Information Security Management

Information Security Risk Management Framework

  • The unit responsible for information security management is the Information Department, consisting of a chief information officer and an information security engineer, who are responsible for formulating information security policies and implementation plans and for promoting the implementation, review and improvement of operations. It presents a quarterly report to the general manager on the current situation of the company’s information security management.
  • Oneness Biotech has set up a supervisory unit for information security management, whose authority and responsibilities are associated with the chairman’s audit office. It has a supervisor in charge and a professional auditor, and is responsible for identifying deficiencies in the implementation of the information security policy and tracking the implementation of the improvement plan.

The Company’s information security policy consists of the following three policies:
(1) Formulate management regulations
Management regulations are used to standardize and regulate the conduct of colleagues.
(2) Information technology
Adopt advanced software and hardware to effectively prevent information security incidents.
(3) Advocacy and improvement
Enhance employee awareness of information security and self-protection, and continually revise the ever-changing information security implementation policies.

Specific information security management measures

Oneness Biotech’s specific management measures for information security are as follows:
(1) Formulate management regulations
The Company has formulated the following management regulations to ensure the implementation of information security: computer software usage regulations, network firewall management regulations, information management regulations, computer information backup operation, emergency recovery regulations, website management regulations, file catalog inventory and encryption level management list, wireless network management regulations, guest network usage rules, system account password authority security rules, personnel resignation account processing procedures, employee non-disclosure agreement, etc.
(2) Information technology
In terms of information security protection, the Company focuses on strengthening multi-level protection of software and hardware, including account complexity and password verification, host and client antivirus, Internet behavior management/malicious website protection, firewall blocking, host data backup, data encryption, network IP management, etc.
(3) Advocacy and improvement
The Company conducts information security advocacy and education and training, and has also conducted a disaster drill. The audit office reports any incomplete improvement actions and tracking matters to the general manager.