Information Security and Privacy Management Policy


1. Introduction

1-1. Purpose
  • This policy establishes the guidelines for Acer e-Enabling Data Center Inc. (hereinafter referred to as "acer eDC") to handle its own and customer information assets securely and consistently. It aims to protect against various potential information security and privacy breaches in response to extensive information security threats and strengthened privacy protection.
1-2. Scope
  • Applicable to all regular employees, contracted employees, suppliers, outsourcing vendors, customers, and cloud tenants of acer eDC. In this policy, the term "users" is used to encompass all the aforementioned entities.
  • Applicable to information assets accessed by both internal and external users of acer eDC, covering confidentiality, integrity, availability, and privacy.
  • Applicable to services provided by acer eDC, including data center maintenance services, network management and security services, hosting services, and cloud services. For detailed information, refer to the "Acer eDC International Certification Service Content Mapping Table."
1-3. Policy Requirements
  • Must be formally communicated and understood by users.
  • Updates must be clearly marked with an effective date.
  • Employees should comprehend and willingly adhere to the content.
  • Employees engaging in information security and privacy violations will be subject to company-defined penalties.
  • Applicable to both physical and virtualized environments, covering both owned data centers and cloud environments.

2. High-Level Security Management Policy

2-1. Security Governance Commitment
  • Committed to maintaining the confidentiality, integrity, availability, and privacy of information assets.
  • Ensure the privacy rights and personal data of relevant users are not compromised.
  • Enhance employees' information security skills and awareness, establishing a secure and trustworthy image.
  • Construct a comprehensive information security and privacy management system to comply with international standards.
  • Provide appropriate and necessary company resources to support the refinement of management systems.
  • Drive continuous improvement in information security and privacy management.
2-2. Security Management Principles
  • Clearly identify relevant stakeholders and internal/external issues related to information security and privacy management based on organizational goals and environment. Express and implement these through policies, procedures, standard operating procedures, plans, reports, records, etc.
  • As the controller and processor of Personally Identifiable Information (PII), establish responsibilities and obligations according to relevant laws, regulations, judicial decisions, administrative decisions, contracts, etc. Refer to the "Personal Data Management Manual" for details.
  • Establish a consistent information security and privacy management system systematically processing related operations through documentation and procedures.
  • Conduct periodic risk assessments for information security and privacy management, evaluating risks, opportunities, and corresponding mitigation measures.
  • Perform regular internal and external audits for information security and privacy management, implementing corrective actions as needed.
  • Regularly assess and provide relevant resources to enhance employees' capabilities, awareness, and technical skills in information security and privacy management.
  • Establish communication procedures to effectively communicate information security and privacy management issues with relevant internal and external users and stakeholders.
  • Continuously monitor, measure, analyze, and evaluate operations to understand the appropriateness, suitability, and effectiveness of information security and privacy management.
  • Establish physical or virtual segmentation for cloud and virtualized environments, protecting the information and privacy data security of each tenant.
  • All contracts and agreements will be based on relevant laws, regulations, and industry best practices related to personal data and privacy protection.

3. General Security Management Policy

3-1. Information Security and Privacy Management Organization
  • To ensure the effective implementation of the information security and privacy management system and achieve the continuous normal operation of business and services, acer eDC clearly defines the information security and privacy management organization and the responsibilities of relevant personnel. Refer to the "Information Security and Privacy Management Organization Procedures Manual" for details.
  • The highest authority unit is the "Information Security and Privacy Management Committee," chaired by the highest management executive of acer eDC. Members are selected by the convener from various unit managers or professional colleagues. In addition to announcing and updating information security and privacy management policies, appropriate resources and support are provided.
  • The "Information Security and Privacy Management Committee" establishes the position of "Executive Secretary" to assist in the operation of the committee and information integration.
  • The "Information Security and Privacy Management Committee" establishes the position of "Chief Information Security Officer (CISO)", who also serves as the "Data Protection Officer (DPO)" and is responsible for overseeing the promotion and implementation of the information security and privacy management system of acer eDC.
3-2. Human Resource Security
  • All employees must undergo awareness education, training, and assessment relevant to their job responsibilities. Management units are responsible for providing employees with sufficient resources to meet job requirements.
  • Awareness education and training for information security and privacy management should follow the "Information Security and Privacy Management Education Operations Procedure."
  • Employees and specific positions with access to sensitive information and systems (such as department-level or above executives, finance, procurement, and facility management) must undergo background verification checks as part of the hiring process. The contracts of all employees and contractors should articulate their responsibilities for information security and privacy management.
  • Employees and contractors must adhere to established policies and procedures for security matters during their employment. Upon resignation or contract termination, they must fulfill confidentiality obligations as stipulated in their contracts.
  • Violations of the information security and privacy management policy of acer eDC will result in appropriate disciplinary procedures conducted through the human resources department.

3-3. Information Classification
  • Acer eDC defines information to include data and documents, with information formats encompassing digital and hard-copy formats. Information assets include information and related equipment and facilities.
  • Details regarding the security levels of company documents are outlined in the "Document Management Procedures."
  • All information assets must have assigned owners, and when an owner is transferred or leaves the company, another employee must be assigned responsibility.
  • Acer eDC adopts a consistent security framework for the classification of all information and acknowledges its management responsibility. The information classification system applies universally, regardless of processing technology, source, format, storage location, or usage method.
  • All users who may come into contact with sensitive information must be familiar with and adhere to the information classification policy of acer eDC.
  • The information classification system follows the principle of "need to know," meaning that information should only be disclosed to individuals who need to know within the scope of their job responsibilities.
  • The entire process of information, from generation to destruction, should be protected, irrespective of its storage location, method of acquisition, processing technology, or purpose, and regardless of its sensitivity.
  • Information owned by acer eDC is assigned an owner, as detailed in official documents. Information assets include, at a minimum, databases, data files, application systems, operational documents, training materials, operational or support procedures, backup systems, etc.
  • Owners are responsible for the quality of the information itself, risk assessments, information classification, determining the use of information, and recommending access permissions. This includes the rights to generate, classify, modify, delete, and archive information, but classification needs approval from department heads or as designated by the "Chief Information Security Officer."
  • All systems containing sensitive information must have access controls to ensure that it is not improperly disclosed, modified, deleted, or unusable.
  • Mobile devices and portable storage media must be clearly defined.
  • In areas crucial to the operations of acer eDC, the use of mobile devices and portable storage media is prohibited without approval. If needed, there must be control measures.
  • Connections of mobile devices to the networks where the company's important servers are located must be approved, and their network access must have appropriate regulations.
  • If mobile devices and portable storage media contain sensitive information, there must be appropriate protective measures to prevent data leaks, along with an audit mechanism to ensure data security.
  • If mobile devices and portable storage media are company assets, there must be data security measures during delivery, loss, or disposal.
  • Devices not issued by the company, including personal laptops, phones, tablets, etc., are not allowed to connect to the company's internal network without approval.
3-4. Access Control
  • Users are granted appropriate permissions and accounts based on their roles, responsibilities, and the principle of least privilege. Relevant requests or terminations must be made according to company policies and procedures.
  • The specific execution steps and requirements of access control should adhere to the "Access Control Procedures."
  • User accounts and passwords must be securely managed to prevent leakage or unauthorized access. The lifecycle of accounts and passwords should follow the security regulations of the company or respective systems.
  • Systems and applications must have the capability for access control. The use of login credentials, passwords, privileged programs, or accounts should comply with the security regulations and procedures of acer eDC.
  • In virtual or public cloud environments, security isolation mechanisms between different tenants must be considered. This ensures that resources and information are not accessed or interfered with by others. Strengthening the security protection mechanisms of each virtual resource is necessary.
3-5. Cryptography Management
  • For information systems providing external services, if the transmitted data involves sensitive or private information, relevant encryption or password measures must be in place. Additionally, there should be protective mechanisms for the lifecycle of keys.
  • When information systems issue keys to tenants or users, procedures and control mechanisms must ensure that there is oversight from issuance to termination.
  • Sensitive documents or information stored in information systems or personal computers must undergo encryption measures according to company regulations.
3-6. Physical and Environmental Security
  • The office and data center environments should have clearly defined security boundaries, accompanied by relevant security requirements and protection specifications. Adequate security control measures must be implemented.
  • Offices and data center locations must implement appropriate access control to prevent unauthorized access to or damage of information assets. Information systems providing services should be located in areas with access control, permitting entry only to authorized personnel.
  • Offices and data centers should be equipped with appropriate security apparatus to detect various disasters, and these security tools must be regularly inspected.
  • Visitors entering the office must be accompanied by reception personnel to designated areas or meeting rooms, and entry into general office spaces is not allowed.
  • Visitors must undergo an application and review process, register for entry and exit, and can only enter data center areas accompanied by relevant department personnel.
  • Public areas and loading/unloading zones must establish secure segregation from offices and data centers, with relevant protective or surveillance facilities in place.
  • Public utilities, electrical systems, and communication pipelines must have secure protection mechanisms to ensure availability and integrity.
  • Items or equipment with frequent access must follow the "Personnel, Item, Vehicle Entry and Exit Management Procedures."
  • Secure removal of sensitive information from information assets must adhere to the "Information Asset Retirement Procedures."
  • If office or data center spaces are not constantly supervised by personnel, relevant monitoring and security protection measures should be established.
  • Employees must adhere to computer screen protection and desktop clearance principles. Owners of spaces or cabinets containing sensitive data must lock them when leaving the office premises.
3-7. Operational Security
  • Relevant operational documents, capacity, and change management for information systems and services are executed in accordance with ISO/IEC 20000 specifications.
  • Acer eDC implements network segregation for production, development, and testing environments, ensuring that production data is not used in development and testing environments.
  • Operational information systems and personal computers must have mechanisms to prevent malicious programs, and these preventive measures must be continuously effective.
  • Important information stored in information systems must be regularly backed up to meet legal, regulatory, or contractual requirements. Important information refers to data that can assist in business or operational recovery after a disaster.
  • Management or access operations of information systems must maintain log information, ensuring the confidentiality, integrity, availability, and privacy of the information, and synchronizing log record times.
  • Relevant log data is accessible only to authorized personnel, and retention periods are set in accordance with legal, regulatory, and contractual requirements.
  • Log information must be usable for analyzing operational status or trends, investigating abnormal events, or preserving evidence.
  • To prevent employees from installing or using inappropriate software that could lead to data theft, information system damage, or the opening of backdoors, software installed or used in operational information systems must comply with the specifications of the "Intrusion Prevention and System Strengthening Procedures."
  • If there is a need to use software outside the specified regulations, an application and review process must be followed. Applicants must fill out the "Software Usage Application Form," and installation and usage are only allowed after approval.
  • Regular vulnerability scanning, threat detection, and other protective measures are implemented to ensure the security of information systems, and subsequent strengthening measures are taken based on the results.
3-8. Communication Security
  • Network connections must follow an application and approval process, and designated personnel are responsible for maintaining their configuration. Unauthorized installation of network communication-related hardware or software on the physical or virtual networks by employees is strictly prohibited.
  • Implement appropriate network protection measures and establish related protective rules to ensure the security and controllability of internal and cloud networks. Backup copies of protective rules must be maintained.
  • Depending on the security level and application of each information system and service, establish appropriate isolation mechanisms to prevent arbitrary or malicious connection activities.
  • Employees should exercise caution regarding the security of their network connections and the use of email. A security control mechanism must be in place to reduce the risks of malicious attacks or data leakage.
  • When utilizing networks, email, or physical media for data transmission, prioritize the transmission of non-sensitive data. If it is necessary to transmit sensitive or privacy-related data, ensure that it is done under protective encryption measures and document the process.
  • When accessing networks or exchanging data with external organizations or individuals, adhere to company regulations, and if necessary, establish confidentiality or nondisclosure agreements.
3-9. Application System Acquisition, Development, and Maintenance
  • Security oversight and management of application systems are the responsibility of the senior executives in the relevant departments of the company. Responsibilities include reviewing security considerations in system acquisition or development and supervising system maintenance operations in accordance with security requirements.
  • Before the acquisition or development of a system, conduct a business risk assessment with a core focus on data security and privacy. Consider external and internal regulatory and standard requirements. Document and record related requirements and assessments.
  • Information security design should be integrated into the system development process, covering requirements analysis, system development, and system testing. Input, output, and internal processing should consider the security of sensitive data and maintaining the normal operation of the system.
  • Isolate the development environment and the production environment of application systems. Implement appropriate control measures for testing data.
  • Security control mechanisms or procedures must be in place for the maintenance, version control, changes, access, data backup, and recovery of application systems (including source code).
  • Outsourced development contracts should explicitly describe information security requirements, privacy management requirements, and confidentiality obligations.
3-10. Supplier Management
  • Clearly define the rights, responsibilities, and obligations regarding information security and privacy protection for both parties in contracts or agreements with suppliers. Ensure that the handling, access, and storage of relevant information comply with legal and regulatory requirements.
  • Suppliers must undergo necessary qualification assessments, acceptance procedures, and performance evaluations to confirm that the supplier's capabilities meet the conditions of procurement. The specific steps and requirements for supplier qualification assessments and performance evaluations should be carried out following ISO/IEC 20000 specifications.
3-11. Security Incident Management
  • Any events that may cause harm to the confidentiality, integrity, availability, or privacy of information assets, or violate relevant laws, regulations, or contracts, must be immediately reported and handled upon discovery. Disclosure to regulatory authorities or involved parties must be made according to responsibilities and regulations.
  • It is necessary to prepare, regularly update, and test security incident response procedures (see "Incident Management Procedure Manual"), including detailed steps to resolve issues and supporting information, to ensure that the harm to information security and privacy can be promptly and effectively addressed.
  • Security incident response procedures should define different processing levels and the procedures required to handle events at each level.
  • After a security incident occurs, relevant information must be collected and documented until the company decides not to take legal action or use such information.
3-12. Business Continuity
  • To address the risks posed by various disasters, appropriate backup or redundancy mechanisms must be in place for all information assets, and backup and recovery plans for various operations and services must be formulated.
  • The plan includes recovery time objectives, recovery point objectives, the recovery organization and responsibilities, disaster notification procedures, customer notification procedures, information security and privacy protection requirements, etc.
  • Regularly practice the recovery-related procedures for business and service interruptions and document the exercise process and results, or generate improvement plans or suggestions.
3-13. Compliance
  • Annually conduct regular compliance reviews to ensure adherence to regulations, and periodically review the appropriateness of relevant policies, procedures, and operational processes to meet the requirements of information security and privacy protection. Relevant regulations should be documented in the "Information Security and Privacy Management Regulatory Compliance Review Form."
  • For the handling of intellectual property and personal data, establish a unified contact point and procedure for related complaints, corrections, or removal operations.
  • Records generated in operations, including log records and access records, must comply with legal, contractual, and policy requirements regarding access restrictions and retention periods.
  • The encryption measures used and provided to tenants in operations must undergo access control and ensure their security.
  • Relevant policies should be formulated, approved, and communicated by the management level to all employees and relevant external entities. This policy should be made publicly available for company employees and external stakeholders to enhance compliance with information security and privacy management regulations and increase information transparency. Refer to: "Acer eDC Information Security and Privacy Management Policy."
  • An annual "Information Security Business Analysis Report" must be produced to understand the implementation status of policies, operational effectiveness, expectations of relevant stakeholders and groups, and potential risks.
  • Establish detailed quantifiable goals for information security and privacy management and conduct audits and reviews quarterly and annually. Include these goals in the "Information Security and Privacy Control Operations Manual" for continuous monitoring, testing, and verification to ensure the implementation of relevant policies and standards.
  • The "Information Security and Privacy Management Committee" should regularly review this policy (e.g., annually or when risk factors change).
  • In cases where the implementation of specific provisions in this policy is difficult, written consent from the "Security Officer" may be obtained in urgent situations to execute alternative solutions. However, such alternative solutions must be reviewed and discussed within one month, with necessary adjustments to related policies if needed.

Last updated on: November 30, 2023.