information security and personal information protection
to effectively promote information security work, the company established the “information security committee” in accordance with the “regulations for information security policy,” to take charge of promoting and governing information security, monitoring and managing information security risks, and reporting major information security incidents. the committee shall hold a meeting at least once a year and may hold a meeting to report major decisions to the board of directors, if necessary.
information security policy
considering relevant business development and demands, the company established the “information security policy” to strengthen the management of information security, build a safe and reliable information operating environment, and ensure information, system, equipment and network security. moreover, in accordance with the matters stated in the policy, the company also stipulated the “guidelines for the management of information security” and other management regulations and established control systems. for the content of the relevant policies, please refer to the important articles of incorporation for company governance on the company website (http://www.chaileaseholding.com/en/ugc_chapter.asp).
the duties of the committee are as follows:
i. develop and review the information security policy and development strategy of the company.
ii. review the information security structure of the company and relevant management regulations.
iii. enhance information security awareness and review the training program.
iv. review the annual information security investment plan and budget.
v. supervise the promotion and execution of information security management affairs.
vi. other information security management matters.
information security management plan
information security status of implementation
in accordance with the provisions of article 9 of the "regulations governing establishment of internal control systems by public companies", chailease has established internal control systems and related operational specifications for information circulation and the other parts of the management environment, including personal information and the computerized information system. at the same time, to comply with the provisions of article 13 of the regulations, the company's information and communication security inspection is included in the annual audit plan.
- self-risk evaluation and check of internal control systems by operation units
early each year, every operation unit shall evaluate risks and render evaluation results and improvement suggestions to the internal audit department for its reference. such risk evaluation shall be based on internal control items in the fields of information circulation and personal information processing, while risk scale and major control points shall also be considered. by year’s end, each operation unit shall undertake self-risk evaluation and checks according to early year plans, submit the results to the internal audit department for review, and then report to the company executive. this move aims to ensure implementation of internal control systems.
- control of information flow security audit and inspection
the independent internal audit department shall draft an annual information security audit and inspection plan according to the results of self-risk evaluation and risks of each operation unit. this audit and inspection plan shall be submitted to the management and the internal audit department shall conduct due diligence based on the plan. reports of due diligence will be submitted to the management. defects and recommendations thereof will be tracked and improved within a due date.
- information security training
each unit's new recruits are required to attend education and training classes covering specific information security topics, the company's internal rules, related laws, cybercrime, and general knowledge of information security. each year, information technology-related departments shall establish an annual education and training program and arrange for personnel to participate in external workshops accordingly. those participating in training courses will also need to pass the relevant professional examinations. we also arrange for companies with the relevant expertise to introduce important information security projects to staff and to conduct related case studies.
information processing flow chart
regarding the management of the information service processing procedure, chailease takes information management as its basis and, supplemented by a risk management orientation, builds demand management, incident management, problem management, change management, requisition form management, online management, knowledge management, and usability management. this covers the whole flow from the user's demand for an information service to the final completion of the change online or the solution to the problem or demand, so as to keep close tabs on information security.
information security resources devoted for newcomers
as cyber-attacks have increased and attack methods have become more complex, many information security problems have occurred in enterprises. hence, the government and the competent agencies have raised their requirements for enhancing information security risk management in enterprises. however, to prevent threats and attacks, promoting and educating internal personnel on information security awareness is among the key factors for successful information security policy implementation, in addition to the application of technological tools. regarding this matter, when newcomers arrive, in addition to providing relevant internal professional knowledge, the company also asks them to complete the necessary information security training as a precautionary measure. the overall training completion rate is 100%, and existing employees have also completed the relevant information security training requirements with a 100% coverage rate.
in addition, the information unit makes a large investment in information security and skills training every year to keep pace with this fast-changing environment.
measures for managing information security incidents
the information unit provides gateway and endpoint protection functions, as well as quarantine alerts for virus programs. moreover, the unit can further detect suspicious external intrusion behavior through network flow control and analysis.
four disaster restoration drills are conducted each year, including 2 off-site environment system restoration drills, 1 information unit restoration drill, and 1 synchronized off-site restoration drill by the information unit together with the front and back ends. in this way, the systems and data within the enterprise receive the best protection measures. with reasonable measures and methods, we can shorten the restoration time for system interruptions as much as possible and reduce the data loss resulting from business interruption.
personal information protection
personal information protection is carried out by IT personnel according to security and operational risk levels. personal information is masked, and only certain employees are granted access to it, depending on the scope of the work being performed. internal customer data transfers also follow strictly controlled protocols and are regularly reviewed by the internal audit unit. all of these measures are taken in order to enhance the company's protection of employee and customer data and to abide by the law.
to ensure the confidentiality of customer data, all our employees receive training on personal data confidentiality and operational security law. this provides them with a reference and develops their awareness of personal data issues so that they will use good data security practices and protect personal data in their daily work. we also require employees to appropriately perform their responsibilities for protecting confidentiality and managing data, with rigorous internal management rules as well as the gradual establishment of audit trail and record tracing systems. the management of personal information has been included in the scope of the annual information and communications security audit and inspection and of the self-assessment, and through these comprehensive and targeted reviews we will strengthen the protection of customer data by employees and increase their knowledge of, and compliance with, the relevant law.
in the future, we will continue to optimize e-mail security review mechanisms, enhance customer data protection mechanisms, improve existing data security mechanisms and establish specialized information security officers, in order to comprehensively raise the level of data protection and security and establish a safe, reliable operating environment. the purposes of collection, the manner of use and the rights associated with customer data are laid out clearly in informed consent forms and contracts to help customers fully understand the rights and responsibilities of both parties.
company employees dedicated to the protection of personal information act according to the relevant company rules to appropriately handle and give feedback on such matters, and appropriate rules are set and revised. at the same time, policy education within the company has been enhanced and case studies and educational materials have been created, so that improvements to our business processes and the rigor of our internal rules will reduce the occurrence of customer complaints. in 2019, there was one violation of the rules at a subsidiary in mainland china: the employee copied the company's information before departure, and the corrective measure was retroactive dismissal. moreover, the importance of implementing internal policies and rules is being taught to employees.