Information Security Management
Information Safety
Information Security Action Plans
The “Information Security Policy” and “Management Rules for Technical and Confidential Information” were drawn up by Winbond to protect confidential company information such as trade secrets and IP, and ensure proper protection of customer privacy. ISO 27001 ISMS was introduced in 2020 as part of Winbond’s information security management overhaul and certification was granted in February 2021.
| ISO 27001 Information Security Management system |
|
| |
 |
Winbond conducted an inventory of each unit’s information assets in 2020 based on theISO 27001:2013 Information Security Management structure. These included a risk assessment, consolidation of all internal controls and existing documentati on, establishment of a complete information secur ity environment, an d compliance with all of the standard’s requirements. Certification by an external body was obtained in February 25th, 2021(Valid date of certification:2024/2/24). Winbond is continuing to pursue the three main goals in information security : |
 |
(Confidentiality) ‒ Data |
 |
(Integrity) ‒ Data and Systems |
 |
(Availability) ‒ Systems and Services |
|
Winbond in accordance with the implementation procedure for “Information Security Policy.” The body is responsible for the company’s information security control activities including recommendations, deployment, promotion, and audits. Regular meetings are convened to discuss and make decisions on information security topics in HR, physical security, information security, and logical security. Extraordinary meetings are held for major reforms or when an information security incident takes place. Winbond continues to communicate the importance of information security to employees through education, training and bulletins every year. Data protection exercises are also held at least once every 6 months by switching to the backup system for read/write testing.
To keep important company and product information secure, Winbond has strengthened our access control, security surveillance, information system access permissions management, as well as the recording and reviewing of access logs. Personnel and data access are both rigorously controlled to prevent unauthorized access and tampering as well as the theft and leakage of trade secrets and intellectual property.
Information Security Handling Process
| |
- Coordinate the response to information security events (cross-department coordination and release of public information)
|
- Direct the appropriate level of responses to the information security event, and report to the superior based on the information security event level
- Conduct an information security meeting every quarter to review performance
|
- Once an event report received, assess the scope and severity of impact
- Carry out information security incident report procedure
- Isolate problem system and devise solution
- Report to superior once event has been resolved
- Assess and analyze the cause of the event then devise a preventive strategy
|
- Provide resources and solutions
|
2020 Information Security Management Performance
| Information Security Education and Training |
2,667 people received information security training and completion rate was 100% |
| 2,531 people received Personal Information Protection Act training and completion rate was 100% |
| Information Security exercises |
1 social engineering training and test |
| 1 FAB virus exercise |
| 1 vulnerability scan |
| Passed High-Level Information Security Certification |
|
| |
| In November 2015, Winbond ’s TrustMETM and its associating operating environment received EAL 5+ certification from the international organization Common Criteria. The certification indicated that Winbond ’s product information security controls complied with the requi rements of Common Criteria. Winbond was therefore certified to produce t rusted security products that comply with international standards for the protection of custo mer information and assets. Common Criteria ’s validation of TrustMETM memory products encompassed the Desig n & Development, Production, and Delivery phases. The new Jhubei bu ilding was commissioned in 2020 and a remote audit was conducted due to COVID-19. The audi t found that all of relevant procedures and environments met the requirements of Common Crit eria EAL 5+. |
Supplier Information Security Management
Permissions-based control has been implemented by Winbond through our internal information security system to protect the privacy of our suppliers. Physical documents are centrally stored in the purchasing document management database. Information security clauses are attached to all orders for information security management at our suppliers. Suppliers must conduct a self-assessment on information security management during the annual audit for review by Winbond’s Information Security department. An on-site audit is also conducted at suppliers every two years. During the 2020 supplier's conference, we invited suppliers to share their experience on preventive measures in information security and on information security management.
| Information Security Clauses for Suppliers |
|
| |
 |
|
Products delivered by suppliers should not harbor potential information security threats such as viruses, back doors or Trojan horses that may impact Winbond operations. |
|
The necessary patches and safety updates must be provided to ensure that are no information security vulnerabilities. |
|
If there is an information security event, a swift and effective solution must be provided. Corrective and prevention measures must also be proposed to minimize the damage. |
|
Protection of Customer Privacy
Customer-related information are closely controlled by Winbond. All customer commercial information such as customer correspondence and data are retained in Winbond’s secure internal systems. The approval and authorization of internal personnel permissions all adhere to the relevant operating guidelines and procedures. All Winbond employees have been required to pass the “Information Security Awareness” course since 2013. The personal smartphones of employees at our Jhubei office building must all be registered and install a camera management that disables the camera on company premises to keep R&D and production data secure. Metal detectors are installed at the entrances of foundries and fabs to control the movement of IT devices on the production line; AI technology is used to manage contractor access to the site through facial recognition. These measures Winbond’s proper protection of customer privacy and defense against the theft or leakage of trade secrets and IP. The ISO 27001 Information Security Management System certification obtained in 2020 was used to improve the integrity of the information security system.
The EU “General Data Protection Regulation” (GDPR) took effect in May, 2018. Winbond has updated our website, reviewed our online membership details and made appropriate adjustments in accordance with the requirements of GDPR. The relevant regulations of GDPR were also incorporated into the Personal Information Protection Act online course.
