Information Security Management

In order to strengthen the risk management of information security, we’ve established an information security executive team to conduct an information security risk management framework, formulated an information security policy and specific management plans, and every security policies have been reviewed regularly.

 

◎ Information security Risk Management Framework

- The information security enforcement team reviews information security management policies and related regulations regularly.

- All members of the unit are implemented in accordance with relevant regulations.

- Check servers and other equipment regularly during daily operations to discover problems immediately.

- Perform information security risk assessment and cooperate with the audit unit to ensure the integrity and effectiveness of the operation.

- In case of errors, loopholes and risks, immediate improvements are made to build a continuous improvement cycle for information security.

- The information security execution team reports implement status to the group general manager at least once a year.

 

◎ Information Security Policy

1. The Purpose

This policy is specially formulated in order to strengthen the risk management of information security and ensure the security of data, systems, equipment and networks.

 

2. Information security goals

Ensure the correctness, availability, integrity and confidentiality of the company's information security. Avoid the threat of internal and external cyber security incidents. In the event of an accident, it can also respond quickly and return to normal operation in the shortest time, reducing the damage caused by the accident.

 

3. Measurement of Information security
A. Establish an information security executive team to formulate information security policies and specific management plans.
B. Personal information should be classified in accordance with the Personal Data Protection Law.
C. Personal computers and servers need to set passwords, install anti-virus software, and update virus patterns regularly.
D. The relevant regulations on intellectual property rights should be observed, and private computer equipment should also be managed to ensure that all software installed is legally authorized.
E. Important data should be backed up and the validity of the backup data should be confirmed regularly.
F. Plan a Disaster Recovery Plan (DRP) to quickly restore system operation when an information security incident occurs.
G. Perform information security advocacy regularly to strengthen colleagues' awareness of information security and legal concepts.

 

4. Audit and revision

This policy is implemented after approval by the general manager of the group-company, and the same as revision.

 

◎ Information security specific management plan

NDB group considers that information security insurance is still a new type of insurance. The company's current information security risk management plan can effectively protect information security. Therefore, after evaluation by the information security executive team, it is not necessary to purchase information security insurance at this moment.

NDB group's specific information security management plan is distinguished by the time point of the information security incident, which can be divided into pre-prevention, daily operation maintenance, and trouble shooting. The specific management plan is as follows:

Category Description Content
Prevent External Invasion Install firewall and antivirus software

Set up a network firewall.

Install anti-virus software on the server and host computer.

The virus code of antivirus software is automatically updated.

Run anti-virus software scans every week.

Prevent data leakage Account and authority management

Personnel account review and management.

Regularly audit the system authority settings.

Daily operation maintenance Data backup and related inspection

Base on the nature of data to run data backup, heterogeneous backup and remote backup.

Perform data restoration tests regularly.

Perform server host inspection and system testing daily.

Regular computer inspections.

Information Security Incident Handling Disaster Recovery Plan (DRP)

Formulate a disaster recovery plan.

If there is no incident, the regular simulated training will be held.

Improvement action and result will be conducted after DRP.