♦ Information Security Management
FITI understands that the protection of confidential information is critical to the company's current and future competitive advantages. Therefore, in 2017, it invested in information security protection measures to control the company's business secrets. By constantly promoting the importance of confidential information protection, it makes employees more aware of confidential information and of the correct concept and vigilance of protection, to ensure the best interests of stakeholders related to FITI.
FITI is committed to protecting the confidential information and privacy rights of customers in order to build trust and long-term cooperative relationships with them, providing customers with an exclusive technical service team and data protection, and requiring employees to fulfill their duty to protect confidentiality. To strengthen information security, the Company has appointed a Chief Information Security Officer and established an Information Security Management Department. There are currently 7 information security personnel, responsible for information security management auditing, protection monitoring, and emergency response. An Information Security Management Committee has been established, convened by the Chief Information Security Officer, to coordinate information security policy formulation, strategic planning, supervision of implementation, and continuous improvement. The status of information security and the progress of improvements are reported to the board of directors quarterly. The Company has obtained ISO 27001 international certification for its information security management system through third-party verification, valid from March 15, 2025 to March 15, 2028. The Information Security Management Department and the Quality Assurance Department of the company are responsible for promoting the planning, execution, auditing, communication and coordination of management-related matters, and for handling relevant education, training and publicity to ensure that personnel are familiar with the security responsibilities of business execution. The company formulates relevant norms and systems, access control, sub-authorities and validity periods, and controls customer data. For customer confidential projects, employees must sign a personal confidentiality agreement for the project to fulfill their responsibility to protect customer information.
1. All security measures must be followed by all employees.
2. For customer data, all employees involved should sign a "Non-disclosure Agreement".
3. FITI's internal "New Smart Information System" sets access permissions for specific employees.
4. Complete information data protection and internal access control.
5. Complete education to ensure employees understand their responsibility for data security.
♦ Information Security
I. Drawing and Data Security Policy
(1). Use the Document Encryption System for sharing data with suppliers, with access frequency and expiration date set.
(2). All suppliers use encrypted files.
II. Mail Security
(1). Outbound and inbound email virus scanning, email filtering detection and prevention.
(2). Automatic email backup meets audit and compliance requirements.
III. Server Security Policy
(1). Server Policy:
-- a. Active backup and Offline backup
-- b. Automatically apply the latest updates.
-- c. Automatically patch server.
(2). Internet Policy:
-- a. All external information and communication devices are prohibited from connecting to the internal network.
-- b. Firewall sets up a blacklist to block suspicious websites.
-- c. Firewall settings adopt the principle of least privilege and default denial. Reviews are conducted and recorded regularly.
(3). Computer User Policy:
-- a. Computers are automatically patched to the latest update.
-- b. Users cannot install unauthorized software.
-- c. The computer restricts access to USB devices.
-- d. EDR software is installed on the computer for real-time monitoring.
♦ Network security management
All files and drawings in the factory are encrypted by introducing encryption software. If they need to be read, they can only be viewed by DCC after permissions have been reviewed. Those who access high-level process drawings work in a review room on an independent network segment. The review room has 24-hour access control and monitoring to record the content read by staff. FITI fully deploys anti-virus software and WSUS in the factory, and regularly updates and monitors them to ensure that the latest version is used. The whole host is backed up every day and the files are stored offline. A host backup file restoration drill and data verification are carried out every quarter. Important network equipment is placed in the computer room; entry requires double-pass authentication, and records are kept. Information security awareness, education and training are regularly promoted to staff, and the information security policy and risk assessment are audited every year. Data restoration is verified quarterly.
Users' online behavior is subject to a specific filtering mechanism, and external USB devices are strictly controlled. Outbound and inbound emails must pass through an email filtering system, and the email threat security mechanism should be set to prevent malicious virus attacks. For customer privacy and information security, FITI takes the necessary management policies and protection measures to prevent unauthorized use and disclosure.
◎ Implementation effect: there have been no customer complaints, and full customer trust has been obtained. FITI operates successfully and strives for more orders for the company.