Framework
To strengthen information security management and ensure the security of data, systems, and networks, Tairoun Products has formulated an Information Security Protection Plan in accordance with the "Information Security Control Guidelines for Listed and Over-the-Counter Companies." The company's Information Planning Division is responsible for information security matters, and in 2023 (ROC year 112) one Information Security Manager and one dedicated information security staff member were appointed based on the Level 2 Information Security Notification.
The internal management structure is shown in the diagram below:
Policy
Tairoun Products Co., Ltd. Information Security Management Policy
1. Purpose
The Information Security Policy of Tai Rong Industrial Co., Ltd. (hereinafter referred to as "Tai Rong") is formulated to enhance the security and stability of information and communication operations, provide reliable information and communication services, ensure the confidentiality, integrity, and availability of information assets, and support the smooth conduct of Tai Rong's business activities. This policy (hereinafter referred to as "this policy") is established in accordance with the Information Security Management Act and its subsidiary laws and serves as the highest guiding principle for information security management at Tai Rong.
2. Scope
This policy applies to Tai Rong employees, and to vendors and third-party personnel who have access to Tai Rong business information or provide services to Tai Rong.
3. Objectives
- Ensure the confidentiality of business-related information, safeguarding company secrets and personal data.
- Ensure the integrity and availability of business-related information, enhancing operational efficiency and quality.
- Support national initiatives and the implementation of this policy to enhance information security protection capabilities.
- Comply with national laws and regulations as well as the company's standards to achieve the goal of continuous business operations.
4. Strategies
- Consider relevant laws, regulations, and operational requirements, assess the security needs of information and communication operations, and establish related procedures to ensure the confidentiality, integrity, and availability of information assets.
- Establish the company's information security organization and define roles and responsibilities to facilitate the implementation of information security operations.
- Carry out the required tasks in accordance with the regulations on the classification of information security responsibility levels.
- Establish an information security incident reporting and response mechanism to ensure proper response, control, and handling of security incidents.
- Conduct regular information security audits to ensure the effective implementation of information security management.
5. Review
This policy is approved by the General Manager and is reviewed at least annually, or whenever there are significant organizational changes (such as organizational restructuring or significant business changes). It is revised as appropriate based on the evaluation results, relevant laws and regulations, and the latest developments in technology and business. Any revisions must also be approved by the General Manager.
Security Plan
Tairoun Products Co., Ltd. has established the "Tairoun Products Co., Ltd. Information Security Maintenance Plan" in accordance with Article 10 of the Information Security Management Act and Article 66 of the Enforcement Rules. The plan applies company-wide, and each year various information security tasks are carried out under it, including firewall maintenance, employee internet access control mechanisms, antivirus operations, system updates, data backups, information security education and training, and social engineering drills. The execution status is regularly reported to the Board of Directors, and the information security protection plan is reviewed and amended annually based on that status. This is intended to ensure that the hardware, software, and personnel mindset underpinning the company's information security are kept in optimal condition.
In addition, the Information Security Plan sets out notification procedures for emergencies. When an information security incident occurs, the information security personnel report to their supervisor and, as required by regulations, to the relevant authorities. The company has also applied for membership in the "Taiwan Information Security Alliance" and, with the alliance's assistance, works jointly to maintain information security.
Execution
Main items carried out in 2023 (ROC year 112):
1. Completed the offsite and cloud backup operations for the entire company's data.
2. Completed the setup of Tairoun Products' cloud drive to ensure comprehensive data backup.
3. Completed the replacement and upgrade of personal computers at the headquarters and Yunlin factory.
Work plan for 2024 (ROC year 113):
1. Firewall equipment and software updates for the headquarters, Yunlin factory, and Kaohsiung factory.
2. Company-wide information security education and training.
3. Ongoing updates to personal computer equipment across all factories.
4. Replanning of the IT equipment rooms in each factory.
5. Review of network equipment and network planning in each factory.
6. Social engineering drills.