Information Security Policy
Information security and confidential information protection are commitments of Phoenix Silicon International Corporation (PSI) to its customers, shareholders, and partners. PSI is dedicated to strengthening information security defense and management mechanisms by establishing the position of Chief Information Security Officer (CISO) and a responsible information security organization. We allocate professional manpower and resources to define information security policies, management procedures, and regulations. Furthermore, we have issued the "Information Security Declaration" to declare our determination to safeguard information security and promote the goal of information security: maintaining PSI's market competitiveness and safeguarding the interests of our customers and partners.
Information Security Declaration
As PSI continues to provide outstanding semiconductor manufacturing services, including wafer processing and wafer thinning, to global customers and establishes long-term mutually beneficial partnerships, we are committed to actively enhancing information security and confidential information protection mechanisms. This commitment aims to maintain PSI's market competitiveness and safeguard the interests of our customers and partners.
Information Security Governance
PSI has established an IT Security Committee and appointed Ms. Annie Chen, the Chief Legal Officer, as the Chief Information Security Officer (CISO) of PSI. The CISO is responsible for planning, monitoring, and managing information security policies and systems, and collaborates with its Information Technology and Information Security units, including but not limited to the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC), to strengthen cybersecurity protection and management mechanisms.
Every year, the CISO reports on information security risk management, global security risk trends, company information security policies, and the effectiveness of implementation to the IT Security Committee. Additionally, regular reports on information security supervision and risk control measures are presented during board meetings.
The Information Security Organization of Phoenix Silicon International Corporation (PSI)
IT Security Committee
PSI has established the "IT Security Committee," with the Chief Legal Officer serving as the Chief Information Security Officer (CISO). The committee includes the General Manager, Vice Presidents, and the Chief Information Officer as its members. Regular meetings are held every six months to review important information security policies, information security risk assessments and enhancement plans, information security indicators, and global information security trends and threats. The committee ensures the achievement of PSI's information security policies and management objectives.
Information Security Team
PSI established the "Information Security Team," with members from the Legal Affairs Department and the Information Department. The team holds regular monthly meetings to review and decide on important information security and data protection policies and execution plans. In 2024, at least 11 information security meetings were held to ensure the achievement of PSI's information security policy objectives.
Key Points of Information Security Management and Implementation
PSI has established an information security management system (ISMS), has been certified to ISO 27001:2022, the international standard for information security management, since October 2023, and regularly undergoes continuous evaluation audits. The scope of certification covers information security management activities related to the IT operation and maintenance of the MES, SAP and BPM information systems and the Data Center (including the Hsinchu and Chungkang sites).
PSI has joined the TWCERT/CC and the CISO Alliance to receive real-time cybersecurity intelligence and respond accordingly. In 2024, the company received 172 threat intelligence reports, all of which were confirmed and handled. The company has completed at least three hours of cybersecurity training for employees and related personnel, with 1,642 participants. Additionally, 12 cybersecurity awareness articles were published on the company’s internal portal and bulletin boards to highlight real-world cybersecurity cases and their importance.
PSI takes proactive measures to prevent and reduce external cybersecurity risks by implementing and continuously enhancing robust security measures. For instance, we have established advanced virus scanning tools to protect information systems used in our facilities from virus infections. We have strengthened network firewalls and controls to limit the impact of computer viruses and prevent their spread across facilities. Anti-virus measures and advanced malicious software detection solutions are deployed on company computers, and we have improved security deployment time to enhance data center security. Additionally, we have established and regularly review security performance indicators, implemented new technologies for data protection, conducted social engineering drills to improve phishing email detection, and developed training programs to raise employee cybersecurity awareness. Furthermore, we have developed an integrated automated security operations platform to enhance security event detection and automate incident handling. Continuous drills for handling cybersecurity attacks are conducted, and we also engage external experts for security assessments.
Our annual cybersecurity implementation priorities include:
Network Security Management
Asset Management and Data Security
Access Control Management
Computer Operations Security Management
Operation Security Management
Information System Acquisition, Development, and Maintenance Management
Security Incident Management
Information Supplier Security Management
Personnel Security Management and Education Promotion
Change and Configuration Management
Cloud Service Security Management
Cybersecurity Incident Handling and Reporting
PSI has established an Emergency Response Team and an Information Security Incident Management Procedure, which outlines relevant processes and measures. These include the incident reporting procedure, the assignment of responsible personnel to handle significant cybersecurity incidents, assessment of damages incurred, and further necessary response measures. PSI also evaluates the potential impact of cybersecurity risks on the company's financials and operations and implements appropriate mitigation strategies.
Copyright (C) Phoenix Silicon International Corporation