Information Security
Wistron is committed to promoting digital transformation and has introduced comprehensive information security management mechanisms to ensure the accuracy and availability of information processing and the security of related IT systems, equipment, and networks. The Company also regularly implements internal exercises and training for information security to increase employees' information security awareness and vigilance while ensuring customer and product information security.
ISO 20000
IT Service Management System
In February 2018, Wistron obtained the information service management system international standard ISO/IEC 20000-1:2011 certification. The Company seeks excellent IT service management and internationally recognized IT management standards to ensure that our information technology infrastructure library (ITIL) operations meet the required standards. Wistron completed the certification for the updated ISO 20000-1:2018 in January 2021 and continues to optimize the IT service management system and related procedures to strengthen data governance. The current certificate is valid until February 22, 2027.
ISO/IEC 20000 changes the method for implementing internal IT services or outsourcing IT services. The benefits are as follows:
- Meet best-practice standards for international IT management
- IT services support the fulfillment of company goals
- Integrate personnel, processes, and technologies to support company goals
- Use control measures for evaluation and to maintain consistent service quality
- Compatibility between ISO/IEC 20000 and Information Technology Infrastructure Library (ITIL) supports continuous improvement
ISO 27001
Information Security Management System
Wistron obtained the information security management system international standard ISO/IEC 27001:2013 certification in August 2017 and implemented the “Plan-Do-Check-Act” (PDCA) cycle according to the standards. The Company conducts at least one internal self-audit and one audit by an impartial third party every year. To ensure the Company's implementation of ISO 27001 management mechanisms, the Company executes re-certifications every three years to maintain the validity of the ISO 27001 certification. The current certificate is valid until October 31, 2025.
- Regarding the critical infrastructure and the important information systems required for continuous operations, Wistron's headquarters (Neihu and Xizhi office areas), Hsinchu plant and all overseas manufacturing plants have successively obtained ISO/IEC 27001:2013 verification. In 2022, all manufacturing plants achieved verification to ISO/IEC 27001:2013, the international standard for information security management, for a coverage rate of 100%.
- In 2023, there were no significant cybersecurity incidents reported, and no complaints were received regarding breaches of customer privacy or loss of customer data.
Information Security Policy and Organization
Wistron seeks to implement the requirements of the ISO 27001 Information Security Management System and focuses on the process and system, legal compliance, employee training, and use of technologies to strengthen the security and protection of data, information systems, equipment, and network communication. These measures effectively reduce the risks of theft, inappropriate use, leak, alteration, or damage of IT assets as a result of human error, sabotage, or natural disasters. They help us uphold our commitment to shareholders and customers and ensure the continuous operations of the Company.
Wistron established the Information Security Committee to supervise the Company's information security management system, technical standards, and maintenance operations. The President & CEO, Executive Vice President & Chief Infrastructure Officer, Chief Digital Officer and Chief Information Security Officer act as Co-chairpersons and are responsible for fulfilling the Company's commitment to information security. The Vice President of IT acts as the management representative. The Information Security Governance Office was established and a supervisor is appointed as the executive secretary to organize information security matters. The Company established the "Information Security Policy" to protect the IT asset security of employees, customers, suppliers, and operations, ensuring corporate sustainable management.
Information Security Policy
In order to protect the information of Wistron Co., Ltd. (hereinafter referred to as The Company) products and services, avoid unauthorized access, modification, use and disclosure, as well as losses caused by natural disasters, and provide complete and available information in a timely manner, the Company is committed to information security management to ensure the confidentiality, integrity and availability of the Company's important information property, and to comply with the requirements of relevant laws and regulations, thereby gaining the trust of customers, meeting the commitments to shareholders, and ensuring the continuous operation of the Company's important business.
Information Security Committee Structure
The Information Security Committee convenes once per quarter. Extraordinary meetings may be convened when necessary and members of the teams must attend. The agenda of the meeting includes information security incident reports, the report of each team on the implementation of the team’s affairs, issues that require the cooperation of different units, other related suggestions, or extemporary motions. A total of four meetings were held in 2023 and management representatives reported the information security implementation status to the Board in December.
Information Security Protection Strategy
For information security management, Wistron has gradually established a comprehensive network and defense in depth computer cybersecurity measures across personnel, process, and technology in response to changing environments, internally and externally. A dedicated cybersecurity organization was established to coordinate the formulation and the implementation of cybersecurity policies and related risk management. The internal cybersecurity measures have been continuously strengthened, and we have also joined cybersecurity information sharing organizations to obtain information on cybersecurity early warning and cybersecurity threats and weaknesses in addition to IT cybersecurity, operational technology cybersecurity, and cloud cybersecurity. Such organizations include High-Tech Cybersecurity Alliance, Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC). Meanwhile, we leverage external information security vendors and expert resources to ensure we are consistently updated on the latest cybersecurity information, technologies and trends. Our cybersecurity defense and management keep pace with changing times to improve our rapid response capabilities accordingly and ensure we can effectively block new types of cybersecurity threats. This can thus ensure resilient information services and reduced influence or impact on operations.
Wistron utilizes the Cybersecurity Framework (CSF) stipulated by the National Institute of Standards and Technology (NIST). We evaluate the overall information security maturity and plan development blueprints for information security. We decide the priority of each matter and allocate resources accordingly while making rolling adjustments to continuously strengthen and improve our systems. The framework provides the 5 key functions of identify, protect, detect, respond, and recover. The functions include management measures for every stage of an attack against the Company, that is, pre-incident (identify and protect), during the incident (detect and respond), and post-incident (recover).
In the future, information security will be based on the Zero Trust Architecture (ZTA), which requires that every user, device, and application undergo identity authentication and obtain authorization before accessing network systems or assets. The scope of cybersecurity protection will be further extended to cloud cybersecurity (including public cloud and private cloud) and operational technology (OT) cybersecurity. We will also introduce related cybersecurity standards and assessment models, such as Cybersecurity Capability Maturity Model (C2M2), CSA Consensus Assessments Initiative Questionnaire (CSA CAIQ), and ISO/IEC 62443. In this way, our overall cloud cybersecurity and operational technology cybersecurity defense capabilities will be further strengthened in the future.
Information Security Operation Measures:
- Identify stakeholder groups associated with the information security management system and regularly verify the needs of stakeholder groups for the information security management system (including customers' demands for information security).
- Execute social engineering drills and information security training for employees to fully increase employees' information security awareness.
- Establish comprehensive and clear operating procedures to institutionalize the operations of the information security management system.
- Perform regular risk assessments to identify high risk items and invest appropriate resources to reduce or transfer risks.
- Use tools and technologies to achieve timely and effective identification, protection, detection, response, and recovery.
- Establish operating procedures for response and recovery in the event of information security anomalies with the aim of rapid isolation of information security incidents, elimination of threats, and reduction of the scope and extent of impact.
- Perform regular disaster recovery exercises for key applications to ensure their effectiveness.
- Perform internal and external audits each year to review the entire management system and ensure normal operation and continuous improvement.
- Continuously pay attention to new information security development and technologies and update defense or management practices to effectively block new forms of information security threats and reduce risks for operations.
Information Security Measures and Execution Results
Information Security Management and Audit Mechanisms
In order to protect the Company’s intellectual property (including confidential information) and confidential customer information, Wistron started to conduct multiple self-evaluations and external third-party audits every year since 2017. For self-evaluations, we comply with NIST CSF and ISO/IEC 27001: 2013 standards. For external third-party audits, we comply with ISO/IEC 27001: 2013 standards and the information security regulations of our customers. These information security audits ensure enforcement of information security regulations and maintain the validity of ISO/IEC 27001 verification.
Wistron continuously strengthens internal control mechanisms, including self-assessment by operational units, as well as the three lines of defense provided by the Information Security Governance Office and the Audit Office, ensuring all plants enforce and consistently seek to improve information security measures. In 2023, Wistron took home the Taiwan Corporate Sustainability Award (TCSA) Information Security Leadership Award, demonstrating Wistron’s exemplary role and leadership position in information security management across the industry.
In 2023, Wistron launched the Vendor Risk Management (VRM) Program. Under the program, we classify suppliers and assess our vendor management life cycle from the perspectives of security, risk and privacy. The life cycle covers the procurement phase (tier assessment, risk score assessment, contract), ongoing third-party risk management (risk score assessment and remediation), and the eventual offboarding. A total of 183 vendors were assessed, and vendors were classified – into three tiers – based on the importance of the services they provide, their relevance to customers and revenue, and their ability to directly access Wistron’s network environment and confidential information. Tier 1 and Tier 2 vendors with higher risk levels are required to comply with Wistron’s information security assessment standards based on individual information security guidelines. Our risk score assessment identified six vendors that comply with Wistron’s information security standards.
Strengthen information security awareness among employees
To instill the concepts of information security in its employees, the Company provides e-Learning resources and executes social engineering exercises every six months to conduct phishing email simulations, reviews of employee information security awareness, and information security education and training. In addition, the Company publishes a cybersecurity e-newsletter every month to enhance our employees' awareness and vigilance of cybersecurity. The content includes the latest cybersecurity trends and recent major cybersecurity events at home and abroad. If an employee commits a violation of the Information Security Policy, the Company imposes penalties in accordance with the "Implementation Guidelines for Employee Rewards and Penalties" and includes the results as the basis for performance management to reduce information security risks and the impact on the Company's operations.
- The phishing email click rates for social engineering drills conducted in the last 4 years on all company employees are as follows:
| Measures | Goal | 2020 | 2021 | 2022 | 2023 |
| --- | --- | --- | --- | --- | --- |
| Execute social engineering drills every six months | The social engineering drill email click rate among employees was < 15% | H1: 10.6%, H2: 10.5% | H1: 10.8%, H2: 10.7% | H1: 9.3%, H2: 10.2% | H1: 7.4%, H2: 8.2% |
Since 2021, Wistron has implemented a Cybersecurity Professional Talent Cultivation Program (Technical Competency Model, TCM). This program involves human resource inventory to differentiate roles into cybersecurity governance, cybersecurity engineering, cybersecurity analysis, and software development security. Five levels of competency standards have been established, and annual capacity assessments are conducted, facilitating talent development and advancement plans. In 2023, a total of 95 individuals (including 28 dedicated information security personnel) participated in the Cybersecurity Talent Cultivation Program, ensuring that the skills of cybersecurity professionals remain up-to-date.
- To enhance the cybersecurity awareness of general employees, both online and in-person training sessions were conducted in 2023. These sessions primarily covered topics such as information security awareness training, information security lessons, and recognizing and preventing phishing emails. Throughout the year, a total of 40,296 employees completed 22,784 hours of information security training. Additionally, there were 46 recorded instances of disciplinary action for violations of information security regulations.
- In 2023, a total of 1,632 information security personnel participated in seminars and training sessions, accumulating 6,776 hours of training. The main training categories included six core professional courses for the information security team and five software development security courses for the software development team. The training curriculum covered various topics, including the annual Wistron information security seminar, ISO 27001 information security management system lead auditor training, EC-Council CEH (Certified Ethical Hacker) certification course, Trend Micro TCSE (Trend Certified Security Expert) certification course, as well as certifications such as CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), and CCSP (Certified Cloud Security Professional). Additionally, information security-related technology seminars organized by Gartner, Microsoft, and other information security suppliers were also included in the training program.
Vulnerability detection for networks and systems
Apart from monthly internal vulnerability scans, Wistron entrusts a third party professional organization to conduct network and system penetration tests each year to protect the corporate and personal information and prevent losses caused by leaks, theft, destruction, other human factors, or natural disasters. These tests reduce the impact of human factors or natural factors on the Company's operations. The purpose of the tests is to understand and evaluate the status of the organization network environment and system security and verify the current information security protection safety rating and effectiveness to resolve vulnerabilities, improve operations, and strengthen system security.
Since 2021, we introduced red team drills, where external information security teams simulated attacks on the Company and attempted to achieve specified goals without affecting the Company’s operations. The red team drills allow us to comprehensively review our services and networks for any vulnerabilities and human errors in deployment. Moreover, we checked the integrity of identification, protection, detection, and response mechanisms from our information security maintenance and response team.
Software Development Security
In order to control the security of the software development lifecycle (SDLC) and achieve "shift left" security, thereby reducing the operational costs associated with application security and maintenance, Wistron has adopted the DevSecOps (Development, Security, and Operations) mechanism. This approach enhances collaboration among the development, operations, and information security teams. Additionally, Wistron has adopted the DevSecOps Maturity Model (DSOMM) from the non-profit organization OWASP (Open Web Application Security Project) to assess the overall maturity of software development practices. This ensures that the software released meets predefined information security maturity standards. Furthermore, the incorporation of Software Composition Analysis (SCA) technology into the development workflow enhances the security quality of the software.
Information security alerts and incident management
Our information security incident management regulations institutionalize and systematize information security incident reporting, sorting, classification, handling, recording, and tracking. When an information security incident occurs, Wistron can quickly report and handle the situation. We are able to respond in the shortest possible time to ensure normal operations. Wistron has introduced Advanced Persistent Threat (APT) monitoring and Security Operation Center (SOC) operations. Together with the resources of external information security experts, the information security operations and response teams can quickly grasp the information security alerts and incidents, strengthening and accelerating detection and response mechanisms.
Disaster recovery drills
In order to ensure the sustainable execution of operations and important matters, Wistron conducts at least one test or written drill every six months on the information business operation continuity plan or the cybersecurity incident emergency response plan to prevent the loss of service of important information systems during major disasters. We aim to utilize our disaster response capabilities and disaster recovery mechanisms to quickly restore our operations to normal or acceptable levels during key moments, in order to maintain key applications and systems and prevent operation interruption of the Company. Furthermore, backup management personnel of the IT center conduct recovery testing for selected backup storage mediums or recovery equipment at least once a year, in order to confirm the readability of the backup data, the usability of the storage medium, and the possibility of important asset recovery. We aim to create effective backups and recovery procedures that can be completed within the allocated time.
The global IT center also chose 30 backup storage mediums for 7 key functions' systems and databases in 2023. Recovery testing was successfully completed for the backup data. The annual global computer center disaster recovery drills revealed that the maximum tolerable data loss time during disasters (Recovery Point Objective, RPO) is 1.0 hours. After a disaster occurs, the maximum tolerable information service recovery time (Recovery Time Objective, RTO) is 22.11 hours. The results of the drills in the last 4 years have met the Company's targets. Detailed statistics can be found in the table below:
| Strategy | Goal | 2020 | 2021 | 2022 | 2023 |
| --- | --- | --- | --- | --- | --- |
| Disaster recovery simulations are conducted for key applications and systems every year to ensure continued operations and the uninterrupted provision of Company services. | RPO of SC2 Services <= 4 hours; RTO of SC2 Services <= 24 hours | RPO = 0.5 hour; RTO = 21.0 hours | RPO = 0.8 hour; RTO = 22.0 hours | RPO = 0.9 hour; RTO = 18.83 hours | RPO = 1.0 hour; RTO = 22.11 hours |
- RPO: Recovery Point Objective (the maximum tolerable data loss time during disasters)
- RTO: Recovery Time Objective (the maximum tolerable information service recovery time after a disaster occurs)
Wistron also organizes cybersecurity incident response drills every year in addition to the disaster recovery drills for the information systems. Members of the cybersecurity committee are invited to simulate cybersecurity events. Situational drills are carried out to ensure that the Company has sufficient cybersecurity protection and control mechanisms, emergency notification, and emergency response capabilities in case of hacker attacks. The overall cybersecurity resilience is thereby enhanced.
Purchased information security insurance to mitigate information security risks
From 2021, Wistron purchased global information security insurance policies as a group. Apart from mitigating risks, we also hope to further receive the help and resources of external information security experts through the international insurance market. We provide preventative solutions to strengthen existing information security measures, in order to respond to growing information security threats and achieve the goals of corporate sustainable management.
Information security incidents in the most recent 4 years
No major information security incidents occurred between 2020 and 2023. Because no confidential information leaks affected the personal information of customers and employees, no fines were issued.

| Number of information security violations and fines/year | 2020 | 2021 | 2022 | 2023 |
| --- | --- | --- | --- | --- |
| Number of information security or network security violations | 0 | 0 | 0 | 0 |
| Data leak incidents (number of cases) | 0 | 0 | 0 | 0 |
| Number of information security violations that involve customer information | 0 | 0 | 0 | 0 |
| Number of customers and employees affected by the data leak (number of people) | 0 | 0 | 0 | 0 |
| Amount of fines for information security or network security related incidents (NTD) | 0 | 0 | 0 | 0 |