Business Continuity

Improve Emergency Response, Build Organizational Resilience


Shihlin Electric has established a formal Information Security Policy, under which all employees are obligated to actively support and implement information security measures. The purpose is to ensure the secure operation of all company data, IT systems, devices, and networks, and to embed a culture of information security awareness and responsibility throughout the organization. This contributes to the company’s overarching goal of ensuring uninterrupted business operations. To further enhance its information security management and safeguard personal and customer data, Shihlin Electric obtained ISO 27001 certification in February 2025. This achievement reflects the company’s commitment to building a comprehensive cybersecurity framework and implementing governance standards to effectively control security risks, while minimizing the probability and impact of cybersecurity incidents. In response to the revised "Regulations Governing the Establishment of Internal Control Systems by Public Companies" issued by the Financial Supervisory Commission (FSC), Shihlin Electric has, since 2023, appointed a dedicated Chief Information Security Officer (CISO) and supporting personnel. The company is also planning to establish a Group-level Information Security Management Committee to oversee and coordinate all cybersecurity-related initiatives and ensure compliance across the organization.

ISO/IEC 27001:2022 – Information Security Management System. Certified unit: Information Technology Department. Certificate validity period: until February 12, 2028.

Information and Communication Security Framework

Information Security Control Measures

Management Area | Specific Control Measures

Network Security Management

•   Perform ad hoc security assessments or penetration tests to evaluate network security.

•   Patch identified vulnerabilities in the network environment on a regular schedule, or promptly when the risk warrants it.

•   Critical internal websites and application systems must be isolated from the external internet by firewalls.

•   Data transmitted over networks should be encrypted by default.

•   Implement internet usage policies and web filtering systems to block access to malicious websites.

Access Control for Information Systems

•   Enforce access control settings for databases and file systems.

•   User accounts and passwords must comply with the company password policy: minimum length of 8 characters, complexity requirements, and password renewal every 60 days.

•   Upon employee termination, the IT department must disable or delete the user's accounts immediately, effective from the official resignation date.

Computer System Security Management

•   All servers and personal computers must be equipped with antivirus software that auto-updates virus definitions.

•   Implement email security modules, such as spam filters, malware detection, and attachment control, to strengthen email security.

•   In the event of a system failure, cybersecurity incident, or business recovery need, restoration must follow the system-specific recovery procedure, which must be documented in advance and approved by the responsible supervisors.

•   Perform regular disaster recovery drills for critical information systems.

Data Backup

•   Conduct daily database backups.

•   Clearly label backup files with the backup date, system name, and data contents, and store them off-site.

System Availability

•   Establish high-availability mechanisms for critical information systems.

•   Perform daily full backups of application system programs.
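The access-control rules above (8-character minimum, complexity, 60-day renewal, accounts disabled from the resignation date) are the kind of control an auditor wants to check mechanically rather than by reading policy. The Python below is an added example and not Shihlin Electric's own tooling: a password validator applied at set time, plus an audit that runs over a directory export joined with the HR resignation date and reports stale passwords and enabled accounts of departed staff. The record fields, the reading of "complexity" as three of four character classes, and the sample accounts are all assumptions made for the illustration.

```python
"""Policy checks for the access-control rules listed above.

Added example, not the company's code. Assumptions: an IAM export carries the
user id, enabled flag and password-set date, and the HR roster supplies a
resignation date; "complexity" is taken to mean 3 of 4 character classes.
"""
import string
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

MIN_LENGTH = 8                # "minimum length of 8 characters"
MAX_PASSWORD_AGE_DAYS = 60    # "password renewal every 60 days"
MIN_CHARACTER_CLASSES = 3     # assumption: the page does not define "complexity"


def validate_new_password(password: str) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = accepted).

    This runs at password-set time. The audit below deliberately never sees
    plaintext passwords; it works from metadata only.
    """
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"uses {classes} of 4 character classes, "
                        f"policy requires {MIN_CHARACTER_CLASSES}")
    return problems


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    password_last_set: date
    resignation_date: Optional[date] = None  # from HR; None = still employed


@dataclass(frozen=True)
class Finding:
    user_id: str
    rule: str
    detail: str


def audit_accounts(accounts: Iterable[Account], today: date) -> List[Finding]:
    """Flag enabled accounts that violate the renewal or offboarding rule.

    Disabled accounts are skipped: a disabled account with an old password is
    not a live risk, and the offboarding rule is already satisfied for it.
    """
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        age = (today - acct.password_last_set).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(Finding(acct.user_id, "password-renewal",
                                    f"password is {age} days old"))
        if acct.resignation_date is not None and acct.resignation_date <= today:
            overdue = (today - acct.resignation_date).days
            findings.append(Finding(acct.user_id, "offboarding",
                                    f"still enabled {overdue} day(s) after "
                                    f"resignation date {acct.resignation_date}"))
    return findings


# Constructed sample export for the demonstration (not real personnel data).
SAMPLE_ACCOUNTS = [
    Account("u1001", True, date(2024, 5, 1)),                      # compliant
    Account("u1002", True, date(2024, 2, 1)),                      # stale password
    Account("u1003", True, date(2024, 5, 10), date(2024, 5, 31)),  # left, still enabled
    Account("u1004", False, date(2024, 1, 1), date(2024, 3, 15)),  # left, disabled: fine
    Account("u1005", True, date(2024, 5, 20), date(2024, 7, 1)),   # leaving in future: fine
]
AUDIT_DATE = date(2024, 6, 10)

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{f.user_id}: {f.rule}: {f.detail}")
    print("summer24 ->", validate_new_password("summer24"))
```

Run against the constructed export, the audit reports two findings: u1002 for a 130-day-old password and u1003 for an account still enabled ten days after the resignation date; u1004 and u1005 produce nothing because one is already disabled and the other has not yet left. The validator rejects "summer24" on character classes even though it meets the length rule, which is the case a length-only check would miss.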

Information Security Training and Awareness

To ensure the effective implementation of information and communication security (ICS) management and to raise employee awareness, Shihlin Electric conducts annual information security training for all staff. These efforts are aimed at instilling the principle that "information security is everyone's responsibility", helping employees recognize the importance of cybersecurity, comply with the relevant policies, and improve their incident response capabilities so as to mitigate risk and support business continuity. Information security modules are included in onboarding training for all new employees, and regular refresher sessions are held for existing staff; employees who have not previously attended ICS training are prioritized each year. Information security updates and reminders are communicated regularly to all personnel to reinforce awareness.

In addition, the company conducts unscheduled cybersecurity drills to keep employees alert, and periodic emergency response exercises to ensure rapid recovery in the event of system failures or major incidents. These exercises test the resilience of the organization and confirm that critical business operations can continue under adverse conditions. Emergency response scenarios cover key ICS failure situations, including:

•   UPS failure during a power outage

•   Database corruption

•   ERP application virtual host failure

•   Hardware failure of database servers

•   Storage system malfunction

•   Core network switch failure

•   Firewall outage

•   ICT service interruption

During each drill, system owners are responsible for executing the response actions the scenario calls for, such as system failover, data backup, and restoration. All drills are required to meet the Recovery Time Objective (RTO) of 4 hours, demonstrating system resilience and operational reliability.

Information and Communication Security Training – 2024 Overview

Phishing Simulation Drill

  • Date: April 27, 2024
  • Activity Name: Phishing Email Simulation
  • Target Audience: All employees
  • Participants: 1,532
  • Purpose: To enhance employees' awareness and response to email-based social engineering threats.

Employee Cybersecurity Awareness Training

  • Dates: June 28 and November 21, 2024
  • Sessions: 5 training sessions (1 hour each)
  • Activity Name: Employee Information Security Training
  • Target Audience: Selected employees, prioritizing those who have not received prior cybersecurity training
  • Participants: 142
  • Objective: To reinforce understanding of corporate security policies, risk prevention, and incident reporting.

Cybersecurity Emergency Response Drills

  • Frequency: Conducted according to scheduled internal audit cycles
  • Drill Scenarios: Uninterruptible Power Supply (UPS) simulation; ERP system database failure and recovery; ERP system application virtual host failure; ERP system database server hardware failure; ERP system storage device failure; core network switch failure; server farm firewall failure; ICT service outage recovery
  • Target Audience: Designated system owners and technical personnel
  • Participants: 6
  • Recovery Objective: Each drill aimed to meet the internal Recovery Time Objective (RTO) of 4 hours.

Participation in External Cybersecurity Seminars

  • Participants: 3 dedicated cybersecurity personnel
  • Training Coverage Rate: 100%
  • Purpose: To stay up to date with industry developments and regulatory trends in information security.

Personal Data Protection

To safeguard customer privacy, Shihlin Electric has established Personal Data Protection Management Regulations that govern the collection, processing, duplication, use, transmission, filing, deletion, and destruction of personal information. These procedures provide clear guidance on the proper handling of customer data and assign specific responsibilities for data protection. The company regularly trains the relevant employees so that personnel at all levels are familiar with the regulatory requirements and internal policies on data privacy. All sales, marketing, and promotional activities are conducted in strict compliance with the Fair Trade Act, the Personal Data Protection Act, the Trademark Act, and the applicable regulations issued by the National Communications Commission (NCC) and other relevant authorities.

 

TISAX Certification – Automobile Equipment Business Group

In response to the increasing frequency of cybersecurity incidents in the automotive industry, European automakers have accelerated the requirement for suppliers to obtain certification under the Trusted Information Security Assessment Exchange (TISAX) framework, which is based on the VDA Information Security Assessment (VDA ISA). Shihlin Electric's Automobile Equipment Business Group obtained its first TISAX Assessment Level 2 (AL2) label in July 2022. The business group completed its third recertification audit in December 2024 and is expected to pass verification and update the validity of its label on the TISAX platform by March 2025. This achievement not only fulfills key customer requirements but also strengthens opportunities to expand within the European automotive market, while enhancing the group's internal information security governance.

Cybersecurity Governance Progress

Shihlin Electric continues to advance its cybersecurity management practices through the following key measures:

•   Information asset inventory and classification

•   Annual information security risk assessments

•   Internal cybersecurity audits

•   ISMS (Information Security Management System) reviews and improvements

These efforts support a continuous improvement cycle under the ISMS framework, ensuring that security risks are identified and corresponding mitigation strategies are formulated.

Information Asset Inventory and Risk Assessment Course

Contact:Sustainable Development Division ESG@seec.com.tw
