As cyber security is crucial for trade secret protection, Oneness has formulated information security policies and concrete protective measures to enhance cyber security. The Information Department has established a Cyber Security Team responsible for formulating cyber security policies and implementation plans, promoting implementation of the policies and plans, and reviewing the implementation for improvement. The Team reports the current status of information security management to the representative of the cyber security management committee on a quarterly basis. The Audit Office has also established an Internal Audit Team to perform audits on the implementation of cyber security policies twice a year, and to track the effectiveness of improvement plans. In 2024, the Information Security Team consisted of 2 members, while the Internal Audit Team consisted of 1 member. During the year, 1 information security meeting was held, and no major information security violations occurred. On November 11, 2024, the operational status was reported to the Risk Management Committee and the Board of Directors.
Oneness Biotech has listed cyber security as a material risk issue. The Chairman serves as the convener of the Cyber Security Management Committee, and has authorized the Chief Information Officer to serve as the committee representative who is responsible for promoting the management and operation of cyber security, execution of the protective measures for important information, and disaster drills and the implementation plans. Any special incident that occurs will be reported to the Risk Management Committee for review of the corresponding action plan.
Oneness Biotech introduced the ISO 27001 Information Security Management System (ISMS) in 2021, and gap analysis and correction were conducted after the verification scope was confirmed. The scope covered both system and management aspects. The implementation items included risk evaluation, vulnerability remediation, security protection, risk verification, asset inventory, risk evaluation, and education and training, and the relevant documents were established. The Company received the certificate issued by the international certification company BSI on March 2, 2022. The certificate is valid until March 1, 2025.
Organizational Structure for Cyber Security
Develop Management Measures
To strengthen its cyber security management system, Oneness obtained ISO 27001 certification in March 2022. The international information security standard contributes to implementing the related management system, raising employees’ awareness of cyber security, and establishing 22 proper procedures and instructions for the use of computers and networks, including the Cyber Security Policies, the Cyber Security Organization and Target Management Procedures, the Information Asset Management Procedure, and procedures for cyber security risk evaluation, physical security, operational safety, access control, and cyber security incident management.
Information Technology
The Company has implemented multi-layer software and hardware protection, including account password complexity authentication, host- and user-end antivirus, online behavior management, protection against malicious websites, firewall-based barriers, host data backup, data encryption, and network IP management, among others.
Promotion and Improvement
We endeavor to perfect the cybersecurity management mechanism and raise employees’ awareness of cybersecurity and self-protection. We convene at least one cybersecurity management review meeting every year in order to monitor and control the cybersecurity-related systems and related incidents of that year, communicate cybersecurity-related information to employees for a total of at least three hours per year, and conduct at least one drill to report cybersecurity incidents every year. In 2023, a total of three cybersecurity training activities were organized, including personal data protection and smartphone security, AI application practice and cyber security for listing, and other educational trainings. In addition, four email social engineering drills were executed in 2023 to enhance the information security awareness of the Company’s personnel, resulting in a phishing success rate of 9.13%.
Join the Joint Defense Mechanism
In an effort to strengthen the proactive defense strategy, Oneness joined the TWCERT/CC Information Security Alliance in September 2022 to exchange cyber-threat related information through this platform from time to time. The goal is to expand the breadth of the Company’s information security protection through this joint defense mechanism.
Flowchart of Reporting and Responding to a Cyber Security Incident
Oneness’ Education and Training on Cyber Security in 2023
Note 1: The certification for ISO 27001 Lead Auditor is valid for three years. In 2022, a total of 2 employees completed the training, and in 2023, 1 employee completed the training. In 2023, the IT department achieved a 100% certification rate for ISO 27001 Lead Auditors.
Note 2: The total number of participants for each course includes all employees, high-risk employees, or specific departments, calculated based on the number of employees in the respective month.
Oneness Biotech Information Security Management Result
※The above content is taken from the ESG Report