Formosa Laboratories 2022 Material Topic: The Management of Information Security

Information Security Management


The Company is responsible for reviewing the information security governance policies of each unit and supervising the operation of information security management. Through the management, planning, supervision, and promotion of professional information security units, it aims to build a comprehensive information security protection mechanism and strengthen the information security awareness of colleagues.
The Information Department is responsible for coordinating, managing, and supervising information security operations, which mainly cover the information services provided by the department and the needs of the Company's other departments. We regularly conduct vulnerability scans, effectiveness checks of protective systems, and other related security testing tasks. We regularly assess information security risks and report to the information supervisor, and we provide security awareness and educational training courses. Through the operation of the Information Department and the implementation of security policies, we provide a secure information environment that safeguards all company services.

Formosa Laboratories' measures to protect software, hardware equipment, and data for information security:
  1. Computer Room: The physical servers and related equipment used for the Company's infrastructure information system platform are all housed in a computer room with access control. Only authorized personnel and administrators are allowed entry.
  2. Hardware: The Company's servers, network equipment, and other hardware are designed with backup fault tolerance and clustering to ensure high availability of the system and hardware equipment.
  3. Storage Equipment: The Company utilizes physical equipment for data storage and backup, complemented by designs such as disk arrays and redundancy, to improve data protection and availability.
  4. Firewall: The Company has installed network security devices that can block different networks, preventing external unauthorized users from intentionally damaging, attacking, or tampering with the system and data to ensure their integrity.
  5. Intrusion Detection and Defense System: The Company identifies attack behaviors and system vulnerabilities based on the built-in feature database, providing administrators with early warning, evidence collection, and recording, as well as proactive response.
  6. All company computers must have antivirus software installed.
  7. Computer systems must enforce account and password controls, and passwords must be updated regularly.
  8. The IT system is equipped with a UPS (uninterruptible power supply) to prevent damage caused by power outages.
  9. Employees working remotely must connect to the Company through a VPN.
  10. System backups and offsite backups are performed every day.
  11. Disaster recovery drills are conducted regularly.
  12. Screen Protection Program: The Company has set up a system that automatically locks the workstation when the user leaves the seat or the computer is idle for a period of time. To unlock the computer, the user must enter their username and password, so that a new authenticated access session is established with the control system.
  13. It is recommended that all personal computers be turned off after work to save energy, reduce carbon emissions, and minimize the risk of unauthorized access.

In addition, the Company regularly reviews its information security policies to ensure the effectiveness of information security practices, following the latest government regulations, technology, and business developments. It also continues to monitor trends in the field of information security, constantly improving security measures to ensure the security of company information.

In addition to conducting annual internal training on information security for employees, the Company also regularly conducts information security drills for specific departments, including email social engineering drills and remote recovery drills, to enhance employees' awareness of information security risks and ensure the integrity and security of data. Furthermore, regular GMP training is held every year, since some aspects of GMP relate to information systems, such as production automation control, office automation, partial automation control, quality management, research and development (key document data held in the central control system), injections, etc. Together these establish a comprehensive training mechanism for information security.


Formosa Laboratories Information Security Management Measures

External Threat Defense
  • Regularly scanning and patching vulnerabilities in the information system to reduce the risk of intrusion
  • Using firewalls and intrusion detection defense equipment to block external network malicious attacks
  • Using email filtering software to filter out spam emails, viruses, and malicious links
  • Installing antivirus software on employees' computers to prevent virus attacks and threats
Internal Management
  • Strengthening employee awareness and advocating information security
  • Users must have software installations confirmed by IT personnel before installation
  • Operating system login uses an OTP (One Time Password) verification mechanism in addition to the user account and password
  • Visitors and guests must request approval before using the Company's wireless and wired networks
  • Arranging unannounced email social engineering drills (at least once a year) for units involved in the flow of funds, such as the Finance Department, Procurement Department, Sales Department, and other departmental business executives, as well as company (deputy) managers and above, and organizing educational training afterwards
  • Introducing a document encryption system to prevent the risk of confidential and sensitive data leakage
  • Introducing access control software to record users' internet usage, access to network files, and USB access behavior
  • Using backup software to perform data, server image file, and application backups locally, and also backing them up in a remote data center
  • Conducting information system restoration drills twice a year, once in the first half and once in the second half, to ensure the accuracy and integrity of backup data, and keeping a record of the process

We conduct information security inspections in accordance with a rigorous cGMP system. As a GMP-certified factory, the Company undergoes facility inspections by the US FDA every three years, by the TFDA annually, and by customers approximately 40 times per year through irregular checks on the security of our information systems. Our important information systems follow GAMP5 for computer validation and comply with the requirements of US FDA 21 Part 11 regulations. Additionally, the Company's information systems are audited annually by PwC Taiwan.

Formosa Laboratories continues to manage information security, including training and promotion, drills, control, and review. It also anticipates management methods for 2023 to enhance the security system and prevention measures, replace outdated systems, and increase the frequency and intensity of education and practical drills.


Formosa Laboratories 2022 & 2023 Information Security Management Key Points
