Risk Management Program & ERM

Emerging Risk Management & Adaptive Strategy

Information Security Management Framework

CPDC has appointed a Chief Information Security Officer to oversee the promotion of information security policies and the allocation of resources, and has set up an Information Security Management Team under the Information Office, consisting of an information security manager and two information security staff. The team is responsible for formulating corporate information security policies, planning and implementing information security procedures, and promoting and enforcing information security policies.

CPDC introduced the ISO 27001 standard for the Information Technology Department's system development, operation and maintenance, network infrastructure, server room and related support activity management, in order to strengthen its existing information security system, and formulated information security policies accordingly. Certification by an external body was obtained on February 6, 2024 (certificate valid until 2027/2/5). In addition, we established an internal information control system to promote information security governance, and we collaborate with the auditing unit to arrange annual information security audit plans and to conduct evaluations at least once a year, so as to ensure the confidentiality, integrity and availability of information related to CPDC's operations and that the company's overall information security protection capabilities are in line with operational needs.

Information security risk identification and management

CPDC will continue to optimize and improve its information security management policies. CPDC's information security management measures are as follows:

  • Regularly conduct information security education and training to promote information security policies, related regulations and information security protection concepts, and to raise employees' awareness of information security.
  • On an annual basis, commission a third-party company to conduct regular cybersecurity audits and assessments, such as external audits, vulnerability scanning and security health checks, to ensure that our information systems and network comply with security standards.
  • Regularly conduct information security inspections, and remediate findings based on the inspection results to reduce information security risks.
  • Establish a notification and response mechanism for information security incidents to ensure the proper response to, control and handling of such incidents.
  • Perform regular information security audits to ensure that the information security management system is implemented.
  • Carry out all matters in accordance with relevant laws and regulations.

Summary of Information Security Management Execution (as of December 31, 2024)

  • Annual Report: The results of the yearly information security management activities were presented to the CPDC Board of Directors in November 2024.
  • Updated Policies and Procedures: CPDC completed revisions and updates to its information security specifications and operating procedures, which were reviewed and approved by the Information Security Steering Committee.
  • Firewall Enhancements: The CPDC firewall equipment was updated, and rule settings were reviewed and adjusted to improve the detection and blocking of malicious network traffic.
  • Improved VPN Security: We enhanced the CPDC SSL-VPN service by implementing a dynamic password (OTP) verification mechanism, providing a more secure network connection.
  • Service Continuity Drills: We successfully conducted biannual drills to test the continuity of critical service systems, ensuring the effectiveness of our backup mechanisms.
  • Vulnerability Management: CPDC completed two rounds of third-party vulnerability scanning and patching, further strengthening our information security framework.
  • Penetration Testing: Annual third-party security assessments and penetration tests were conducted to bolster CPDC's overall information security resilience.
  • Social Engineering Awareness: We carried out email-based social engineering drills to increase employees' awareness of phishing threats.
  • Employee Awareness Training: Throughout the year, we provided information security education and training sessions, along with 7 awareness campaigns, to improve our employees' understanding of information security best practices.