Information Security Risk Management Framework
The CISO is the person in charge of assembling and leading the information security team. The team is responsible for coordinating, planning, executing, and analyzing information security events. The team consists of a strategy group, a technology group, and an audit group.
Information Security Policy
- The strategy team is responsible for planning and promoting information security policies, management practices and product or service introduction programs.
- The technology group is responsible for actual certification testing, implementation, and subsequent support for implementation of the information security policy and related equipments or Services.
- The inspection team is responsible for assisting the internal independent audit unit to review whether the information security policy and each process are actually implemented on a quarterly basis, and to propose improvement plans、track follow-up implementation according to the audit reports.
- The information security team performs regular planning and review of information security protection measures according to the PDCA cycle.
Specific Plan and Resources Invested in Information Security Management
- Implementing anti-virus endpoint protection software on personal computers and servers.
- Internet firewall shall be equipped with application identification capability to enhance the defense capability against external attacks.
- Intranet firewall should list explicitly allowed services.
- The identification module automatically separates employees from visitors and segregates access paths.
- An advanced threat protection module is added against junk mail, and prevents phishing emails from stealing sensitive data.
- The active alert system automatically notifies threats occurred and configuration changed.
- Implement multi factor authentication(MFA) to reduce the risk of account leakage.
- Continuous social engineering rehearsal and training to enhance employee information security awareness.
- Continuous providing professional training for security colleagues to ensure meet information security standards.
- WT obtained the ISO 27001 Information security management certification to reinforce information security of operations.
Information security is the Company‘s last line of defense against significant impact. Therefore, in addition to continuously strengthening the investment in information security equipment, the Company also continues to increase investment in information security equipment and software and strengthen data redundancy. Such measures include:
Information Security Management Plan
- Local data snapshot, provide the fastest way to restore data when hardware is not damaged.
- Offsite replication, replicate data to backup data center over 30km in real-time and create remote data snapshot for double protection.
- Offsite tape, daily full backup and store the tape offsite.
- Regularly perform switch main data center to the remote backup center so as to ensure disaster recovery in the shortest time possible.
For more detailed, please refer to WT ESG website.