zh-twzhen
zh-twzhen

Cyber Security Management

合一生技股份有限公司 / INVESTORS / Governance / Cyber Security Management

Cyber Security

Information security is crucial to the effective protection of the Company’s trade secrets. The Company has established an information security policy to ensure the confidentiality, integrity, and availability of its information assets. Concrete internal safeguards are also implemented to enforce information security. Oneness Biotech has listed cyber security as a material risk issue. Chairman serves as the convener of the Cyber Security Management Committee, and has authorized IT Manager to serve as the committee representative who is responsible for promoting the management and operation of cyber security, execution of the protective measures for important information, and disaster drills and the implementation plans. Any special incident occurred will be reported to the Risk Management Committee for the review of corresponding action plan.

The Cyber Security Management Committee has two subordinate execution teams: the Cyber Security Team and the Internal Audit Team. The Information Security Team, established by the IT Department, develops the information security policies and implementation plans, promotes enforcement, and reviews improvements. It reports quarterly to the Information Security Management Representative on the status of information security management. The Internal Audit Team, established by the Audit Office, is responsible for auditing and conducts at least one annual random audit of the implementation of information security policies, tracking the effectiveness of improvement plans.

In 2024, the Cyber Security Team consisted of 3 members, and the Internal Audit Team had 1 member. During the year, one information security meeting was held. Two internal audits were conducted in March and May, respectively, with no major deficiencies identified. Additionally, no significant information security violations occurred throughout the year.

Organizational Structure for Cyber Security

Develop Management Measures

  • To strengthen its cyber security management system, Oneness obtained ISO 27001 certification in March 2022. The international information security standard contributes to implementing the related management system, raising employees’ awareness of cyber security, and establishing 22 proper procedures and instructions for the use of computers and networks: the Cyber Security Policies, the Cyber Security Organization and Target Management Procedures, the Information Asset Management Procedure, and cyber security risk evaluation, physical security, operational safety, access control, and cyber security incident management.

ISO 27001 證書

  • Implemented ISO 27001:Oneness Biotech introduced the ISO 27001 Information Security Management System (ISMS) in 2021, and gap analysis and correction have been conducted after the verification scope was confirmed. The scope included both system-wise and management-wise. The implementation items included risk evaluation, vulnerability remediation, security protection, risk verification, asset inventory, risk evaluation, and education and training, while relevant documents were established. The Company received the certificate issued by the international certification company BSI on March 2, 2022. The certificate is valid until March 1, 2025.

Information Technology

  • The Company has implemented multi-layer software and hardware protection has been provided, including account password complexity authentication, host- and user-end antivirus, online behavior management, protection against malicious websites, firewall-based barrier, host data backup, data encryption, network IP management, and etc.
  • Business Continuity Plan (BCP): The BCP is activated when disaster events disrupt business operations. The Information Security Team is responsible for coordinating the response to ensure that critical information services are restored to minimum operational levels as quickly as possible, minimizing potential losses. To ensure the effectiveness of the plan and enhance personnel readiness, at least one drill is conducted annually. On March 1, 2024, a disaster recovery drill was carried out, and both the system and database were successfully restored to normal operation.

Promotion and Improvement

  • We endeavor to perfect the cybersecurity management mechanism and raise employees’ awareness of cybersecurity and self-protection. We convene at least one cybersecurity management review meeting every year in order to monitor and control the cybersecurity-related systems and related incidents of that year, communicate cybersecurity-related information to employees for a total of at least three hours per year, and conduct at least one drill to report cybersecurity incidents every year.
  • In 2024, a total of 3 cybersecurity training activities were organized, including “Information Security Training (ISO 27001)”, “Personal Data Protection Practices”, and “Management Seminar – IoT Security.” In addition, 1 email social engineering drill was executed to enhance the Company’s personnel information security awareness.

Join the Joint Defense Mechanism

  • To enhance its proactive defense strategy, the Company joined the TWCERT/CC Cybersecurity Alliance in September 2022. Through collaboration with domestic and international CERTs/CSIRTs, security organizations, academic institutions, civil society, government agencies, and private enterprises, TWCERT/CC facilitates the sharing of cybersecurity intelligence, strengthening Taiwan’s collective cyber defense capabilities. The Company actively engages in threat intelligence exchanges via this platform and leverages the alliance to expand the breadth and effectiveness of its cybersecurity defenses.
  • Vulnerability Analysis: The Information Security Team conducts annual vulnerability assessments to ensure robust cybersecurity management across the Company’s data centers, internet infrastructure, EIP system, and office environment. On February 23, 2024, a system vulnerability scan was carried out, followed by an in-depth analysis of the identified risks. Based on the results, targeted remediation measures were implemented to mitigate potential threats and strengthen overall system security.

Flowchart of Reporting and Responding a Cyber Security Incident

Oneness’ Education and Training on Cyber Security in 2024

Note1: All employees / high-risk employees or specific departments, calculated based on the total number of people in the course for that month

Note2: Coverage rate = Number of participants / All employees 

Oneness Biotech Information Security Management Result

※The above content is taken from the ESG Report