Information Security Management

Everlight Chemical recognizes information security as a crucial issue for sustainable corporate development. We established the “Information Security and Personal Data Management Committee” in 2016, and appointed a Chief Information Security Officer in 2023, responsible for guarding against external threats and internal management lapses.

Information Security Committee Organization

  • Responsible Units

    The “Information Security and Personal Data Management Committee” is chaired by the General Manager, with the head of the IT department serving as the executive secretary. Key managers from various departments are appointed as information security representatives, convening regularly for information security review meetings.

Specific Practices

In July 2019, the Information Security and Personal Data Management Committee decided to introduce external consultancy resources. In December of the same year, the “Information Security Management System Implementation and Verification Project” was launched; it successfully passed the ISO 27001 Information Security Management System certification in 2021.

External Threat Prevention Measures

  • Regular conduct vulnerability scanning, system updates, and social engineering attack drills to reduce hacker intrusions.
  • Use a firewalls to filter malicious websites and programs.
  • Use email filtering software to filter out email viruses and spam.
  • Update antivirus software to prevent infection from various viruses.
  • Conduct audits on software and hardware suppliers and sign a “Non-disclosure Agreement” with outsourcing vendor personnel.
  • Join the “Taiwan CERT/CSIRT Alliance” for sharing cybersecurity intelligence and coordinating responses to cybersecurity incidents.

Internal Management Tasks

  • Strengthen network security awareness and training.
  • Implement encryption systems for securing confidential documents to prevent data leakage.
  • Regular back up critical servers and sign contracts for backup services, along with annual disaster recovery drills.
  • Regular review privileged and general accounts to manage account control.
  • Set up system development and testing environments to minimize human errors.
  • External personnel must apply for access to internal network resources (WiFi).
  • Collect system logs to prevent unauthorized system access.
  • USB flash drives must be registered before they can be used on company computers.

Performance Outcomes in 2023

There were no information security incidents that affected the Company’s operations.

  • The “Information Security and Personal Data Management Committee” regularly holds meetings, and the head of the IT department reports the results of information security implementation to the board of directors annually. The most recent report was made on November 9, 2023.
  • The Company continued to maintain ISO 27001 information security management system certification in 2023.

Information Security and Personal Data Incident Reporting Process

According to the operational principles for handling information security and personal data incidents. If a major information security incident occurs, the Company will promptly follow the established procedures to address the incident and minimize the impacts.

1

Inform

  • Description
    – System automatic monitoring notification
    – Customer notification of abnormal events
    – Personnel inspection findings
    – Others

  • Based on Standards
    – Information Security and Personal Data Incident Management Procedures

  • Responsible person
    – Colleagues

2

Initial judgment of the problem

  • Description
    – Make preliminary judgments on abnormal problems
    – Notify the business leader

  • Based on Standards
    – Information Security and Personal Data Incident Management Procedures

  • Responsible person
    – Business Leader

3

Problem analysis

  • Description
    – Report the causes of incidents for information security and personal data
    – Determine the type, the level and the impact of the incidents for information security and personal data
    – Determine the time required to handle the incidents and whether to report it externally

  • Based on Standards
    – Information Security and Personal Information Incident Management Procedures
    – Business Continuity Plan

  • Responsible person
    – Business Leader
    – Risk Management and Assessment Team

4

Obstacle removal operations

  • Description
    – Start up obstacle removal operations
    – During system check, notification will be stopped if the system repairs itself
    – Exclusions can be made directly and cases can be closed according to the SOP
    – Initiate the business continuity plan
    – Assess whether external support is needed
    – Report the incidents of information security and personal data
    – Designate personnel to coordinate external response to incidents

  • Based on Standards
    – Information Security and Personal Information Incident Management Procedures
    – Business Continuity Plan

  • Responsible Person
    – Business Leader
    – Risk Management and Assessment Team

5

Service recovery operations

  • Description
    – Describe the status of obstacle removal operations
    – Consolidate the incidents of information security and personal data into reports
    – Carry out correction and improvement procedures, and deal with the incidents in the order of “correction-recovery-review” according to the affected area

  • Based on Standards
    – Information Security and Personal Data Incident Management Procedures

  • Responsible Person
    – Business Leader
    – Risk Management and Assessment Team

6

Close the case

  • Based on Standards
    – Information Security and Personal Data Incident Management Procedures

  • Responsible Person
    – Business Leader
    – Risk Management and Assessment Team