Framework

To strengthen information security management and ensure the security of its data, systems, and networks, Tairoun Products has formulated an Information Security Protection Plan in accordance with the "Information Security Control Guidelines for Listed and Over-the-Counter Companies." The company's Information Planning Division is responsible for information security tasks, and in 2023 (ROC year 112) one Information Security Manager and one dedicated information security staff member were appointed based on the Level 2 Information Security Notification.

The internal management structure is shown in the diagram:

Policy

Tairoun Products Co., Ltd. Information Security Management Policy

1. Purpose

The Information Security Policy of Tairoun Products Co., Ltd. (hereinafter "the Company") is formulated to enhance the security and stability of the Company's information and communication operations, provide reliable information and communication services, ensure the confidentiality, integrity, and availability of information assets, and support the smooth conduct of the Company's business, in compliance with the Information Security Management Act and its subsidiary laws. This policy serves as the highest guiding principle for information security management at the Company.

2. Scope

This policy applies to Company employees and to vendors and third-party personnel who have access to the Company's business information or provide services to the Company.

3. Objectives

- Ensure the confidentiality of the Company's business-related information, safeguarding company secrets and personal data.
- Ensure the integrity and availability of the Company's business-related information, improving operational efficiency and quality.
- Support national initiatives and the implementation of this policy to enhance information security protection capabilities.
- Comply with national laws and regulations and with the Company's own standards to achieve the goal of continuous business operations.

4. Strategies

- Consider relevant laws, regulations, and operational requirements, assess the security needs of information and communication operations, and establish the related procedures to ensure the confidentiality, integrity, and availability of information assets.
- Establish the Company's information security organization and define its roles and responsibilities to facilitate the implementation of information security operations.
- Carry out the mandatory tasks required under the information security responsibility level classification rules.
- Establish an information security incident reporting and response mechanism to ensure that security incidents are properly responded to, controlled, and handled.
- Conduct regular information security audits to ensure that information security management is effectively implemented.

5. Review

This policy is approved by the General Manager and is reviewed at least once a year, or whenever there is a significant organizational change (such as organizational restructuring or a significant change in business). It is revised as appropriate based on the review results and on the latest developments in relevant laws and regulations, technology, and business. Any revision must also be approved by the General Manager.

Security Plan

Tairoun Products Co., Ltd. has established the "Tairoun Products Co., Ltd. Information Security Maintenance Plan" in accordance with Article 10 of the Information Security Management Act and Article 66 of the Enforcement Rules. The plan applies company-wide, and information security tasks are carried out under it each year, including firewall maintenance, employee internet access control mechanisms, antivirus operations, system updates, data backups, information security education and training, and social engineering drills. The execution status is regularly reported to the Board of Directors, and the information security protection plan is reviewed and amended annually based on that status, to ensure that the company's information security hardware, software, and personnel mindset are all maintained in optimal condition.

In addition, the Information Security Plan defines emergency notification procedures. When an information security incident occurs, the information security personnel report to their supervisor and, as required by regulations, to the relevant authorities. The company has also applied for membership in the "Taiwan Information Security Alliance" and, with the alliance's assistance, works collectively to uphold information security.

Execution

Main items carried out in 2023 (ROC year 112):

1. Completed off-site and cloud backup operations for company data.
2. Set up the company's cloud drive to ensure complete backup of all data.
3. Completed the replacement and upgrade of all company computers.

Work plan for 2024 (ROC year 113):

1. Update of the company's firewall equipment and software.
2. Information security education and training for the company.
3. Ongoing upgrades of the company's personal computer equipment.
4. Replanning of the company's IT/server room.
5. Review of the company's network equipment and network architecture.
6. Social engineering drill.
7. Obtained ISO 27001 certification.

ISO27001

Personal Data Protection Policy and Implementation

Tairoun Industrial Co., Ltd. values the security of personal data belonging to customers, employees, and all stakeholders. To comply with the Personal Data Protection Act and strengthen corporate responsibility, we have established and implemented a Personal Data Protection Policy that clearly regulates the collection, processing, use, and storage of personal data, all managed under strict confidentiality principles.

In addition, the company has formulated the Tairoun Industrial Co., Ltd. Personal Data Protection Management Guidelines as the basis for all employees to follow. These guidelines define specific data handling practices and are regularly disclosed on the company's intranet and bulletin board, ensuring that all employees can access, understand, and comply with them. All new employees are also required to sign the relevant confidentiality documents upon onboarding to reinforce awareness of and accountability for data protection.

To further promote information security governance, the company has established an information security management system and implemented protective mechanisms focusing on the following key areas:

- Policy Formulation: Tairoun Industrial Co., Ltd. has established the Personal Data Protection Management Guidelines, which define the collection, processing, use, management, and protection of rights for personal data in accordance with the Personal Data Protection Act.
- Implementation: All new employees are required to sign an Information Security and Confidentiality Agreement and a Personal Data Protection Consent Form, which are also disclosed on the internal system to ensure internal compliance.
- Protection Mechanisms: Comprehensive procedures have been established, including notification obligations, data subject rights request procedures, personal data amendment handling and records, data classification and access control, and information security incident response.
- Education & Awareness: Information security education and training is conducted annually, with a total of 30 training hours scheduled for 2025.
- Policy Disclosure: The company's Personal Data Protection Policy is published on the internal website and bulletin platform, ensuring employees are informed and able to access it at any time.
- Data Retention & Deletion: Data retention periods after employee departure are clearly defined, with data actively destroyed once the retention period expires, in line with the principle of data minimization and with data lifecycle management.