Information Security Management

Management Guidelines for Major Topics

Information Security Management

Materiality

With the continuous threat of cyber attacks, information security has become one of the primary risks to global business operations. ESG rating agencies, including the Dow Jones Sustainability Index (DJSI), have incorporated information security management as a key criterion in their assessments, so it is a topic that enterprises must take seriously. As a global IoT leader, Advantech faces information security issues that touch operational stability, product security, privacy and other aspects, and that bear directly on its brand value. The topic is therefore extremely important to stakeholders such as employees, customers and investors.

Management Strategy
  • Improvement of visibility of information security risks
  • Decrease in attack surface
  • Improvement of information security governance and risk awareness
  • Enhancement of application system resilience
Policy or commitment

To guarantee the Company's business continuity, risks to information assets such as theft, improper use, leakage or destruction caused by human error, hacker attacks or natural disasters are effectively reduced, thereby safeguarding the interests of shareholders and customers.

Description of impact

In 2022, Advantech's information security management did not cause any negative impact on the Company, customers, the environment, the economy or society. During this period, the Company had one information security incident (please refer to Chapter 2 - 2.2 Information security management). Advantech will continue to improve the quality of its information security management in order to avoid negative impacts on production or operational activities, and the compensation to customers, suppliers and employees that would follow if their personal information were stolen in the future.

2022 Achievement Status
    Goals achieved:
  • The headquarters' ISO 27001 scope was extended to cover the headquarters IT room management and backbone network.
  • Kunshan, North America and Europe all passed ISO 27001 certification.
  • The availability target for the factories' ERP, Oracle PLM and MES was 99.5% during working hours; the achieved status was SAP: 99.9%, PLM: 100%, MES: 100%.
  • In 2022, the HQ completed an information security red team drill of the IT and OT environments in the Linkou factory.
  • In 2022, a remote backup mechanism was established in Linkou, and all key application systems were included.
  • There were no cases of business information leakage during 2022.
  • There were no unauthorized network segment connections during 2022.
2023 Goals
    Goals:
  • Microsoft Secure Score reaches 60%.
  • Endpoint Protection (EDR) deployment reaches 80% coverage.
  • Deployment of system vulnerability patching tools reaches 90% coverage.
  • Annual Information Security Advocacy Course completion rate reaches 90%.
  • Availability of key application systems reaches 99.9%.
2025 Goals
  • Microsoft Secure Score reaches 80%.
  • Endpoint Security Protection (EDR) deployment reaches 90% coverage.
  • Deployment of system vulnerability patching tools reaches 98% coverage.
  • Annual Information Security Advocacy Course completion rate reaches 99%.
  • Availability of key application systems reaches 99.95%.
Action Plan
  • Build remote backup mechanisms for key application systems.
  • Expand the ISO 27001 scope to cover the head office information department's computer room, the backbone network, and information operations in North America and Europe.
  • Conduct information security red team drills in the IT and OT environments of the Linkou factory.
Evaluation of effectiveness

A semi-annual Cyber Security Review Meeting and information security governance group meetings are held, at which the annual information security goals and the progress of material information security projects are continuously tracked.

Stakeholder Engagement

Please refer to Chapter 2 - 2.2 Information security management improvement plans.

Information Security Policy and Organization

Information security forms an integral part of business operations and risk management, and its implementation requires management's awareness and adequate support. Advantech's President approves the information security policy and sets information security goals, taking into account the confidentiality, integrity and availability of key systems and important equipment. Each indicator is measured and reviewed at least once a year to ensure that the performance indicators are being met.

Advantech's President, Eric Chen, concurrently serves as Chief Information Security Officer to demonstrate the Company's commitment to information security. A cross-departmental information security governance group has also been established. The Quality Control and Information Security Team is responsible for promoting and coordinating information security issues, including computer information, the physical environment, product information security, the supply chain and regulatory compliance. Implementation status is reported regularly to the Risk Management Committee, so that information security is integrated into the organization's operational management.

Organization Structure of Information Security Team


Advantech has obtained ISO/IEC 27001:2013 Information Security Management System (ISMS) certification. An external certification body conducts an annual audit; the three-year recertification was completed in July 2022, and the certificate remains valid. The certificate originally covered the manufacturing-related information security management activities provided by the MTD Engineering Department and the IT Information Department, including embedded computer products, industrial-grade flat computer products, industrial-grade computer products, network computer products, medical computer platform products and industrial control products. In 2022 the scope was expanded to cover the head office information department's computer room and the backbone network, and in the same year Advantech's information operations in Europe and the United States also passed ISO/IEC 27001:2013 certification.

Advantech continues to improve and expand the scope of its information security management system. The system is standardized in four aspects: strategy, management, technology and awareness. The depth and breadth of information security governance are continuously improved, and rapid changes in the business are responded to effectively by refining the system. The ISO/IEC 27001 verification results of the past three years are as follows.

Information Security Management System (ISMS) ISO/IEC 27001:2013

Countries and industries widely adopt the concepts, methods and models of IEC 62443 when formulating policies to ensure the security of Industrial Automation and Control Systems (IACS). Within that series, IEC 62443-4-1 specifies the secure product development lifecycle requirements and IEC 62443-4-2 the technical security requirements for IACS components, so that products comply with security requirements from the development stage through to mass production, covering both process and product verification. In 2022, the Company invited information security vendors to review the operations of the RMA product maintenance department against IEC 62443-4-2, and the findings were reviewed and remediated in order to reduce possible information security risks.

Information Security Protection Mechanism and Detection

In terms of protective measures, Advantech adopts a multi-level defense-in-depth architecture. Protection mechanisms such as firewalls, antivirus, endpoint protection, privileged account management and two-factor authentication have been deployed. In addition, reputable information security vendors were commissioned to conduct multiple inspections and evaluations, including system vulnerability scanning, penetration testing and website security testing, to examine the effectiveness of the current defense mechanisms; discovered vulnerabilities and weaknesses are patched, reducing potential information security risks. In 2022, Advantech also held a red team cyber attack drill: on the premise of not affecting operations, information security vendors were commissioned to simulate hacker attacks and verify the effectiveness of the plant's protection mechanisms. The drill also improved the information security awareness of IT personnel, who gained knowledge of attack methods and the corresponding responses. Demonstrating the Company's emphasis on information security through practical drills also strengthens the confidence of customers and partner manufacturers in the Company.

Information Security Intelligence and Event Monitoring

To strengthen internal endpoint and network security monitoring, Advantech has introduced an MDR (managed detection and response) service. More than 8,700 computers and servers in the Company are monitored 24/7 for weaknesses and abnormal conditions. The professional information security vendor combines global threat intelligence with AI technology and provides security event alert monitoring, threat hunting, incident investigation, remediation plans, regular reports and round-the-clock monitoring. When an information security incident occurs, this helps the Company accurately and quickly determine the path of the malicious activity and take the correct actions, strengthening and speeding up detection and response.

Enhancement of Information Security Awareness of Personnel

Personnel security awareness is an extremely important part of information security protection. The Company has made information security awareness courses part of its annual compulsory training, delivered to general employees online or face-to-face. The main content covers information security case studies, basic principles of information security, and the information security rules employees must follow. In 2022, the Company, including overseas RBUs, completed information security awareness courses for 6,825 employees.

Item                                                                Direct Labor   Indirect Labor
Completion rate of employee information security publicity in 2022  100%           91%

* Note: These are Advantech's global statistics.

In addition, social engineering drills that simulate hackers' phishing emails test employees' awareness of information security risks and strengthen their vigilance. In 2022, the percentage of employees passing the test increased significantly compared with 2021.

Item                                                      2021    2022
Percentage of Employees Passing Social Engineering Tests  61.5%   79%

* Note: Includes the statistics of Advantech Taiwan only.

System Redundancy and Disaster Recovery

Critical information systems need to be protected from service interruptions caused by major catastrophic events so that the continuity of company operations and essential business is ensured. Therefore, in 2022 Advantech established a remote system backup mechanism at the Linkou factory. The Neihu computer room and Linkou back each other up as geographically separate sites, with off-site data backup established through the Nutanix virtualization platform, so that the Company's key information systems can quickly return to normal or acceptable operating levels after a disaster and operations are not interrupted. To maintain data availability, Advantech also promoted a 3-2-1 data backup mechanism at its headquarters and overseas RBUs in 2022. Important system data is backed up as follows:

  • At least 3 copies of the data (the original plus two backups): when the original file is damaged or lost, it can be restored.
  • Stored on 2 different types of storage media: the complementary strengths and weaknesses of different media guard against different types of hazard.
  • At least 1 off-site copy: this reduces the risk that all storage devices are destroyed or stolen at the same time in a natural disaster, fire, theft, etc.

In addition, the Information Office conducts disaster recovery drills for critical information systems at least once a year. Taking the PLM system as an example, the 2022 drill restored the database from a snapshot backup; all current data in the DB was exported before and after the restore and compared to confirm that the restored data was not damaged. After Linkou's off-site backup mechanism is completed in 2023, a rehearsal of a complete Neihu-Linkou PLM DR failover will be conducted.
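The following is an added example, not Advantech's own tooling, that puts the two practices above into runnable form: a check of a backup inventory against the 3-2-1 rule, and a snapshot-restore drill that exports the database contents before and after the restore and compares them, as the PLM drill description does. SQLite stands in for the production database, and the employee-free part inventory, the backup inventory and the site names are constructed for the example.

```python
"""Added example (not Advantech's code): a disaster-recovery drill harness.

  * check_3_2_1  - evaluates a constructed inventory of backup copies against
                   the 3-2-1 rule (3 copies, 2 media types, 1 off-site copy).
  * run_dr_drill - snapshots a SQLite database, "loses" the primary, restores
                   from the snapshot and proves the restored data is intact by
                   comparing a fingerprint of every row before and after.
All data below is constructed for the example.
"""
import hashlib
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str
    media: str      # e.g. "disk", "tape", "object-storage"
    site: str       # where the copy physically lives
    offsite: bool   # True if the copy is not held at the primary site


def check_3_2_1(copies):
    """Return {rule: passed} for the three parts of the 3-2-1 rule.

    The primary counts as one of the three copies (original plus two backups).
    """
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
    }


def fingerprint(conn):
    """Deterministic SHA-256 over every row of every user table, in a fixed order.

    This is the drill's 'export all current data' step: an identical fingerprint
    before and after the restore means the restored database is not damaged.
    """
    h = hashlib.sha256()
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for t in tables:
        h.update(t.encode())
        for row in conn.execute(f'SELECT * FROM "{t}" ORDER BY 1'):
            h.update(repr(row).encode())
    return h.hexdigest()


def snapshot(src):
    """Take a consistent copy of `src` using sqlite3's online backup API."""
    dst = sqlite3.connect(":memory:")
    src.backup(dst)
    return dst


def run_dr_drill():
    """Simulate the PLM drill: snapshot, export, lose primary, restore, compare."""
    prod = sqlite3.connect(":memory:")
    prod.execute("CREATE TABLE parts (id INTEGER PRIMARY KEY, pn TEXT, rev TEXT)")
    prod.executemany("INSERT INTO parts (pn, rev) VALUES (?, ?)",
                     [("PCA-1000", "A1"), ("PCA-2000", "B3"), ("ARK-5000", "C0")])
    prod.commit()

    before = fingerprint(prod)   # export before the restore
    backup = snapshot(prod)      # the off-site / snapshot copy
    prod.close()                 # disaster: the primary is lost

    restored = sqlite3.connect(":memory:")
    backup.backup(restored)      # restore from the snapshot
    after = fingerprint(restored)  # export after the restore
    rows = restored.execute("SELECT COUNT(*) FROM parts").fetchone()[0]
    return {"before": before, "after": after, "rows": rows, "intact": before == after}


if __name__ == "__main__":
    inventory = [
        BackupCopy("neihu-primary", "disk", "Neihu", offsite=False),
        BackupCopy("neihu-nas", "disk", "Neihu", offsite=False),
        BackupCopy("linkou-replica", "disk", "Linkou", offsite=True),
        BackupCopy("tape-vault", "tape", "Linkou", offsite=True),
    ]
    print("3-2-1:", check_3_2_1(inventory))
    print("DR drill:", run_dr_drill())
```

In a real drill the fingerprint would be computed over the production export (and the restore target would be a separate host), but the control is the same: the comparison is what turns "the restore finished" into "the restored data is correct".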

Information Security Investment

Advantech continues to invest in information security resources. In 2021 and 2022, more than NT$30 million was invested in information security software and hardware. In addition to human resources, the investment covers defense equipment, intelligence monitoring and analysis, system backup, education and training, etc. As a result, information security capabilities and protection have been comprehensively improved.

Improvement Plans

In 2022, the Company did not cause losses to the Company or customers through information security incidents. During the period, the Company had one information security incident*: the information of a small number of employees, such as names, departments and email accounts, was exposed in search engines. The personnel analyzed the cause of the incident and traced it to a gap in the verification mechanism of the development program; in addition to the emergency response handling, all improvements have been completed.

List of Information Security Events

Type of information security incident: Human error
Number of incidents: 1
Improvement method: The website program was immediately modified to add an authentication mechanism. After testing, the vulnerability was confirmed to be fixed.
Improvement results: In response to this incident, secure program development procedures have been strengthened through communication and checks. No similar incident has occurred since.

* Note: Information security incidents follow the definition in CSA 2023 - DJSI Eligible, p. 92.
Information security breaches: unauthorized access to computer data, applications, networks, devices, protected systems and data, in which cybercriminals or malicious applications bypass security mechanisms to reach restricted areas.
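The incident class above (a web page that returned employee records to anyone, so a search engine could crawl and index them, fixed by adding an authentication mechanism) is shown below as an added example; it is not Advantech's code and does not reproduce the actual page. The route, the employee records, the session store and the check function are all constructed for the example. Request handling is written as pure functions so the vulnerable and hardened behaviour can be compared directly, and the last function is the kind of regression check a strengthened development procedure would run before release.

```python
"""Added example (not Advantech's code): an internal directory endpoint before
and after adding authentication, plus the regression check for the fix.
All names, records, tokens and routes below are constructed."""
import json
from dataclasses import dataclass, field

# Constructed sample data: a directory of employees (the PII at stake).
EMPLOYEES = [
    {"name": "A. Example", "department": "IT", "email": "a.example@example.com"},
    {"name": "B. Example", "department": "MTD", "email": "b.example@example.com"},
]

# Constructed session store: session token -> authenticated username.
SESSIONS = {"tok-valid-1": "a.example"}


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def directory_vulnerable(req):
    """Before the fix: no authentication at all. A crawler that follows a link
    to this route receives the whole directory and indexes it."""
    if req.path != "/internal/directory":
        return Response(404, {}, "")
    return Response(200, {"Content-Type": "application/json"},
                    json.dumps(EMPLOYEES))


def current_user(req):
    """Resolve the session cookie to a user, or None if absent or invalid."""
    return SESSIONS.get(req.cookies.get("session"))


def directory_hardened(req):
    """After the fix: authenticate before returning personal data, and tell
    crawlers not to index the page even if they reach it."""
    if req.path != "/internal/directory":
        return Response(404, {}, "")
    headers = {
        "Content-Type": "application/json",
        "X-Robots-Tag": "noindex, nofollow",  # second line of defence against indexing
        "Cache-Control": "no-store",          # keep PII out of shared caches
    }
    if current_user(req) is None:
        # Error body carries no PII; redirecting to a login page would also do.
        return Response(401, headers, json.dumps({"error": "authentication required"}))
    return Response(200, headers, json.dumps(EMPLOYEES))


def leaks_pii_to_anonymous(handler):
    """Release check: an anonymous request to the route must never return a
    record containing an e-mail address. True means the handler leaks."""
    resp = handler(Request("/internal/directory"))
    return resp.status == 200 and "@" in resp.body


if __name__ == "__main__":
    for name, handler in [("vulnerable", directory_vulnerable),
                          ("hardened", directory_hardened)]:
        print(f"{name}: leaks to anonymous = {leaks_pii_to_anonymous(handler)}")
```

The authentication check is the fix the table describes; the `X-Robots-Tag` and `Cache-Control` headers are added here as defence in depth, since the harm in this incident came from the page being indexed and therefore discoverable, not only from it being reachable.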

Protection of Customer's Privacy Right

To allow everyone to use Advantech's various services with peace of mind, Advantech has formulated a privacy protection policy that complies with the Personal Data Protection Act and the General Data Protection Regulation (GDPR). It explains how personal data is collected and used, and protects the related rights and interests. In 2022, PwC Taiwan was engaged to conduct a personal data protection compliance assessment, after which a personal data protection team was formally established; it is expected to establish more detailed internal procedural rules for personal data protection.

Structure of Personal Data Protection Team


Advantech's privacy policy covers, but is not limited to, employees, customers, suppliers, and any third parties who use other services on the website. Please click on the link to view the related policy.