Primax Group is committed to protecting customer information security to safeguard customer rights. The company has established management procedures for customer privacy and confidential information, adhering to the principle of "least privilege." Access to sensitive data related to customer projects is granted only after internal authorization, and the Group's information security department conducts regular reviews of security-related procedural documents to ensure timely updates that meet the required level of information security management in line with customer needs and demands.
Cybersecurity organizational structure
To improve the security management of the group, a Group Cybersecurity Department has been established, with the Chief Financial and Information Officer as the highest responsible person. The Information Security Department is responsible for driving information security policies and resource allocation. It is staffed with dedicated cybersecurity professionals to ensure that all information security management standards and control measures are effectively and continuously implemented.
Primax Group's Cybersecurity Management and Continuous Improvement Framework
Cybersecurity management mechanism
All customers' private and confidential information is disclosed on a need-to-know basis, and the Group has implemented three different types of control, People, Process and Technology, to ensure the security of customers' private and confidential information. Below is a summary of the three controls:
Cybersecurity management actions
- To meet the requirements of internal information security regulations and external regulatory authorities, the group has established an Information Security Management System and information security management procedures. Nine information security objectives have been formulated, and the results of their achievement are recorded on a monthly basis.
- To reinforce our cybersecurity protection capabilities, we request that vendors perform hacker penetration testing every year to analyze potential vulnerabilities and hacking scenarios through various hacking methods, in order to improve the quality of cybersecurity protection.
- To enhance application system security and mitigate risks, regular system and equipment vulnerability scans are conducted each year. Vulnerabilities with medium and high risks are promptly addressed through patching. Additionally, measures such as the implementation of a computer asset management system, client privileged account management, mobile device security protection, and strengthened mechanisms like Multi-Factor Authentication (MFA) and centralized management of privileged accounts have been introduced. These measures aim to reduce incidents involving confidential or sensitive data. The company consistently filters malicious or spam emails, employs Security Information and Event Management (SIEM) for log monitoring, and implements Data Loss Prevention (DLP) mechanisms to protect against data leakage. All these efforts are geared towards achieving real-time monitoring of anomalies and reinforcing information security management mechanisms.
- For critical systems related to company operations, regular data backups and on-site redundancy mechanisms are implemented to strengthen the enterprise's resilience against cybersecurity risks.
- We organize cybersecurity awareness training twice a year and social engineering drills six times a year, during which we use a combination of e-mail, instant messaging, and digital TV to communicate with employees on cybersecurity protection and current affairs, which in turn promotes cybersecurity awareness. Moreover, we have purchased cyber risk insurance or commercial crime insurance since June 2018 to reduce the risk of loss and liability caused by business interruption, striving to become an enterprise with outstanding performance in information security governance.
- The Company obtained the "ISO 27001:2013" international standard certification in January 2018. Currently, the certificate is valid from February 12, 2021, to February 11, 2024. Furthermore, a 5-year expansion verification plan for the period from 2023 to 2027 has been planned, and each year the company will undergo a continuation review by a third-party verification company.
Cybersecurity risk assessment
The Company inventories its information assets and updates the asset register periodically. Every year, the risks related to the information assets are appraised, and the high-risk items are controlled to lower the likelihood of risks and their impacts, for the purpose of ensuring the Company’s long-term cybersecurity. Primax has established comprehensive network and computer cybersecurity protection measures; however, malicious hackers can also try to spread computer viruses, destructive software, or ransomware across the Company's network system to interfere with our operations, extort money, gain control over our computer systems, or spy on confidential information. Such attacks may result in losses due to delayed or disrupted orders, or in the great cost of remedial and improvement measures adopted to strengthen the Company’s cybersecurity systems. To prevent and reduce the damage caused by such attacks, we continue to update and implement relevant improvement measures, such as strengthening network firewalls and network control; establishing endpoint antivirus measures depending on computer types; adopting new technologies to strengthen data protection and backup; enhancing the detection of phishing emails; and regularly performing social engineering email testing and offering employee IT security awareness training.
Internal audit of cybersecurity
The information audit task force of the Cybersecurity Department establishes the evaluation indicators based on the risks. The self-assessment and inspection of cybersecurity are conducted annually. The outcome of the assessment and supporting documents are sent to the Audit Department for verification. The Audit Department implements the information cycle audit every six months. Cybersecurity is one of the required items for audit. All audit outcomes are reported to the Audit Committee and the Board of Directors (BOD) regularly, at least annually.
Product R&D and Manufacturing Safety
The research and manufacturing units of the company have consistently conducted research and manufacturing operations in accordance with the Group's information security policy and customer requirements and expectations. Through various physical and electronic control processes, the protection of product confidential information and process technology is ensured, while also maintaining compliance with customer requirements and relevant third-party certifications.