Information Security Risk Framework



  • i. Management framework of information security risk

  • ii. Management framework and management programs of information security risk
  • The Company has established an ISMS (Information Security Management System) to manage information security risk. Our internal risk management organization is laid out as follows: the management information system department, under the general administration office, is in charge of implementing information security management; the planning committee is led by the senior vice president of the general administration office and the chief of the management information system department, while the risk management organization is formed by the members implementing the information security program. An information security manager position is established under the planning committee and is filled by the manager in charge of information security management in the management information system department. The organization consists of an information security system implementation team, an information security technology implementation team, and an information security audit team. The information security system implementation team is in charge of establishing and maintaining the various information security management systems; the information security technology implementation team builds the information security systems, including network management and system management; and the information security audit team performs information security audits in coordination with the internal and external audit teams. The information security risk management unit is a subunit of Proprietary Information Security (PIS); the unit reports information security status and reviews information security policies at the semiannual PIS meetings.
  • Our information security policy is established in accordance with the ISMS certification standards. A risk management system is established for each information system and service. Risk assessment of information security and network risk is performed in accordance with the risk assessment process, and risk control is implemented according to the impact level and incidence rate of each risk. Corresponding management mechanisms are implemented on high-risk systems based on the assessment results, including the establishment of a highly reliable High Availability (HA) architecture; data backup of transaction records, differential backup, and full backup; and the establishment of offsite server facilities for backup to ensure business continuity. We also set up dedicated lines to send backup data to offsite storage and perform a system switchover semiannually to verify that the backup mechanism operates normally and meets the system restoration target.
  • The Company has also purchased information security insurance to cover all types of information security risks. Relevant procedures are established as a reference for employees when handling and addressing the impact of a major information security breach. We have made information security a focus of our awareness training: related courses and awareness training are held every year by PIS to raise employees' awareness of information security. Periodic audits of information security risk are performed to ensure the effective operation of our information security risk management mechanism.