Information Security

Information Security Purpose

In the face of business competition and globalization, information security and the protection of operational data are important cornerstones for sustainable development and maintaining core competitiveness. To ensure the stability, security, and availability of information systems, TCC is committed to strengthening information security management mechanisms and defense capabilities, establishing a secure and reliable computerized operating environment, ensuring the security of systems, data, equipment, and networks to protect the Company's important information assets and ensure the normal operation of information systems.

The Scope and Target of Information Security

Applicable to TCC Group and its domestic and overseas subsidiaries, Taiwan-invested companies, and other group-affiliated enterprises with substantial control capabilities. The scope includes employees at all operational sites and outsourced vendors, contracted suppliers, and dispatched suppliers who have access to the Group's internal information.

Information Security Risk Framework

Applicable to TCC Group and its domestic and overseas subsidiaries, Taiwan-invested companies, and other group-affiliated enterprises with substantial control capabilities. The scope includes employees at all operational sites and outsourced vendors, contracted suppliers, and dispatched suppliers who have access to the Group's internal information.

Establish an information security management system and cross-departmental information security committee

In 2020, TCC established and implemented an information security management system based on the ISO/IEC 27001:2013 international standard, adopting the PDCA cycle operation model. The President convened and formed a cross-departmental Information Security Management Committee, which meets annually to review the effectiveness of information security planning and implementation, make key decisions, and coordinate the necessary resource allocation.

Information Security Management Team

Under the Information Security Management Committee, an Information Security Management Team is established, which is mainly responsible for planning, establishing, implementing, maintaining, reviewing, and continuously improving the information security management system, and reporting related issues to the Information Security Management Committee.

Regular reviews and reporting

The Information Security Management Team regularly meets to review implementation and annually reports the results and reviews to the Board of Directors.

Strengthen information security system

On April 11, 2022, the Board of Directors resolved and announced the establishment of the Chief Information Security Officer position and the Information Security Department. The Department consists of one dedicated information security supervisor and two dedicated information security members. Their primary responsibilities include the overall information security structure, managing operations and monitoring, and handling internal and external information security incident response and investigation for the TCC Group. They regularly report work progress to the Chief Information Security Officer, who in turn reports to the Chairman and President of TCC Group. In response to the development of AI, TCC has referred to the Bletchley Declaration and the Frontier AI Safety Commitments, and has been closely following the outcomes of the AI Action Summit to continuously improve and refine its AI policies.

Information Security Policy and Management Program

Information Security Objectives
  1. Maintain the stability of TCC Group's business operations, avoiding operational losses caused by system interruptions or other information security incidents.
  2. Implement appropriate protective measures for sensitive data such as TCC Group's trade secrets to minimize the impact and risk of information security incidents including damage, theft, leakage, tampering, misuse, and infringement.
  3. Continuously enhance the confidentiality, integrity, and availability of various information assets within the TCC Group.
Management Program
  1. In 2022, joined the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC) and the threat intelligence centers of major cybersecurity companies such as Trend Micro, receiving threat intelligence via email periodically, assessing whether internal equipment or software is exposed to threats, and requiring responsible personnel to implement timely patches within specified deadlines.
  2. In 2024, TCC has five dedicated information security personnel and 30 information security support team members. Regular information security education, training, and social engineering drills are conducted to raise awareness among all TCC Group members, ensuring that all employees develop a strong sense of security responsibility.
  3. As of October 2024, a total of 42 weekly security meetings, nine monthly security meetings, and two quarterly security meetings have been held, actively discussing security tool applications, the current status of security projects, and security personnel allocation.
  4. In response to TCC's active transformation, we emphasize trade secret protection measures for the energy business and strengthen information security control measures, such as implementing data non-persistence, centralized control of sensitive data, and enhanced security measures for remote work.
  1. TCC Group obtained ISO/IEC 27001:2013 international information security standard certification in 2021 and passed the ISO/IEC 27001:2022 version transition certification in December 2023. The certification is valid from January 2024 to January 2027.
  2. Information security protection is everyone's responsibility. To promote awareness among TCC Group employees, social engineering drills and information security education training are regularly held each year. In 2024, a total of four social engineering drills and two information security-related training sessions were conducted, covering recent topics such as AI-related security incidents. These efforts aim to strengthen employees' awareness of information security and prevent social engineering attacks that could lead to security breaches.
  3. Information security policies and regulations are reviewed annually. In 2023, the information security policy was revised, and in 2024, HR communicated the information security policy and requirements to all employees across the Group.
  4. All TCC Group employees, outsourced vendors, and their partner companies must sign confidentiality agreements to ensure that those who access TCC Group's information services or related business are responsible for protecting the information assets they obtain or use, preventing unauthorized access, alteration, destruction, or improper disclosure.
  5. Information asset inventories are counted annually, with risk management and improvement conducted according to the information security risk assessment mechanism to uphold the principle of information security management. Regular use of asset software and hardware inventory tools allows for effective tracking of software and hardware usage information, preventing unauthorized software installations or the use of software that infringes on intellectual property rights.
  6. System access rights for core business systems are reviewed each year and permissions are granted according to the Need-to-use principle. High-privilege accounts are controlled through the Privileged Access Management (PAM) system.
  7. Mobile One-Time Password (MOTP) system has been implemented as a two-factor authentication mechanism, using fingerprint recognition for login to reduce the risk of password forgetting or being compromised.
  8. Vulnerability scanning tools have been implemented and operations are regularly performed on the Group's core systems. Any medium to high-risk vulnerabilities discovered must be patched, with continuous tracking and re-scanning until no medium to high risks remain.
  9. Core business systems and equipment are equipped with real-time monitoring and alert mechanisms (PRTG), enabling immediate notification to system administrators for emergency handling if the event of any anomalies. Appropriate backup or redundancy mechanisms are implemented and regularly drilled to maintain the availability of core business systems. Vulnerability scanning and penetration testing are performed regularly to identify vulnerabilities in the system and patch them promptly.
  10. Disaster recovery (DR) drills for core systems are performed annually to ensure that systems can seamlessly transition and operate normally from alternate data centers.
  11. All personal computers used in the office are installed with antivirus software, with regular system updates and virus definition updates to reduce the risk of hacker attacks and the threat of ransomware.
  12. TCC Group has fully implemented Deep Discovery Inspector (DDI) for malicious connection and internal spread protection, and Endpoint Detection and Response (EDR), along with Managed Detection and Response (MxDR) services, where external expert teams assist in monitoring the security of endpoint devices across the Group.
  13. Operational Technology (OT) protection measures have been implemented to protect production line safety and prevent equipment infection that could lead to operational interruptions. Antivirus USB drives have been purchased to scan new production equipment for suspicious viruses before connecting them to the internal network.
  14. Sensitive file encryption systems have been implemented to protect core business data and prevent hackers from stealing trade secrets that could impact TCC Group's operations.
  15. Strict control of TCC Group's external file transmission channels, including portable devices (such as USB), cloud storage, instant messaging (IM) software, File Transfer Protocol (FTP), and email delivery mechanisms.
  16. Network security operations have been established and maintained, including firewall management, secure remote connection settings (VPN), intrusion detection and prevention mechanisms, WAF (Web Application Firewall), and internet usage monitoring, all aimed to reduce the risk of external hacker intrusions.
  17. Regular review of the audit trails of core systems and equipment to ensure there are no abnormal internal or external access activities.
  18. Establishment of standard procedures for information security incident response and reporting to properly handle information security incidents and prevent further escalation of damage.
  19. Regular implementation of internal and external audits to monitor compliance with information security systems, and taking corrective preventive measures for audit findings.

Information Security Control Measures

TCC Group has established the TCC Group Information Security Policy, which is available in the

Investors - Company Regulations」section.

TCC Group Information Security Related Certificates

ISO/IEC 27001:2022