In response to personal information protection and information security needs, Tatung established the Information Security and the Personal Information Protection Committee as early as 2014, passed the ISO 27001 information security management system verification, and ensures the security of the company's personnel, data, information systems, equipment and network in accordance with the requirements of the BS 10012 personal data protection standard. To that end, the company has established an information security policy as the highest guiding principle of its information security management system, with the goal of "uninterrupted service, no loss of information, personal information not leaked, and enterprise sustainable operation".
The information security management system is implemented on the basis of the PDCA process model, in a cyclical and gradual spirit, to ensure the effectiveness and continuity of information business operations. In practice, implementation takes prevention and risk reduction as its prerequisite. Through monthly information security meetings and emergency meetings, new internal and external information security issues are reviewed, and the resulting countermeasures are implemented in the annual plan. An information security and personal asset management review meeting hosted by the general manager is held in October each year to report on the year's implementation results and the information security budget plan for the next year. Annual activities include an external audit by an audit consultant in the second half of the year, two sessions of outsourced consultant and pre-external-audit counseling, and an annual internal audit review by the Audit Committee to determine the implementation status of the information security management system and whether the confidentiality, integrity, and availability of the various services have achieved the information security goals set for compliance.
In addition, in response to changes in the social environment, laws and regulations, and technological advancement, Tatung has formulated a privacy protection statement. The collection, processing and use of customer data comply with the "Personal Data Protection Law" and related laws and regulations, and the personal data of customers is properly protected. The summary of key control measures is shown in Table 4.3-1. In 2020, there were no complaints related to infringement of customer privacy or loss of customer information. In addition, fraud involving fake official social accounts has occurred frequently in recent years. Whenever Tatung has learned of such cases, it has immediately posted warning messages on the company's official website and the Tatung community website to prevent consumers from being deceived.

▲ Organization of the Information Security and the Personal Information Protection Committee

The management system has passed ISO 27001 certification and complies with the BS 10012 personal data protection standard.
Management measures
  1. Customer/consumer service personnel who have access to private information are under strict regulation to avoid the loss of crucial personal data. Moreover, without the authorization of the supervisor, individuals have no right to contact customers or consumers privately to avoid infringement of privacy.
  2. Strengthen personnel safety awareness by regularly holding personal information and information security advocacy, education and training courses, and by implementing tests after class to ensure that employees fully understand the importance of personal data and working practices.
  3. Strengthen the security control management of website information by introducing appropriate protection mechanisms and by conducting penetration tests and source code inspections on a regular basis to prevent improper access to information, protecting the personal data of customers.

▲ Table 4.3-1 Key Asset Management and Control Measures