Information Security Management | Corporate Governance | Philosophy | ASUS ESG website, ASUS ESG goal

Information Security Management

Organization Structure and Management Policy

After the outbreak of the Russia-Ukraine War, hacking attacks on global networks surged significantly, with a profound impact on the global supply chain. ASUS faces many external challenges, which have had an unprecedented impact on information security management and product security management. ASUS established the Information Security Committee in May 2020, appointed the Group Chief Information Security Officer, and established a dedicated information security unit in September 2021. The committee members include our Vice Chairman Ted, the co-CEOs, and all of the Heads of Business Units and Functional Units. ASUS continues to promote the ISO/IEC 27001 Information Security Management System (ISMS) to comply with international standards, and also complies with the European Union's General Data Protection Regulation (GDPR) to ensure that the collection, processing and use of personal data comply with the regulations. At the same time, ASUS integrated existing internal resources to facilitate cross-departmental and cross-functional communication and collaboration, and adopted "Building Digital Resilience, Enhancing Brand Trust: Pursuing Excellence with Security in Mind" as our vision. ASUS has become a strong source of support for our subsidiaries, suppliers, and supply chain partners.

Information Security Management Performances in 2022

Information Security Governance

Since May 2020, information security monthly meetings have been held to share and discuss topics such as enterprise information security, product security, global information security threats, supply chain security, etc.

Information Security Program

We conduct an annual information security awareness course for current employees and new hires in 18 languages, with a completion rate of 100%. We promote the ASUS Group's ten rules of information security from time to time, send formal email reminders to employees who violate the regulations and ask for improvement, and report the findings to the head of the department as a basis for the employees' personal performance appraisal.

Digital Resilience

In 2021, ASUS led the efforts in establishing the High-Tech Information Security Alliance and organized several large-scale bi-monthly meetings to discuss 13 issues and communicate trends in information security threats, to improve defense capabilities jointly.

In 2022, ASUS led the efforts in establishing the Taiwan Chief Information Security Officer Alliance, which now has more than 100119 publicly traded or OTC companies as members, to improve the information security resilience of industries jointly.

Risk Management

We pay attention to various digital security risks and help internal units to adopt and implement BCM risk assessment, risk management, and crisis management plans, and we track the implementation status of the various drills. We also work to improve the response and handling speed of the maintenance and monitoring teams for information security incidents.

Personal Data Protection Committee

ASUS established the "Personal Data Protection and Information Security Committee" in April 2012 according to instructions from top management, to formulate the company's policy on personal data use and to handle relevant matters. In response to regulatory changes and reorganization, the above committee was changed to the "Personal Data Protection Committee" (hereinafter referred to as "the Committee") in 2018, and the Committee released a new company policy named the "General Personal Data Protection Policy" and implemented it internally. The Policy is used as a guideline on the collection, processing and use of personal data collected through ASUS products and services (such as computers, software, official websites, customer support services and others). The Committee published the "ASUS Privacy Policy" on the ASUS official website to make the general public and consumers aware of how ASUS protects and manages their personal data.

In order to ensure the full implementation of the company's policies, the Committee holds regular bi-weekly meetings to implement and review annual objectives, and calls irregular meetings from time to time to adjust implementation measures and handle personal-data-related events. By the end of 2022, the Committee had held 296 regular meetings.

Main accomplishments of the Personal Data Protection Committee in 2022

Data inventory review

Continue to examine the nature of data collected, processed and used by the company to ensure the scope of regulatory compliance.

Process improvement

The Committee explains to the relevant departments which data processing procedures shall be modified and improved to comply with personal data protection laws in response to updates of products or services.

Privacy policy review

Adjust the ASUS Privacy Policy for each country in response to regulations from different jurisdictions if needed.

Education and training

Education and training sessions are held annually to ensure all employees understand the company's policy. In 2022, 8 sessions were provided to employees in headquarters and in overseas offices.

Handle the request and inquiry of data subjects and supervisory authorities

The Committee is the central contact point for handling requests and inquiries from data subjects and supervisory authorities. ASUS shall respond to requests from data subjects within the statutory period. The Committee collaborates with the relevant departments to handle requests and responds to the data subjects to fulfill the regulatory obligations. Inquiries from the supervisory authorities are handled with the same approach to mitigate legal risks.

Annual internal audit

The responsible departments involved in the management of personal data are included in the scope of the company's internal audit. Based on internal self-assessments conducted by the departments, examinations of service providers' practices conducted by the departments, and audits conducted by auditors, the Committee provides corrective measures and improvement approaches for non-compliant items, to assist the responsible departments or service providers in improving their practices and to ensure the full implementation of the company's policies and relevant management procedures.

Main plan for Personal Data Protection Committee in 2023

  • Continue to improve the interface for individual parties to file personal data requests as well as internal procedures.
  • Review and improve the Company's compliance procedures in response to new legislation in Asia-Pacific and Americas.
  • Add overseas audits and assist related authorities in performing supplier audits.

To ensure that information security measures or specifications comply with requirements of existing laws, the information security policy is reviewed annually

  • Ensure the confidentiality of relevant business information, and protect sensitive information and customer private information from threats and damage arising from internal or external, deliberate or accidental factors that expose business information to risks such as modification, disclosure, damage or loss.
  • Ensure the integrity and availability of relevant business information so that operations are carried out correctly, and protect the security of information assets.