UMC is well aware that cyberattacks may not only expose the Company to the risks of data leakage and ransom threats, but also interrupt the production system, causing serious operating losses or even damaging the reputation of the Company. Facing ever-changing and diverse external threats, it is critical to strengthen corporate information security. Correctly responding to the changing environment with limited resources is an important task.
Information Security Policy Implementation
1. To establish Information Security Management rules in accordance with customer requirements,
2. To reach a consensus that information security is everyone’s responsibility through full awareness,
3. To protect information confidentiality, integrity, and availability for the Company and customers, and
4. To provide a safe production environment to ensure sustainable operation of the Company’s business.
Information Security Committee Organization
The “Enterprise Information Security Committee” is responsible for planning, establishing and maintaining the information security management system. The Independent Board Director Jyuo-Min Shyu oversees information security and cyber security strategy. Mr. Shyu was the Minister of the Ministry of Science and Technology and the President of Cloud Computing & IoT Association in Taiwan, and led multiple information security projects, such as the National Information & Communication Security Taskforce as Vice Chairperson and the initiation of the IoT Information Security SIG (Special Interest Group).
The vice president of the Digital Function serves as the Chief Information Security Officer (CISO), who is responsible for establishing and maintaining the information security strategy and processes that protect information assets.
Countermeasures for Information Security Risks
1. Strengthen information security protection capability:
- Conduct information security system testing and apply patches regularly. We have business continuity plans in place and test them continually. Establish a network security incident contingency plan and take escalation and recovery actions.
2. Improve information security management procedures:
- UMC has complied with information security-related certifications such as ISO 15408, ISO 22301, and ISO 27001, and carried out continuous improvement through annual recertification.
3. Risk control:
- UMC has purchased information security insurance to transfer risks of information security threats, protecting the Company from cyberattacks and minimizing potential losses.
4. Education and training:
- Company-wide information security training and social engineering phishing tests are conducted to instill information security awareness in every employee.