Information Safety

Information Security Management System and Protection

The “Information Security Policy” and “Management Rules for Technical and Confidential Information” were drawn up by Winbond to protect confidential company information such as trade secrets and IP, and ensure proper protection of customer privacy. In 2020, Winbond applied for the ISO 27001 Information Security Management System and successfully passed the verification in February 2021. This certification covers the server rooms, information systems, and application systems of the Taichung and the Zhubei sites. In 2022, an extension verification was conducted for the Kaohsiung site. In 2024, we referenced the industry's production equipment information security standard, SEMI E187, and implemented and established internal management regulations to continuously enhance the information security of our manufacturing equipment computers.

In addition, starting from 2021, Winbond has implemented cloud-based information security risk assessment services for all externally provided services. This non-intrusive real-time vulnerability detection helps to mitigate external cybersecurity risks. In 2024, Winbond switched to the cloud-based security assessment service promoted by the SEMI Association. This service not only focuses on application and network security but also strengthens the assessment of personnel-related security. Winbond aims to maintain a rating of 90 points or above and continues to adopt other information security solutions to enhance the comprehensiveness of information security management and control measures.

ISO 27001 Information Security Management System

Winbond conducted an inventory of each unit’s information assets in 2020 based on the ISO 27001:2013 Information Security Management structure. These included a risk assessment, consolidation of all internal controls and existing documentation, establishment of a complete information security environment, and compliance with all of the standard’s requirements. Certification by an external body was obtained on February 25th, 2021 (Valid date of certification: 2025/10/31). Winbond is continuing to pursue the three main goals in information security:
(Confidentiality) ‒ Data
(Integrity) ‒ Data and Systems
(Availability) ‒ Systems and Services

Winbond operates in accordance with the implementation procedure for the “Information Security Policy”, which includes the establishment of a Chief Information Security Officer (CISO) and an Information Security Manager. The information security organization is formed by representatives assigned by relevant departments and is responsible for overseeing the company's information security governance operations, including deliberation, implementation, promotion, and auditing. Extraordinary meetings are held for major reforms or when an information security incident takes place.

Winbond continues to communicate the importance of information security to employees through education, training and bulletins every year. Data protection exercises are also held at least once every 6 months by switching to the backup system for read/write testing.

Additionally, for the security needs of important company products, access control and monitoring, information system access rights management, and access record retention and review are strengthened. Strict control is implemented on personnel entry and exit and data access to prevent unauthorized access or tampering of company information and to safeguard against theft or leakage of trade secrets and intellectual property.

Information Security Handling Process

  • Coordinate the response to information security events (cross-department coordination and release of public information)
  • Direct the appropriate level of responses to the information security event, and report to the superior based on the information security event level
  • Conduct an information security meeting every quarter to review performance
  • Once an event report is received, assess the scope and severity of impact
  • Carry out information security incident report procedure
  • Isolate problem system and devise solution
  • Report to superior once event has been resolved
  • Assess and analyze the cause of the event then devise a preventive strategy
  • Provide resources and solutions

2024 Information Security Management Performance

Information Security Education and Training
  • Monthly issuance of information security advocacy
  • Quarterly information security education and training

Information Security Performance Management
  • The information security awareness training program has been attended by over 14,000 participants
  • A total of 12 information security advocacy were issued
  • A total of 69 new systems were launched in 2024, the high-risk code correction and improvement rate was 100%, and the program coverage rate of source code scanning was 100%

Passed High-Level Information Security Certification
 
In November 2015, Winbond’s TrustME™ and its associated operating environment received EAL 5+ certification from the international organization Common Criteria. The certification indicated that Winbond’s product information security controls complied with the requirements of Common Criteria. Winbond was therefore certified to produce trusted security products that comply with international standards for the protection of customer information and assets. Common Criteria’s validation of TrustME™ memory products encompassed the Design & Development, Production, and Delivery phases. The new Jhubei building was commissioned in 2020 and a remote audit was conducted due to COVID-19. The audit found that all of the relevant procedures and environments met the requirements of Common Criteria EAL 5+.

Supplier Information Security Management

Permissions-based control has been implemented by Winbond through our internal information security system to protect the privacy of our suppliers. Physical documents are centrally stored in the purchasing document management database. Information security clauses are attached to all orders for information security management at our suppliers. Suppliers must conduct a self-assessment on information security management during the annual audit for review by Winbond’s Information Security department. An on-site audit is also conducted at suppliers every two years. During the 2020 supplier's conference, we invited suppliers to share their experience on preventive measures in information security and on information security management.

Information Security Clauses for Suppliers

The sign-off rate of supplier information security clauses reached 100% in 2024.
  • Products delivered by suppliers should not harbor potential information security threats such as viruses, back doors or Trojan horses that may impact Winbond operations.
  • The necessary patches and safety updates must be provided to ensure that there are no information security vulnerabilities.
  • If there is an information security event, a swift and effective solution must be provided. Corrective and prevention measures must also be proposed to minimize the damage.

Protection of Customer Privacy

Winbond Electronics strictly manages customer information. All business information, such as documents and information on customer interactions, is stored in Winbond’s internal highly-protected system. Winbond approves and releases work access rights for our employees based on the relevant operational guidelines and procedures. In order to ensure that Winbond is able to protect customer privacy and prevent business secrets and intellectual property rights from being stolen or leaked, Winbond obtained the ISO 27001 Information Security Management Systems certification in 2021, establishing a comprehensive information security protection system.

Winbond Electronics has already made the required adjustments to remain compliant with the European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018, amending Winbond’s official website and re-inspecting the information of all website members. The GDPR has also been included in online courses on the Personal Data Protection Act. In 2024, 100% of new employees completed their training by passing the examination.

In 2024, Winbond continued to have no reported incidents where Winbond violated customer privacy or lost customer information, or where Winbond was fined for violating product liability laws and regulations.
