Information Security



Wistron is committed to promoting digital transformation and has introduced comprehensive information security management mechanisms to ensure the accuracy and availability of information processing and the security of the related IT systems, equipment, and networks. The Company also regularly conducts internal information security drills and training to raise employees' awareness and vigilance, and it safeguards the information security of customer and product data.



ISO 20000

IT Service Management System

In February 2018, Wistron obtained certification to the international IT service management standard ISO/IEC 20000-1:2011. The Company pursues excellent IT service management and internationally recognized IT management standards to ensure that its Information Technology Infrastructure Library (ITIL) based operations meet the required standards. Wistron completed certification to the updated ISO/IEC 20000-1:2018 in January 2021 and continues to optimize its IT service management system and related procedures to strengthen data governance. The current certificate is valid until February 22, 2024.

ISO/IEC 20000 changes how internal and outsourced IT services are delivered and managed. The benefits are as follows:

  • Meet best-practice standards for international IT management
  • Align IT services with the fulfillment of company goals
  • Integrate personnel, processes, and technologies in support of company goals
  • Use control measures for evaluation and to maintain consistent service quality
  • Compatibility between ISO/IEC 20000 and ITIL supports continuous improvement

ISO 27001

Information Security Management System

Wistron obtained certification to the international information security management system standard ISO/IEC 27001:2013 in August 2017 and implements the Plan-Do-Check-Act (PDCA) cycle as the standard requires. The Company conducts at least one internal self-audit and one audit by an impartial third party every year. To ensure the continued effectiveness of its ISO 27001 management mechanisms, the Company undergoes recertification every three years to maintain the validity of the ISO 27001 certificate. The current certificate is valid until August 22, 2023.

  • For the critical infrastructure and the important information systems required for continuous operations, Wistron's headquarters (Neihu and Xizhi office areas), Hsinchu plant and all overseas manufacturing plants have successively obtained ISO/IEC 27001:2013 certification. In 2022, all manufacturing plants were certified to ISO/IEC 27001:2013, a coverage rate of 100%.
  • In 2022, no material cybersecurity incidents occurred, and no complaints were received regarding breaches of customer privacy or loss of customer information.



Information Security Policy and Organization

Wistron implements the requirements of the ISO 27001 Information Security Management System and focuses on processes and systems, legal compliance, employee training, and the use of technology to strengthen the security and protection of data, information systems, equipment, and network communication. These measures effectively reduce the risk of theft, inappropriate use, leakage, alteration, or damage of IT assets as a result of human error, sabotage, or natural disasters. They help us uphold our commitment to shareholders and customers and ensure the continuous operation of the Company.

Wistron established the Information Security Committee to supervise the Company's information security management system, technical standards, and maintenance operations. The President & CEO, the Executive Vice President & Chief Infrastructure Officer, the Chief Digital Officer and the Chief Information Security Officer serve as co-chairpersons and are responsible for fulfilling the Company's commitment to information security. The Vice President of IT serves as the management representative. The Information Security Governance Office was established, and a supervisor is appointed as executive secretary to coordinate information security matters. The Company established the "Information Security Policy" to protect the IT assets of employees, customers, suppliers, and operations, ensuring sustainable corporate management.



Information Security Policy

To protect the information of Wistron Co., Ltd. (hereinafter "the Company") products and services, avoid unauthorized access, modification, use and disclosure as well as losses caused by natural disasters, and provide complete and available information in a timely manner, the Company is committed to information security management that ensures the confidentiality, integrity and availability of the Company's important information assets and complies with relevant laws and regulations, thereby gaining the trust of customers, meeting commitments to shareholders, and ensuring the continuity of the Company's important business operations.



Information Security Committee Structure

The Information Security Committee convenes once per quarter. Extraordinary meetings may be convened when necessary, and members of the teams must attend. The agenda includes information security incident reports, each team's report on the implementation of its affairs, issues that require cooperation between different units, other related suggestions, and extemporaneous motions.



Information Security Protection Strategy

Wistron uses the Cybersecurity Framework (CSF) published by the National Institute of Standards and Technology (NIST). We evaluate overall information security maturity and plan development blueprints for information security. We prioritize each matter, allocate resources accordingly, and continuously implement improvement plans. The framework defines five core functions: Identify, Protect, Detect, Respond, and Recover. Together they cover management measures for every stage of an attack against the Company: before an incident (Identify and Protect), during an incident (Detect), and after an incident (Respond and Recover). In 2022, the scope of information security protection extends to cloud security (public and private clouds) and smart manufacturing technology (operational technology, OT), and related information security standards (e.g. IEC 62443) are introduced to strengthen overall protection of industrial control environments.

Information Security Operation Measures:

  • Identify the stakeholder groups associated with the information security management system and regularly verify their needs for it (including customers' information security requirements).
  • Execute social engineering drills and information security training for employees to raise information security awareness.
  • Establish comprehensive, clear operating procedures to institutionalize the operation of the information security management system.
  • Perform regular risk assessments to identify high-risk items and invest appropriate resources to reduce or transfer the risks.
  • Use tools and technologies to achieve timely and effective identification, protection, detection, response, and recovery.
  • Establish response and recovery procedures for information security anomalies, aiming at rapid isolation of incidents, elimination of threats, and reduction of the scope and extent of impact.
  • Perform regular disaster recovery exercises for key applications to ensure their effectiveness.
  • Perform internal and external audits every year to review the entire management system and ensure normal operation and continuous improvement.
  • Continuously follow new information security developments and technologies and update defensive or management practices to block new forms of threats and reduce operational risk.



Information Security Measures and Execution Results

Information Security Management and Audit Mechanisms

In order to protect the Company's intellectual property (including confidential information) and confidential customer information, Wistron has conducted multiple self-evaluations and external third-party audits every year since 2017. The self-evaluations use the NIST CSF and ISO/IEC 27001:2013 standards; the external third-party audits use ISO/IEC 27001:2013 and customers' information security requirements. These audit operations ensure that the Company implements its information security regulations and maintains the validity of its ISO/IEC 27001 certification. In 2022, Wistron also strengthened its internal control mechanism to ensure the effective implementation and continuous improvement of cybersecurity measures in each plant. Self-examination by the maintenance and operation units, audits by the cybersecurity management office, and audits by the Audit Office form the three lines of cybersecurity defense.
Wistron continues to strengthen its Third Party Risk Management (TPRM) program. Suppliers are classified and graded throughout the supplier management life cycle from the perspectives of security, risk and privacy: the procurement phase (grade assessment, risk score assessment, contracts), ongoing cooperation (risk score assessment and remediation), and finally termination of cooperation.
In 2022, a total of 224 suppliers were assessed. Suppliers are graded on factors such as the importance of the services they provide and whether they have direct access to confidential information. There were 11 tier-1 suppliers and 13 tier-2 suppliers; the rest were tier-3. Wistron also requires tier-1 and tier-2 suppliers to meet the Wistron Cybersecurity Assessment Level defined by its cybersecurity guidelines.



Strengthen information security awareness among employees

To instill information security concepts in its employees, the Company provides e-Learning resources and runs social engineering exercises every six months, consisting of phishing email simulations, reviews of employee information security awareness, and information security education and training. In addition, the Company publishes a cybersecurity e-newsletter every month to enhance employees' awareness and vigilance; its content covers the latest cybersecurity trends and recent major cybersecurity events at home and abroad. If an employee violates the Information Security Policy, the Company imposes penalties in accordance with the "Implementation Guidelines for Employee Rewards and Penalties" and includes the results in performance management, in order to reduce information security risks and the impact on the Company's operations.

The phishing email click rates for the social engineering drills conducted on all company employees in the last 4 years are as follows:

Measure: Execute social engineering drills every six months
Goal: social engineering drill email click rate among employees < 15%

Year   H1      H2
2019   14.5%   12.9%
2020   10.6%   10.5%
2021   10.8%   10.7%
2022    9.3%   10.2%
  • Since 2021, a cybersecurity professional talent cultivation plan has been in place. A manpower inventory distinguishes four roles: cybersecurity governance, cybersecurity engineering, cybersecurity analysis, and software development security. Five levels of competency standards have been established and capability assessments are conducted every year, from which the training and upgrading program is developed. In 2022, a total of 115 people joined the cybersecurity talent training program to keep the capabilities of cybersecurity staff current.
  • The training conducted for general employees through online or in-person lessons in 2022 mainly consisted of information security awareness training, information security lessons, and phishing email awareness and prevention. The Company completed 21,906 hours of employee information security training for 42,652 participants. There were 784 penalty records for violating cybersecurity regulations.
  • In 2022, 228 cybersecurity personnel completed 1,005.5 hours of information security seminars and training. The courses mainly consisted of the annual Wistron information security seminar, ISO 27001 information security management system lead auditor training, the EC-Council CEH (Certified Ethical Hacker) certification course, the Trend Micro Certified Security Expert (TCSE) certification course, the CISA (Certified Information Systems Auditor) certification workshop, the CISSP (Certified Information Systems Security Professional) certification course, the CISM (Certified Information Security Manager) certification course, the CCSP (Certified Cloud Security Professional) certification course, and information security update and technology seminars organized by Gartner, Microsoft, and information security suppliers.



Vulnerability detection for networks and systems

Apart from monthly internal vulnerability scans, Wistron engages a professional third-party organization to conduct network and system penetration tests each year to protect corporate and personal information and prevent losses caused by leaks, theft, destruction, other human factors, or natural disasters. The purpose of the tests is to understand and evaluate the security status of the organization's network environment and systems, verify the current level and effectiveness of information security protection, resolve the vulnerabilities found, improve operations, and strengthen system security.

In 2021, the head office introduced red team assessments. External information security teams simulated attacks on the Company and attempted to achieve specified objectives without affecting the Company's operations. The Company's services were comprehensively reviewed, and its network was examined for vulnerabilities and human errors in deployment. The assessment also checked whether the identification, protection, detection, and response mechanisms of the information security maintenance and response team were functioning smoothly.

In 2022, Wistron's average information security rating from third-party evaluations was 92.27, above the average for international manufacturers (a different assessment tool was used from November 2022).

Third-party security rating (2022)
Wistron's average score: 92.27
Average score of manufacturers: 85.09



Software Development Security

Wistron has introduced a DevSecOps (Development, Security and Operations) mechanism that strengthens collaboration among the development team, the maintenance and operation team, and the cybersecurity team. The aims are to control security early in the software development life cycle (SDLC) and to shift security left, reducing the cost of maintaining and operating cybersecurity in application systems. Software Composition Analysis (SCA) has also been added to the development process to improve the security quality of the software by identifying the open source and third-party components it depends on and their known vulnerabilities.
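As an added illustration of the SCA gate such a pipeline needs (example code written for this page, not Wistron's tooling), the following Python script parses a pinned requirements file, matches each component against an advisory list with affected-version ranges, and blocks the build when a finding meets the chosen severity. The package names, versions and advisory identifiers are constructed for the example; a real gate would load them from a vulnerability database such as OSV or the NVD.

```python
"""Minimal software-composition-analysis (SCA) gate for a CI pipeline.

Added example, not Wistron's tooling. It parses a pinned Python
requirements file, matches each component against an advisory list
with affected-version ranges, and fails the build on any finding at or
above a chosen severity. Package names, versions and advisory IDs
below are constructed for illustration only.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier, not a real CVE
    package: str
    introduced: tuple  # first affected version (inclusive)
    fixed: tuple       # first fixed version (exclusive); None = no fix yet
    severity: str      # "LOW" | "MEDIUM" | "HIGH" | "CRITICAL"


SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Constructed advisory feed standing in for a real vulnerability database.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "examplelib", (1, 0, 0), (1, 4, 2), "HIGH"),
    Advisory("ADV-EXAMPLE-0002", "samplehttp", (2, 0, 0), None, "MEDIUM"),
    Advisory("ADV-EXAMPLE-0003", "toolkit", (0, 9, 0), (1, 0, 0), "CRITICAL"),
]

# Only exact pins are accepted: an SCA gate cannot match a range to an advisory.
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


def parse_version(text):
    """'1.4.2' -> (1, 4, 2). A segment with a non-numeric suffix such as
    '2rc1' contributes its leading digits, so pre-releases still compare."""
    parts = []
    for seg in text.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def parse_requirements(text):
    """Parse 'name==version' lines into {normalized_name: version_tuple};
    comments and blank lines are ignored, unpinned lines are rejected."""
    components = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        name = m.group(1).lower().replace("_", "-")
        components[name] = parse_version(m.group(2))
    return components


def is_affected(version, adv):
    """Affected iff introduced <= version < fixed (or no fix exists)."""
    if version < adv.introduced:
        return False
    return adv.fixed is None or version < adv.fixed


def scan(components, advisories=ADVISORIES):
    """Return (advisory_id, package, version, severity) for every match."""
    findings = []
    for adv in advisories:
        ver = components.get(adv.package)
        if ver is not None and is_affected(ver, adv):
            findings.append((adv.advisory_id, adv.package, ver, adv.severity))
    return findings


def gate(requirements_text, fail_on="HIGH"):
    """Return (passed, findings); passed is False if any finding has
    severity >= fail_on."""
    findings = scan(parse_requirements(requirements_text))
    threshold = SEVERITY_RANK[fail_on]
    passed = all(SEVERITY_RANK[sev] < threshold for _, _, _, sev in findings)
    return passed, findings


# Constructed lockfile content for demonstration.
SAMPLE_REQUIREMENTS = """\
# pinned application dependencies (constructed sample)
examplelib==1.3.0
samplehttp==2.5.1
toolkit==1.0.0
"""

if __name__ == "__main__":
    ok, found = gate(SAMPLE_REQUIREMENTS)
    for advisory_id, pkg, ver, sev in found:
        print(f"{sev:8} {advisory_id} {pkg}=={'.'.join(map(str, ver))}")
    print("build", "PASSED" if ok else "BLOCKED")
```

Two details matter in practice: the gate rejects unpinned requirements, because a range such as `>=1.0` cannot be matched to an advisory reliably, and the fixed-version boundary is exclusive, so `toolkit==1.0.0` is correctly reported as not affected by an advisory fixed in 1.0.0.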



Information security alerts and incident management

Information security incident management regulations institutionalize and systematize the reporting, sorting, classification, handling, recording, and tracking of information security incidents. When an incident occurs, Wistron can report and handle it quickly and respond in the shortest possible time to maintain normal operations. Wistron has introduced Advanced Persistent Threat (APT) monitoring and Security Operation Center (SOC) operations.

Together with external information security experts, the information security operations and response teams can quickly grasp information security alerts and incidents, strengthening and accelerating the detection and response mechanisms.



Disaster recovery drills

To ensure the continuity of operations and important business, Wistron conducts at least one test or written (tabletop) drill every six months on its information business continuity plan or cybersecurity incident emergency response plan, to prevent loss of important information system services during major disasters. We aim to use our disaster response capabilities and disaster recovery mechanisms to restore operations to normal or acceptable levels quickly at key moments, keep key applications and systems running, and prevent interruption of the Company's operations. Furthermore, the IT center's backup management personnel conduct recovery testing on selected backup storage media or recovery equipment at least once a year to confirm the readability of the backup data, the usability of the storage media, and the recoverability of important assets. The aim is effective backup and recovery procedures that can be completed within the allocated time.
In 2022, the global IT center also selected 30 backup storage media for the systems and databases of 7 key functions, and recovery testing of the backup data was completed successfully. The annual global computer center disaster recovery drill achieved a recovery point of 0.9 hours (Recovery Point Objective, RPO: the maximum tolerable data loss window during a disaster) and a recovery time of 18.83 hours (Recovery Time Objective, RTO: the maximum tolerable time to restore information services after a disaster). The results of the drills in the last 4 years have met the Company's targets. The detailed statistics can be found in the table below.

Strategy: Disaster recovery simulations are conducted for key applications and systems every year to ensure continued operations and the uninterrupted provision of Company services.
Goal: RPO of SC2 services <= 4 hours; RTO of SC2 services <= 24 hours

Year   RPO (hours)   RTO (hours)
2019   0.9           19.95
2020   0.5           21.0
2021   0.8           22.0
2022   0.9           18.83

  • RPO: Recovery Point Objective (the maximum tolerable data loss window during a disaster)
  • RTO: Recovery Time Objective (the maximum tolerable information service recovery time after a disaster occurs)
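The RPO and RTO figures in the table are worst-case values across the systems in a drill. The following Python, an added example rather than Wistron's drill tooling, shows how they are derived: each system's data-loss window is the time from its last good backup to the simulated outage, its restoration time is the time from the outage to service restoration, and the drill passes only if the worst case of each meets the SC2 targets. The drill log, system names and timestamps are constructed, chosen so that the aggregate matches the 2022 row.

```python
"""Evaluate a disaster-recovery drill against RPO/RTO targets.

Added example, not Wistron's drill tooling. Each record is one key
system in the drill: when its last good backup completed, when the
simulated outage began, and when service was restored. RPO achieved
is the data-loss window (outage start minus last backup); RTO achieved
is the restoration time (service restored minus outage start). The
drill result is the worst case across systems, checked against the
targets. System names and timestamps below are constructed.
"""
from datetime import datetime, timedelta

# Targets from the page: SC2 services RPO <= 4 h, RTO <= 24 h.
RPO_TARGET = timedelta(hours=4)
RTO_TARGET = timedelta(hours=24)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed drill log: (system, last good backup, outage start, restored)
DRILL_LOG = [
    ("erp-db",    "2022-10-15 07:30", "2022-10-15 08:00", "2022-10-16 02:50"),
    ("mes-app",   "2022-10-15 07:06", "2022-10-15 08:00", "2022-10-15 20:15"),
    ("plm-files", "2022-10-15 07:45", "2022-10-15 08:00", "2022-10-15 23:40"),
]


def evaluate_system(last_backup, outage_start, restored):
    """Return (rpo_achieved, rto_achieved) as timedeltas. Records whose
    ordering is impossible are rejected so a typo cannot mask a miss."""
    b, o, r = _ts(last_backup), _ts(outage_start), _ts(restored)
    if not (b <= o <= r):
        raise ValueError("timestamps must satisfy backup <= outage <= restored")
    return o - b, r - o


def evaluate_drill(log, rpo_target=RPO_TARGET, rto_target=RTO_TARGET):
    """Worst-case RPO/RTO across all systems; the drill passes only if
    every system meets both targets. Hours are rounded to two decimals."""
    per_system = {}
    for name, backup, outage, restored in log:
        per_system[name] = evaluate_system(backup, outage, restored)
    worst_rpo = max(v[0] for v in per_system.values())
    worst_rto = max(v[1] for v in per_system.values())
    return {
        "rpo_hours": round(worst_rpo.total_seconds() / 3600, 2),
        "rto_hours": round(worst_rto.total_seconds() / 3600, 2),
        "passed": worst_rpo <= rpo_target and worst_rto <= rto_target,
        "misses": [n for n, (p, t) in per_system.items()
                   if p > rpo_target or t > rto_target],
    }


if __name__ == "__main__":
    result = evaluate_drill(DRILL_LOG)
    print(f"RPO={result['rpo_hours']} h  RTO={result['rto_hours']} h  "
          f"{'PASS' if result['passed'] else 'FAIL'}  misses={result['misses']}")
```

Reporting the worst case rather than the average is the conservative choice: a drill in which one key system misses its target has not demonstrated that the recovery objectives hold, even if the average looks comfortable.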

In addition to the disaster recovery drills for information systems, Wistron also organizes cybersecurity incident response drills every year. Members of the cybersecurity committee are invited to take part in simulated cybersecurity events. These scenario drills verify that the Company has sufficient cybersecurity protection and control mechanisms, emergency notification, and emergency response capabilities in the event of hacker attacks, thereby enhancing overall cybersecurity resilience.



Purchased information security insurance to mitigate information security risks

From 2021, Wistron has purchased global information security insurance policies as a group. Apart from transferring part of the risk, we also aim to obtain the help and resources of external information security experts through the international insurance market, including preventative services that strengthen existing information security measures, in order to respond to growing information security threats and achieve the goals of sustainable corporate management.



Information security incidents in the most recent 4 years

No major information security incidents occurred from 2019 to 2022. Because no confidential information leak affected the personal information of customers or employees, no fines were issued.

Metric (per year)                                                        2019  2020  2021  2022
Information security or network security violations (number of cases)    0     0     0     0
Data leak incidents (number of cases)                                    0     0     0     0
Information security violations involving customer information (number)  0     0     0     0
Customers and employees affected by data leaks (number of people)        0     0     0     0
Fines for information security or network security incidents (NTD)       0     0     0     0