Information Security Management

Information Security Organization and Structure

To maintain firm control over information and communication security, the company established an Information Security Management Committee in 2021, convened by the General Manager, which supervises the company-wide information security policy with reference to the ISO 27001:2013 Information Security Management System standard and the Regulations Governing Establishment of Internal Control Systems by Public Companies. The Information Technology and Security Department is the dedicated information security unit, and its head serves as the information and communication security management representative, coordinating the formulation, execution, risk management and compliance auditing of information security and protection policies. Each unit with information security responsibilities (product, personal data, privacy and so on) appoints an information security representative. Information security meetings are held regularly to discuss the information security policy and other major security issues and to supervise both the execution of information security operations across the company and the effectiveness of the security risk management mechanism; the results of the security management organization's operations and systems are reported to the Board of Directors periodically.





Information Security Management Strategy

The Board of Directors approved the Information Security Management Policy on 22 February 2022. The policy is reviewed annually to ensure the confidentiality, integrity, availability and legal compliance of the company's information assets.


System Security
The company is certified to ISO/IEC 27001:2013 Information Security Management System (ISMS); the current certificate is valid from 16 October 2020 to 15 October 2023. Adopting the ISO 27001 ISMS strengthens the company's ability to respond to information and communication security incidents and protects the assets of the company and its customers.

Product Security
The company was certified in 2020 to IEC 62443-4-1:2018 Secure Product Development Lifecycle Requirements; the current certificate is valid from 30 November 2020 to 29 November 2025. The entire product lifecycle, from design, development and testing through to release, follows strict security requirements.



Personal Data Protection
The company was certified in 2021 to BS 10012:2017 Personal Information Management System (PIMS); the current certificate is valid from 1 December 2021 to 30 November 2024. The PIMS standardizes all related procedures and applicable documents; in addition to meeting the requirements of the EU General Data Protection Regulation (GDPR), it ensures that personal data is properly identified, evaluated and managed.




Privacy Protection
The company obtained the TRUSTe privacy certification seal in March 2022. To honour its commitment to privacy protection and security, the company has worked closely since 2014 with TrustArc Inc., a globally recognized authority in data privacy management, which provides privacy assessment, certification and monitoring tool services. The company's external service websites and their domains have all passed TrustArc's audits and certification and have been awarded the TRUSTe privacy certification seal.




Information Security Risk Management and Continuous Improvement Framework

The company has long been engaged in network equipment and services and treats information security as a high priority; its scope covers employees, the organization, suppliers, and operation-related information and data as well as software and hardware equipment. D-Link Corporation follows the ISO/IEC 27001:2013 Information Security Management System standard, formulates its information security policy and strengthens security management to ensure that important information assets are protected from deliberate or accidental internal and external threats, thereby maintaining the confidentiality, integrity and availability of information. Through its information asset and risk management procedures, the company's important information assets are established and maintained under a Plan-Do-Check-Act (PDCA) model, ensuring business continuity, reducing business risk, improving service quality, and ensuring that all security-related policies, procedures and operating guidelines are consistently and effectively implemented in daily operations.





Concrete Information Security Management Measures

Security Protection and Control

Network security

  - Deploy current scanning and software-update technology, strengthen software firewalls and computer controls, and prevent the spread of computer viruses

Device security

  - Maintain robust endpoint anti-virus and malware scanning to keep ransomware and other malicious code out of the company
  - Strengthen detection of malware and trojan attachments in the mail system

Application security

  - Define security checks, assessment criteria and improvement targets for the application development process
  - Continuously strengthen application security controls and patch vulnerabilities that may exist

Access control

  - Define user password management rules and network security services, segregate the internal network from external connections, and control remote-work access to protect the network and its data

Password and key management

  - Manage passwords and cryptographic keys as required to preserve the confidentiality of company systems and accounts, minimise the risk of leakage and adequately protect the company's sensitive information

Information security incident management

  - Establish an information security incident reporting and handling procedure to limit the damage caused by incidents

Security Risk Review and Continuous Improvement

Education, training and awareness

  - Raise employee alertness to e-mail social-engineering attacks and run phishing e-mail defence and detection measures
  - Hold regular business continuity drills to raise employee security awareness

Security risk management monitoring

  - Commission independent third-party verification bodies to perform regular information security assessments of the company against:
    - ISO/IEC 27001:2013 Information Security Management System
    - IEC 62443-4-1:2018 Secure Product Development Lifecycle certification
    - BS 10012:2017 Personal Information Management System

External threat detection and protection

  - Commission independent third-party bodies to perform regular vulnerability scans, and regularly collect external threat intelligence and assess the associated risk to strengthen protection against external threats
  - Joined the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC); intelligence received through it is risk-assessed, and security staff confirm and track the handling of each item




Resources Invested in Information and Communication Security Management

Results of the company's information security measures include:
(1) Certification against three international security-related standards: ISO/IEC 27001:2013 Information Security Management System, IEC 62443-4-1:2018 Secure Product Development Lifecycle, and BS 10012:2017 Personal Information Management System.

(2) More than 20 security-related meetings held; security awareness education delivered to all employees every quarter via the internal website. The dedicated security unit has 1 full-time security staff member plus 7 supporting IT and network operations staff, each of whom receives at least 24 hours of professional security training per year. For 2022 the target is 1 hour of IT-related training per employee per quarter: 2 hours of information security education and 2 hours of other IT training over the year.



Major Information and Communication Security Incidents

The company passed the internal and external ISO/IEC 27001:2013 information security audits and certification in September 2021 and the BS 10012:2017 personal data protection audits and certification in December 2021 with no major findings. No major security incident involving a breach of information security or personal data protection that caused leakage of customer or employee information, or fines, occurred. In addition, in 2021 there were no complaints leading to legal action from independent third-party verification bodies or competent authorities arising from breaches of customer personal data protection or loss of customer data.


Information Security Management


Information Security Purpose and Scope

D-Link Corporation has long focused on the development of network equipment and services, and information security is one of the company's high-priority tasks. The scope of information security at D-Link Corporation covers employees, organizations, suppliers, and operation-related information, software, and hardware equipment. The company follows the ISO/IEC 27001:2013 information security management system standard, formulates information security policies, strengthens information security management, and ensures that important information assets are protected from internal and external threats, intentional or accidental, in order to maintain the confidentiality, integrity, and availability of information. Through information asset and risk management procedures, the company's important information assets are managed under a Plan-Do-Check-Act (PDCA) model to ensure the continuity of the company's business, reduce business risk, and improve service quality. We ensure that all information security policies, procedures, and guidelines are consistently and effectively implemented across the company.


Information Security Risk Framework

In order to ensure information and communication security, D-Link adheres to the ISO 27001:2013 standard and has established the Information Security Promotion Committee with a mandate to promote and audit the information security management system and to provide the resources these tasks require. The IT department is responsible for leading, planning, and formulating D-Link's Information Security Management Policies, and is also tasked with regularly reviewing and adjusting them. All business units are tasked with implementing these policies and work in coordination with the IT team to ensure the Information Security Management system is effectively applied.

D-Link has set a goal of sustainable information security and privacy improvement, with plans to establish an organization that integrates information security and privacy protection across the products, systems and services aspects of our business. This organization will be responsible for formulating D-Link's information security vision and strategy in response to business needs and development trends. The goal is to create a safe and reliable product information security environment and a sound privacy protection system, and to strengthen a risk-oriented information security protection system. Regular meetings will be held to review the implementation of standards and to ensure the company fosters an environment conducive to robust and reliable information security and privacy protection.

Product Security:
D-Link applies stringent information security requirements throughout the product lifecycle, from design, development and testing to new product introduction and lifecycle management. These practices were further validated in January 2021, when D-Link obtained IEC 62443-4-1 certification for Secure Product Development Lifecycle.

Personal Information and Data Privacy:
To uphold the protection of personal data privacy and our commitment to personal data security, we have cooperated closely with TrustArc Inc., a globally recognized authority in the field of DPM (Data Privacy Management), since 2014, and made use of the privacy assessment, certification and monitoring tool services it provides, along with the quarterly audits it performs, to ensure our management is in compliance with regulatory requirements. D-Link external service websites and domains (specifically dlink.com, mydlink.com and nuclias.com), including their English, French, German, Spanish, Italian and Japanese language pages, have all been audited and certified by TrustArc Inc. and awarded the TRUSTe privacy certification.

We have also introduced the BS 10012:2017 PIMS (Personal Information Management System) to standardize all related procedures and applicable documents. In addition to complying with the EU GDPR (General Data Protection Regulation), the management system also ensures that personal data is properly identified, evaluated and managed, and we successfully passed the BS 10012:2017 annual assessment in November 2021. We received no personal data related complaints from 2020 to 2021. Nevertheless, we remain committed to continuous monitoring and improvement through regular audits in that regard.

Information Security Policy Goal

To ensure the continuity of the Company's operations and the stability of the information services provided by the Company.

To ensure the confidentiality, integrity, and availability of the information assets kept by the company and protect the privacy of personnel data.

To establish an information business continuity plan and implement information business activities that meet the requirements of relevant laws and regulations.



Information Security Control Measures 

Risk Assessment

Establish a regular inventory of information assets, conduct risk management based on information security risk assessment, and implement various control measures.


Education and Training

The company regularly performs information security promotion operations, conducts annual information security education and training, and requires all new employees to sign information security agreements. All employees should comply with legal regulations and information security policy requirements, and strengthen information security awareness and legal concepts.


Safeguarding

All employees and outsourcing vendors must sign a confidentiality statement to ensure that those who use the company’s information, services, or perform related businesses will perform their duty to protect the company’s information assets to prevent unauthorized access, unauthorized alteration, destruction, or improper disclosure.


Regular Drills

Important information systems and equipment are equipped with appropriate backup and monitoring mechanisms and drilled regularly, with standard operating procedures established, to maintain their availability.


Endpoint Protection

Deploy a new anti-virus system, introduce a multi-factor authentication mechanism, and strengthen auditing for unauthorized software.


Incident Notification

Develop standard procedures for responding to and reporting information security incidents, so that information security incidents can be handled immediately to prevent the expansion of harm.


Given that information security risks grow more uncertain year by year, we intend to purchase information security insurance in the future as part of a more comprehensive information security investment.