Protecting corporate assets with enhanced overall supply chain information security

2024-08

To ensure the confidentiality, integrity and availability of WT’s information assets, to comply with the requirements of relevant laws and regulations, to protect those assets from internal and external deliberate or accidental threats, and to meet business needs, information security policies have been formulated as a basis for compliance and to effectively and reasonably mitigate operational risks. The policies apply to WT and its affiliates, to subsidiaries that are 100% directly or indirectly owned or controlled by WT, to subsidiaries that sell or provide services for the Group, and to all personnel of these organizations, outsourcing service providers, student workers, visitors, etc. In addition, information security clauses have been added to external contracts.

According to the 2023 World Economic Forum (WEF) Global Risk Report, “Widespread cybercrime and cyber insecurity” is ranked as the 8th risk on both the 2-year and 10-year horizons. With increasingly complex cyber espionage and cybercrime, such as loss of privacy, data fraud or data theft, a compromise of information security protection may lead to data leakage and extortion risks, and even core system disruptions, causing serious business losses and damage to goodwill.

In view of the growing importance of information security and increasingly rampant cyber attacks, WT’s Information Security Department is headed by a Chief Information Security Officer at the level of deputy general manager. The Department, composed of one dedicated director and two dedicated personnel, is responsible for information security risk management, incident investigation, system vulnerability disclosure, and the evaluation and introduction of information security systems, etc. Following the establishment of the Sustainable Development Committee, information security management strategies and results will also be presented to the Sustainable Development Committee before being submitted to the Board. There were no major information security incidents involving sensitive information leakage or information service disruption in 2023, and no financial losses were caused to customers or suppliers by information security incidents.

Information security certifications are used as a mechanism to check and continuously improve information security professional capabilities. In 2023, a total of six international certifications in information security governance, information security management and auditing were obtained, including CEH Master, CISA, and ISO 27001 Lead Auditor. In addition, WT has joined joint information security defense organizations such as the Taiwan CERT/CSIRT Alliance and the Taiwan Chief Information Security Officer Alliance to strengthen the joint defense system by identifying relevant information security trends and sharing threat intelligence. At a meeting of the Taiwan Chief Information Security Officer Alliance in 2023, WT shared its supply chain security practices, explaining how it helps vendors improve their information security capabilities and strengthen overall supply chain security protection.

Regular refresher training to raise employee security awareness

As conventional information security protection boundaries are no longer sufficient on their own, employee security awareness has become an important part of information security management. Since 2021, randomly selected phishing templates have been sent out every month as social engineering exercises. For employees who click on the phishing emails, a system is in place to require refresher training, notify their direct supervisors, and track the training results, in order to reduce information security threats caused by employees lacking security awareness.


Implementing information security management system to upgrade corporate information security resilience

Based on ISO 27001 and NIST CSF, WT introduced and strengthened its security control measures, constantly evaluates its information security protection mechanisms at the point, line and plane levels, and develops different combinations of techniques. It also adopts a defense-in-depth approach and security-by-design principles to further strengthen multi-layer security in eight aspects: management, data, endpoint, application, network, third-party supply, business continuity and emergency response, and intelligence integration and joint defense, so as to reduce the impact of information security risks to acceptable levels and continuously monitor residual risks. In addition, ISO 27001 verification and red team exercises were performed by third-party institutes to verify the effectiveness of management mechanisms and system security protection, and to strengthen information security resilience. WT is ISO/IEC 27001:2013 and CNS 27001:2014 verified via TCIC, with certificates valid until 2025. The information security measures it took in 2023 with regard to the five NIST CSF core functions were as follows:

Five major measures to improve information security control and network protection

WT adopts a defense-in-depth approach, security-by-design principles, and the continuous threat exposure management (CTEM) concept to identify assets that lie on exploitable attack paths. WT manages these risks to reduce the probability and impact of threats. Its information security control measures in 2023 include:

Response to customers’ information security concerns

WT relies heavily on information systems and online transactions to conduct business with its upstream and downstream partners. WT regularly returns information security self-assessment questionnaires to customers and vendors, and communicates with them on specific information security issues from time to time. In addition, to meet customer requirements, a third-party information security service provider commissioned by a customer performs host vulnerability scanning and penetration testing to verify supply chain information security.

Business continuity and emergency response

24/7 information security monitoring

WT has a dedicated information security mailbox to receive information security notifications from external sources to inform internal security improvement.

Regular information security incident exercises to ensure recovery in the shortest possible time

To enhance corporate resilience and maintain high availability of the information systems, tests and exercises are conducted at least once a year according to the business continuity plan of the information security management system. The exercise involves simulating an incident in the main system, switching main data center operations to the offsite location, keeping a detailed record of the exercise and its results, and subsequent review and follow-up for continuous improvement.

In 2023, the number of unexpected power outages decreased by 25% relative to 2022. Nevertheless, WT continued to conduct a power supply abnormality exercise to ensure that emergency generators can be activated immediately and normal operation of the facilities and systems can be maintained. The exercise proved that the emergency response procedures were appropriate and all the facilities and systems were in normal operation.

Setting up information security notification system for hierarchical management and rapid response

WT has security incident management procedures in place, which classify information security incidents into four levels and specify notification procedures for each. The individual who spots a suspected information security incident reports it to IT or information security personnel, who then determine whether it is an incident and its level before escalating accordingly. A critical incident is immediately reported to the Chief Information Security Officer, who passes it on to the General Manager for emergency response.

The information department must contain and resolve information security incidents within the target time, and conduct a review and implement improvement measures after the incident is closed to prevent its recurrence. If the assessment of the incident’s cause and impact finds that it was caused by an employee’s behavior, he or she will be disciplined in accordance with the work rules.


A total of four information security incidents occurred in 2023, all of which were non-critical. Three of them involved leaked passwords, all of which were responded to and handled immediately and caused no impact; the fourth involved an external network anomaly at WT’s network service provider, and the traffic was instantly redirected to the backup route. No core services, confidential or sensitive data, or confidential information related to transactions with customers or vendors were leaked in these incidents.


The last report was released in June 2023. This report was released in August 2024.

Contact person: Pow Ling, General Director of Public Relations Department
Address: 14F, No.738, Chung Cheng Road, Chung Ho District, New Taipei City 235603, Taiwan (R.O.C.)
Telephone: +886-2-8226-9088
Email: esg@wtmec.com