Information Security
Wistron is committed to promoting digital transformation and has introduced comprehensive information security management mechanisms to ensure the accuracy and availability of information processing and the security of related IT systems, equipment, and networks. The Company also regularly conducts internal exercises and training on information security to increase employees' information security awareness and vigilance, and to ensure the information security of customers and products.
ISO 20000
IT Service Management System
In February 2018, Wistron obtained the ISO/IEC 20000-1:2011 international standard certification for IT service management systems. The Company pursues excellent IT service management and internationally recognized IT management standards to ensure that our Information Technology Infrastructure Library (ITIL) operations meet the required standards. Wistron completed certification for the updated ISO 20000-1:2018 in January 2021 and continues to optimize the IT service management system and related procedures to further strengthen data governance.
ISO/IEC 20000 changes the method for implementing internal IT services or outsourcing IT services. The benefits are as follows:
- Meet best-practice standards for international IT management
- IT services support the fulfillment of company goals
- Integrate personnel, processes, and technologies to support company goals
- Use control measures for evaluation and to maintain consistent service quality
- Compatibility between ISO/IEC 20000 and Information Technology Infrastructure Library (ITIL) supports continuous improvement
ISO 27001
Information Security Management System
Wistron obtained the information security management system international standard ISO/IEC 27001:2013 certification in August 2017 and implemented the “Plan-Do-Check-Act” (PDCA) cycle according to the standards. The Company conducts at least one internal self-audit and one audit by an impartial third party every year. To ensure the Company's implementation of ISO 27001 management mechanisms, the Company executes re-certifications every three years to maintain the validity of the ISO 27001 certification.
- To ensure that IT operations and IT systems are adequately protected, Wistron head offices (Neihu and Xizhi Offices), Hsinchu Plant, Zhongshan Plant, Kunshan Plant, Kunshan Opt Plant, Taizhou Plant and Chengdu Plant have been certified with ISO/IEC 27001 information security international management standards certification, with a coverage rate of 72.7%.
- The certification scope will be expanded to include other manufacturing plants around the world in 2022. The expected coverage will reach 100%.
- The Company has not received complaints regarding breach of customer privacy or loss of customer information in 2021.
Information Security Policy and Organization
Wistron seeks to implement the requirements of the ISO 27001 Information Security Management System and focuses on the process and system, legal compliance, employee training, and use of technologies to strengthen the security and protection of data, information systems, equipment, and network communication. These measures effectively reduce the risks of theft, inappropriate use, leak, alteration, or damage of IT assets as a result of human error, sabotage, or natural disasters. They help us uphold our commitment to shareholders and customers and ensure the continuous operations of the Company.
Wistron established the Information Security Committee to supervise the Company’s information security management system, technical standards, and maintenance operations. The President, Chief Digital Officer and Chief Information Security Officer act as Co-chairpersons and are responsible for fulfilling the Company's commitment to information security. The Vice President of IT acts as the management representative. The Information Security Governance Office was established and a supervisor is appointed as the executive secretary to organize information security matters. The Company established the "Information Security Policy" to protect the IT asset security of employees, customers, suppliers, and operations, ensuring corporate sustainable management.
Information Security Policy
In order to protect the information of Wistron Co., Ltd. (hereinafter referred to as "the Company") and its products and services, avoid unauthorized access, modification, use and disclosure as well as losses caused by natural disasters, and provide complete and available information in a timely manner, the Company is committed to information security management. It ensures the confidentiality, integrity and availability of the Company's important information assets and complies with the requirements of relevant laws and regulations, thereby gaining the trust of customers, meeting its commitments to shareholders, and ensuring the continuous operation of the Company's important business.
Information Security Committee Structure
The Information Security Committee convenes once per quarter. Extraordinary meetings may be convened when necessary, and members of the teams must attend. The agenda of each meeting includes information security incident reports, each team's report on the implementation of its affairs, issues that require the cooperation of different units, other related suggestions, and extemporaneous motions.
Information Security Protection Strategy
Wistron utilizes the Cybersecurity Framework (CSF) published by the National Institute of Standards and Technology (NIST). We evaluate the overall information security maturity and plan development blueprints for information security. We decide the priority of each matter and allocate resources accordingly, while continuously implementing improvement plans. The framework provides the 5 key functions of identification, protection, detection, response, and recovery. The functions include management measures for every stage of an attack against the Company, that is, pre-incident (identification and protection), during the incident (detection), and post-incident (response and recovery). In 2022, the scope of information security protection will be extended to cloud security (including public and private clouds) and smart manufacturing technology (OT, operational technology), and related information security standards (e.g. IEC 62443) will be introduced to strengthen overall information protection for industrial controls.
Information Security Operation Measures:
- Identify stakeholder groups associated with the information security management system and regularly verify the needs of stakeholder groups for the information security management system (including customers' demands for information security).
- Execute social engineering drills and information security training for employees to fully increase employees' information security awareness.
- Establish comprehensive and clear operating procedures to institutionalize the operations of the information security management system.
- Perform regular risk assessments to identify high risk items and invest appropriate resources to reduce or transfer risks.
- Use tools and technologies to achieve timely and effective identification, protection, detection, response, and recovery.
- Establish operating procedures for response and recovery in the event of information security anomalies with the aim of rapid isolation of information security incidents, elimination of threats, and reduction of the scope and extent of impact.
- Perform regular disaster recovery exercises for key applications to ensure their effectiveness.
- Perform internal and external audits every year to review the entire management system and ensure normal operation and continuous improvement.
- Continuously pay attention to new information security development and technologies and update defense or management practices to effectively block new forms of information security threats and reduce risks for operations.
Information Security Measures and Execution Results
Information Security Management and Audit Mechanisms
In order to protect the Company's intellectual property (including confidential information) and confidential customer information, Wistron has conducted multiple self-evaluations and external third-party audits every year since 2017. The self-evaluations use the NIST CSF and ISO/IEC 27001:2013 standards. The external third-party audits use the ISO/IEC 27001:2013 standard and the information security regulations of customers. These information security audit operations ensure the Company's implementation of information security regulations and continue to maintain the validity of the ISO/IEC 27001 certification.
- The information security audit team training program was conducted in 2021. All 18 members of the team successfully obtained ISO 27001: 2013 Lead Auditor certification.
- ISO/IEC 27001:2013 certification was planned for the Hsinchu Plant, Kunshan Plant, Kunshan Opt Plant, Taizhou Plant, and Chengdu Plant in 2021, and the certification was obtained in January 2022. Together with the three sites in the Neihu and Hsichih office areas and the Zhongshan Plant, whose certifications remain valid, the overall certification coverage reached 72.7%.
Strengthen information security awareness among employees
To instill the concepts of information security in its employees, the Company provides e-Learning resources and conducts social engineering exercises every six months. These exercises consist of phishing email simulations, reviews of employee information security awareness, and information security education and training, and they enhance the information security awareness and vigilance of each employee. If an employee violates the Information Security Policy, the Company imposes penalties in accordance with the "Implementation Guidelines for Employee Rewards and Penalties" and includes the results in performance management, in order to reduce information security risks and their impact on the Company's operations.
- The phishing email click rates for the social engineering drills conducted on all company employees in the last 3 years are as follows:

| Measures | Goal | 2019 Outcome | 2020 Outcome | 2021 Outcome |
| --- | --- | --- | --- | --- |
| Execute social engineering drills every six months | Social engineering drill email click rate among employees < 15% | H1: 14.5%; H2: 12.9% | H1: 10.6%; H2: 10.5% | H1: 10.8%; H2: 10.7% |
- The training conducted for general employees through online or in-person lessons in 2021 mainly consisted of information security awareness training, information security lessons, and phishing email awareness and prevention. The Company completed 20,314.42 hours of employee information security training for 75,219 participants.
- In 2021, 1,066.4 hours of information security related seminars and training were completed by 114 information security employees. The course content mainly consisted of the annual Wistron information security seminar, ISO 27001 information security management system lead auditor training, EC-Council Ethical Hacking and Countermeasures (CEH) certification course, Trend Micro Trend Certified Security Expert (TCSE) certification course, and information security updates and related technologies seminars organized by Gartner, Microsoft, and information security suppliers.
Vulnerability detection for networks and systems
Apart from monthly internal vulnerability scans, Wistron entrusts a professional third-party organization to conduct network and system penetration tests each year to protect corporate and personal information and prevent losses caused by leaks, theft, destruction, other human factors, or natural disasters. These tests reduce the impact of human or natural factors on the Company's operations. The purpose of the tests is to understand and evaluate the state of the organization's network environment and system security, and to verify the current information security protection rating and its effectiveness, so that vulnerabilities can be resolved, operations improved, and system security strengthened.
In 2021, the head offices introduced red team assessments. External information security teams simulated attacks on the Company and attempted to achieve specified goals without affecting the Company's operations. The Company's services were comprehensively reviewed, and the Company's network was examined for vulnerabilities and human errors in deployment. Moreover, we checked whether the identification, protection, detection, and response mechanisms of the information security maintenance and response team were functioning smoothly. In 2021, Wistron's average information security review score in third-party evaluations was 92.75, which was higher than the average for international manufacturers.
[Figure: Average score of manufacturers. Wistron's average score: 92.75; average score of manufacturers: 85.25]
Information security alerts and incident management
The information security incident management regulations ensure that the reporting, sorting, classification, handling, recording, and tracking of information security incidents are institutionalized and systematic. When an information security incident occurs, Wistron can quickly report and handle the situation and respond in the shortest possible time to ensure normal operations. Wistron has introduced Advanced Persistent Threat (APT) monitoring and Security Operation Center (SOC) operations.
Together with the resources of external information security experts, the information security operations and response teams can quickly grasp information security alerts and incidents, strengthening and accelerating detection and response mechanisms.
Disaster recovery drills
In order to ensure the sustainable execution of operations and important matters, Wistron conducts annual disaster recovery drills to prevent the loss of service of important information systems during major disasters. We aim to utilize our disaster response capabilities and disaster recovery mechanisms to quickly restore our operations to normal or acceptable levels at critical moments, in order to maintain key applications and systems and prevent interruption of the Company's operations. Furthermore, backup management personnel of the IT center conduct recovery testing on selected backup storage media or recovery equipment at least once a year, in order to confirm the readability of the backup data, the usability of the storage media, and the recoverability of important assets. We aim to maintain effective backup and recovery procedures that can be completed within the allocated time.
In 2021, the IT center also selected 25 backup storage media covering 6 major functions and systems, and recovery testing of the backup data was successfully completed. The results of the disaster recovery drills in 2021 showed that the maximum tolerable data loss time during disasters (RPO: Recovery Point Objective) is 0.8 hours, and the maximum tolerable information service recovery time after a disaster occurs (RTO: Recovery Time Objective) is 22 hours. The results of the drills in the last 3 years have met the Company's targets. The details can be found in the table below.
| Strategy | Goal | 2019 Outcome | 2020 Outcome | 2021 Outcome |
| --- | --- | --- | --- | --- |
| Disaster recovery simulations are conducted for key applications and systems every year to ensure continued operations and the uninterrupted provision of Company services. | RPO of SC2 services <= 4 hours; RTO of SC2 services <= 24 hours | RPO = 0.9 hour; RTO = 19.95 hours | RPO = 0.5 hour; RTO = 21.0 hours | RPO = 0.8 hour; RTO = 22.0 hours |

- RPO: Recovery Point Objective (the maximum tolerable data loss time during disasters)
- RTO: Recovery Time Objective (the maximum tolerable information service recovery time after a disaster occurs)
Purchased information security insurance to mitigate information security risks
In 2021, Wistron purchased global information security insurance policies at the group level. Apart from mitigating risks, we also hope to obtain the help and resources of external information security experts through the international insurance market. We provide preventive solutions to strengthen existing information security measures, in order to respond to growing information security threats and achieve the goals of corporate sustainable management.
Information security incidents in the most recent 4 years
No major information security incidents occurred between 2018 and 2021. Because no confidential information leaks affected the personal information of customers or employees, no fines were issued.

| Number of information security violations and fines per year | 2018 | 2019 | 2020 | 2021 |
| --- | --- | --- | --- | --- |
| Number of information security or network security violations | 0 | 0 | 0 | 0 |
| Data leak incidents (number of cases) | 0 | 0 | 0 | 0 |
| Number of information security violations that involve customer information | 0 | 0 | 0 | 0 |
| Number of customers and employees affected by data leaks (number of people) | 0 | 0 | 0 | 0 |
| Amount of fines for information security or network security related incidents (NTD) | 0 | 0 | 0 | 0 |