Category: Information Security

In order to ensure the confidentiality, integrity and availability of WT’s information assets, to comply with the requirements of relevant laws and regulations, to protect them from internal and external deliberate or accidental threats, and to meet business needs, information security policies have been formulated as a basis for compliance to effectively and reasonably mitigate operational risks. The policies are applicable to WT and its affiliates, subsidiaries that are 100% directly or indirectly owned, controlled by WT, subsidiaries that sell or provide services for the Group, all personnel of the mentioned organizations, outsourcing service providers, student workers, and visitors, etc. In addition, information security clauses have been added to external contracts.

According to the 2023 World Economic Forum (WEF) Global Risk Report, “Widespread cybercrime and cyber insecurity” is ranked as the 8th risk within 2 years and 10 years. With increasingly complex cyber espionage or cyber crimes, such as loss of privacy, data fraud or data theft, compromised information security protection may lead to data leakage and blackmail risks, and even core system disruptions, causing serious business losses and damaged goodwill.

In view of the growing importance of information security and increasingly rampant cyber attacks, WT’s Information Security Department is headed by Chief Information Security Officer at the level of deputy general manage. The Department, composed of one dedicated director and two dedicated personnel, is responsible for information security risk management, incident investigation, system vulnerabilities disclosure, and information security system evaluation and introduction, etc. Following the establishment of the Sustainable Development Committee, information security management strategies and results will also be presented to the Sustainability Development Committee before being submitted to the Board. There were no major information security incidents involving sensitive information leakage or information service disruption in 2023, and no financial losses were caused to customers or suppliers due to the information security incidents.

Information security certificates are used as a mechanism to check and continuously improve information security professional capabilities. In 2023, a total of six international certificates in information security governance, information security management and auditing were obtained, including CEH Master, CISA, and ISO 27001 Lead Auditor. In addition, WT has joined joint information security defense organizations such as Taiwan CERT/CSIRT Alliance and Taiwan Chief Information Security Officer Alliance to strengthen the joint information security defense system by identifying relevant information security trends and sharing threat intelligence. At a meeting of the Taiwan Chief Information Security Officer Alliance in 2023, WT shared its supply chain security practices, explaining how to help vendors improve their information security capabilities and strengthen overall supply chain security protection.

Regular refresher training to raise employee safety awareness

While conventional information security protection boundaries are no longer effective, employee security awareness has become an important part of information security management. From 2021, randomly selected phishing templates are sent out every month for social engineering exercises. For employees who click on phishing emails, there is a system in place to require refresher training, notify their direct supervisors, and keep track of the training results, in order to reduce information security threats caused by employees lacking information security awareness.

 

Implementing information security management system to upgrade corporate information security resilience

Based on ISO 27001 and NIST CSF, WT introduced and strengthened its security control measures, constantly evaluates its information security protection mechanism from point, line and plane, and develops different technical combinations. It also adopts defense-in-depth approach and security-by-design principles to further strengthen multi-layer security in eight aspects, which are management, data, endpoint, application, network, third-party supply, business continuity and emergency response, intelligence integration and joint defense, so as to reduce impact of information security risks to acceptable levels and continuously monitor residual risks. In addition, ISO 27001 verification and red team exercises were performed by third-party institutes to verify the effectiveness of management mechanisms and system security protection, and strengthen information security resilience. WT is ISO/IEC 27001:2013 and CNS 27001:2014 verified via TCIC, with certificates valid until 2025. The information security measures it took in 2023 with regard to the five NIST CSF core functions were as follows:

Five major measures to improve information security control and network protection

WT adopts defense-in-depth approach, security-by-design principles, and continuous threat exposure management (CTEM) concept to identify assets that are vulnerable to attack paths. WT manages risks to reduce the probability and impact of threats. Its information security control measures in 2023 include :

Response to customers’ information security concerns

WT relies heavily on information systems and online transactions to conduct business with its upstream and downstream partners. WT regularly returns information security self-assessment questionnaires to customers and vendors, and communicates with them on specific information security issues from time to time. In addition, to meet customer requirements, a third-party information security service provider is commissioned by a customer to perform host vulnerability scanning and penetration testing to ensure supply chain information security.

Business continuity and emergency response

24/7 information security monitoring

WT has a dedicated information security mailbox to receive information security notifications from external sources to inform internal security improvement.

Regular information security incident exercises to ensure recovery in the shortest possible time

To enhance corporate resilience and maintain high availability of the information system, tests and exercises are conducted at least once a year according to the business continuity plan of the information security management system. The exercise involves a simulated incident in the main system, switch of the main data center operation to offsite, detailed record of the exercise and results, and subsequent review and follow-up of continuous improvement.

In 2023, the number of unexpected power outages decreased by 25% relative to 2022. Nevertheless, WT continued to conduct a power supply abnormality exercise to ensure that emergency generators can be activated immediately and normal operation of the facilities and systems can be maintained. The exercise proved that the emergency response procedures were appropriate and all the facilities and systems were in normal operation.

Setting up information security notification system for hierarchical management and rapid response

WT has security incident management procedures in place, which classify information security incidents into four levels and specify notification procedures accordingly. The individual who spots an information security incident reports it to IT or information security personnel who then determines whether it is an incident and its level before forwarding accordingly. A critical incident will be immediately reported to the Chief Information Security Officer, who will pass it on to the General Manager for emergency response.

The information department must remove and resolve information security incidents within the target time, and conduct reviews and improvement measures after the incident is concluded to prevent its recurrence. If the assessment of the incident cause and impact find that the incident was caused by an employee’s behavior, he or she will be punished in acordance with the work rules.

 

A total of four information security incidents occurred in 2023, all of which were non-critical. Three of them involved leaked passwords, which were all responded to and handled immediately and caused no impact; and the other involved an external network anomaly experienced by WT’s network service provider, and the traffic was instantly redirected to the backup route. No core services, confidential or sensitive data, or confidential information related to transactions with customers or vendors were leaked in these incidents.

 

In view of the growing importance of information security and increasingly rampant cyber attacks‭, ‬WT set up a dedicated Information Security Department and installed a Chief Information Security Officer at the level of deputy general manager in 2022‭. ‬The Department‭, ‬composed of one dedicated director and two dedicated personnel‭, ‬is responsible for information security incident investigations‭, ‬system vulnerabilities disclosure‭, ‬and new information security architecture evaluation and introduction‭, ‬etc‭. ‬The main tasks that have been completed are as follows‭:‬

1. The ISO/IEC 27001:2013‭ ‬and CNS 27001:2014‭ ‬verifications were obtained in 2022‭ (‬valid until October 31‭, ‬2025‭), ‬and the threats and impacts posed by information security incidents were reduced through standardized and systematic control and management‭;‬
2. A dedicated information security mailbox was set up to receive external information security notifications from customers‭, ‬suppliers‭, ‬integrated cyber threat intelligence providers‭, ‬information equipment suppliers‭, ‬service providers‭, ‬etc‭.‬
3. A dedicated person was appointed to collect‭, ‬analyze and keep record of information on important information security news‭, ‬vulnerability releases‭, ‬zero-day attacks‭, ‬and vulnerability utilization trends‭, ‬and rate incidents for severity‭. ‬Incident severity levels have been internally defined‭. ‬The contact person in the information division keeps record of incidents‭, ‬and‭, ‬in the case of a major information security incident‭, ‬immediately notify the Chief Information Security Officer‭. ‬The Information Security Department must verify‭, ‬eliminate and resolve the information security incident within the target processing time‭. ‬After the handling is completed‭, ‬the Incident Response team‭ (‬IR team‭) ‬must conduct root cause analysis‭, ‬track and record the implementation effectiveness of corrective measures‭, ‬so as to continuously improve the intervention methods and prevent recurrence of similar incidents‭. ‬In addition‭, ‬information security incidents have been divided into four severity levels‭, ‬and their response mechanisms and‭ ‬standard operating procedures are formulated respectively to speed up the recovery time of information system services‭.‬

Information Security Management and Protection

Software‭, ‬hardware and network protection and monitoring

WT has a dedicated information security mailbox to receive external information security notifications from customers‭, ‬suppliers‭, ‬Taiwan Computer Emergency Response Team‭ (‬TWCERT‭), ‬information equipment suppliers‭, ‬service providers‭, ‬etc‭. ‬A dedicated person‭ ‬is also appointed to collect‭, ‬analyze and keep record of information on important information security news‭, ‬vulnerability releases‭, ‬zero-day attacks‭, ‬etc‭. ‬and rate incidents for severity‭. ‬Incident severity levels have been internally defined‭. ‬The contact‭ ‬person in the information division keeps a record of incidents‭, ‬and‭, ‬in the case of a major information security incident‭, ‬immediately notify the Chief Information Security Officer‭. ‬The Information Security Department must eliminate and resolve the information security incident within the target processing time‭. ‬After the handling is completed‭, ‬the Department must conduct root cause analysis‭, ‬track and record the implementation of corrective measures‭, ‬verify their effectiveness‭, ‬and use Plan-Do-Check-Act‭ (‬PDCA‭) ‬for continuous improvement and recurrence prevention‭.‬

10‭ ‬tips to improve personal cybersecurity

System backup and information security incident management

Backup and recovery plan in case of malicious intrusion

WT has comprehensive network and computer-related information security protection measures in place‭. ‬Nevertheless‭, ‬no matter how‭ ‬perfect the protection measures are‭, ‬they cannot 100%‭ ‬guarantee that the Company’s core system is safe from black swan or gray‭ ‬rhino incidents‭. ‬Therefore‭, ‬our top priority is to increase the Company’s resilience and ensure the system can be quickly brought back to operation‭. ‬Therefore‭, ‬in addition to further investing in information security software and hardware‭, ‬we continue to strengthen our continuous operation capabilities‭, ‬so that the Company’s operations can be resumed in the shortest time in the event of an information security incident‭.‬

Information security capabilities was further improved to equip the Company with first-class operating capabilities

WT’s operation is based on continuous delivery capability‭. ‬WT is committed to providing products and services that meet confidentiality‭, ‬integrity and usability requirements‭. ‬In order to be a first-class enterprise in the sector‭, ‬we apply and introduce international information security frameworks‭, ‬and continuously strengthens the security control measures to ensure a high level of‭ ‬information security protection capabilities‭. ‬We therefore constantly evaluate the information security protection mechanism from point‭, ‬line and plane‭, ‬and develop different technical combinations to shorten the system recovery time‭. ‬In addition‭, ‬information security management system verification and red team exercises‭, ‬etc‭. ‬were introduced to review and upgrade the system with‭ ‬the assistance of independent organizations‭. ‬In 2022‭, ‬a number of external power outages happened unexpectedly‭. ‬As a precaution‭ ‬against unexpected power outages‭, ‬WT conducted a power supply abnormality exercise to ensure that emergency generators can be activated immediately and normal operation of the facilities and systems can be maintained‭. ‬After the exercise‭, ‬it was confirmed that the emergency response procedures were appropriate and all the facilities and systems were in normal operation‭.‬

 

By strengthening information security and employees‭’ ‬security awareness‭, ‬there were no sensitive information leakage or major information service interruption incidents‭, ‬nor financial losses caused to customers or suppliers in 2022‭.‬

Information security concerns of stakeholders were addressed

Through annual routine information security self-assessment questionnaires returned from our customers and suppliers‭, ‬information security management evaluations conducted by the competent authorities‭, ‬and inquiries raised on specific information security‭ ‬topics‭, ‬the questions and concerns we heard from the customers in 2022‭ ‬were mainly about the handling of major vulnerabilities‭, ‬security controls and measures‭, ‬ISO 27001‭ ‬certification‭, ‬information security management for sustainable operation‭, ‬etc‭. ‬The Information Security Department has answered all the questions to meet stakeholders‭’ ‬expectations and requirements‭.‬

Delivering products to customers on time is the basis of WT’s operations, and system downtime will result in delayed delivery or the inability to deliver products. WT expects to become an enterprise with first-class operational capability in the industry, and a high degree of information security capability is the cornerstone for providing quality services. Third-party organizations such as international certifications and red team assessment are used to assist in the review. With enhanced information security protection and employee security awareness, no sensitive information was leaked in 2021, and there were no significant information service disruptions that caused financial losses to customers or suppliers’ operations.

 

Setting up a dedicated department to strengthen information security management

Because of information security’s increasing importance and proliferation of cyber-attacks, WT will set up a dedicated information security department in 2022. With a dedicated manager and two dedicated staff to focus on information security incident investigation, system vulnerability disclosure, and the assessment and implementation of new information security architecture. In addition, WT will evaluate the implementation of ISO 27001 to reduce the threat and impact of information security incidents through formalized and systematic control and management.

 

WT has set up dedicated emails to receive cyber security notifications from external customers, suppliers, the Taiwan Computer Network Crisis Management and Coordination Center (TWCERT), and information technology equipment and service vendors. WT has dedicated personnel to regularly collect information on major information security news, vulnerability disclosure, zero-day attacks, etc., to analyze, record, and set event levels. Internally, we set event levels according to severity while the information department records them. In case of a major information security incident, the Chief Operating Officer shall be notified immediately.

 

The information technology department must remediate and fix information security incidents within the target processing time and find the root cause, track and records the remediation and verify the effectiveness, and follows the PDCA method for continuous improvement to prevent the recurrence of incidents. In addition, WT classified information security incidents into several levels of severity and defined the recovery mechanisms and standard operating procedures to speed up the recovery point objective.

Build safety awareness among staff

The pandemic has swept through the world, changing people’s lifestyles and work styles. Working from home and remote work has become the norm. This causes employees to be detached from the protection of the corporate intranet and becomes a potential breach of corporate information security.

 

Strengthening employees’ security awareness has become an important part of information security. In the second half of 2021, WT introduced security awareness training and planned a basic phishing course and a discovery phishing game course. In 2021, 4,198 training sessions were completed (100% completion rate). Through video presentation and interactive teaching, we have enhanced our staff’s knowledge and awareness of information security and integrated security awareness into their daily work through continuous social engineering practices.

 

Backup and recovery plan in case of malicious intrusion

The Group has established comprehensive information security protection mechanisms. However, it cannot guarantee complete prevention from third-party attacks to crash the critical corporate system. When a severe attack occurs, the system may not be operational, leading to operational interruptions due to the inability to ship orders or compensation for customer losses due to shipment delays. Therefore, rapid system recovery is of the utmost importance. Apart from keeping investments in information security devices and software, The Company continually strengthens the system recovery mechanism.

Introduction of the latest artificial intelligence NDR and EDR

Techniques for hack intrusions have been changing rapidly. In addition to exploiting the vulnerability and furthermore , hackers are using zero-day attacks to hack into systems before the patch. Hackers are also stealing employee accounts and passwords through phishing to gain direct access to the company’s system. Traditional pattern-matching protective measures no longer stop these numerous tactics.

WT introduced Network Detection Response (NDR) and Endpoint Detection Response (EDR) with an artificial intelligence machine learning mechanism in 2021. NDR performs front-line blocking and isolation when abnormal behavior deviation occurs on the network side. When the network side cannot identify and block in time and the threat enters the endpoint, the EDR mechanism blocks and isolates it again. Since there is no respite from network threats, we have also signed SOC/MDR services with third-party vendors to monitor information security threats 24/7.

Respond to customer’s information security concerns

WT assesses and responds to customers’ information security concerns through regular annual supplier self-assessment questionnaires or business communication. In 2021, the main issues concerning customers were the handling of major loopholes and whether they had passed ISO 27001 certification, all of which have been handled by the information department through self-assessment questionnaires or emails to meet clients’ needs.

WT’s Information Security Management Plan in 2022

Management level We have implemented ISO 27001 to establish an internal organization for information security management operations, to continuously strengthen and improve our information security management mechanism, and to enhance our ability to respond to information security incidents and emergency response.

Technical aspects We have gradually built a complete information security infrastructure to protect the information security framework of new technology types following the introduction of new information architecture (e.g., cloud application, AI artificial intelligence, and IoT Internet of Things).

Cognitive Training Level We raise information security awareness among all employees, and have gradually extended this awareness to our suppliers. Through supplier education training and information security assessment, we help suppliers improve their information security capabilities and establish a protective network for the entire supply chain.