Information Security Management Organization Vision
With the rapid progress of digital transformation, the use of emerging technologies, including cloud services, the Internet of Things, and generative AI, has expanded, creating new cyberattack threats, while supply chain cybersecurity continues to affect enterprise business continuity. In addition, evolving attacks such as ransomware and social engineering have caused great damage to numerous organizations. Lastly, as governments and industry tighten their oversight, companies are required to comply with applicable laws, regulations, and standards. Against this backdrop, ASUS continues to implement risk assessment and management, strengthen internal control mechanisms and external collaboration, and raise cybersecurity awareness among employees. In response to the ever-changing cybersecurity challenges, the company also constantly monitors the development of emerging technologies and the threats they pose.
Jonney Shih, Chairman of ASUS, instructed the establishment of the Information Security Committee in May 2020, which reports to the Chairman and implements the information security strategy as directed by the Chairman. The Information Security Committee's monthly meeting is attended by Ted Hsu, Vice Chairman of ASUS, and S.Y. Hsu and Samson Hu, Co-CEOs of ASUS, who are all members of the Board of Directors. They are leading the Committee on several information security projects. The projects include supply chain information security, privacy protection and cloud service security based on the ISO management standards, and internal coordination required to achieve relevant information security compliance. In addition, in September 2021, ASUS appointed the Chief Information Security Officer (CISO). In the same year, the company also established a dedicated information security team, the Digital Security Center, which is responsible for comprehensive planning and strengthening of information security and product security. With the vision of "Building Digital Resilience, Enhancing Brand Trust. Pursuing Excellence in Security," the Digital Security Center serves as a powerful support for the company's subsidiaries, customers, and supply chain partners. The CISO reports annually to the Board of Directors on ASUS' information security risk and project performance and results delivered by the Digital Security Center.
As the global information security challenges are intensifying, requiring cross-border support and collaboration between the public and private sectors, Jonney Shih instructed the CISO to meet with public sector officials and expressed our willingness to take the lead in bringing various sectors together. Later, in July 2021, ASUS established the High-Tech Information Security Alliance with the help of the Taiwan Network Information Center (TWNIC) and Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC), and in April 2022, with the help of the Taipei Computer Association, the company established the Taiwan Chief Information Security Officer Alliance, which is currently the largest user-centric information security alliance with about 190 company members whose total annual revenue exceeds NT$15 trillion.


Information Security Management Performances in 2024
Information Security Governance
The Information Security Committee is dedicated to promoting the information security management system: it establishes management procedures in line with international standards and plans, executes, and reviews internal information security activities. To ensure the ongoing effectiveness and compliance of the information security management system, it also regularly conducts internal audits and external validations of all activities.
Information Security Program
Incident investigation, improvement, and response exercises are conducted to evaluate the group's information security defense level. Social engineering drills are carried out in accordance with the standards of the National Cyber Security Report of the Executive Yuan, primarily to prevent business email compromise. New hires and in-service employees worldwide receive general information security training, with course materials available in 18 languages. The company's Information Security 10 Rules are regularly promoted and incorporated as mandatory content in the annual and new-employee information security training to reinforce the idea that information security is everyone's responsibility. Should an information security event occur, employees can report it to the Information Security Incident Response Team via the information security mailbox. This team comprises members of the Digital Security Center, information security representatives from the various departments, and members of the legal affairs and public relations departments, to ensure comprehensive and timely event handling.
Digital Resilience
In 2021, the "High-Tech Information Security Alliance" was established, aiming to enhance defensive capabilities through regular exchanges within the alliance. In 2022, the cross-industry "Taiwan Chief Information Security Officer Alliance" was formed to improve industry cybersecurity resilience. To strengthen product security development, relevant Open Source testing mechanisms were introduced to the research and development units, and policies were formulated and implemented. Additionally, Open Source SSDLC & License educational training was conducted for the R&D teams. In 2022, ASUS led the efforts in establishing the Taiwan Chief Information Security Officer Alliance, which now has more than 100119 publicly traded or OTC companies as members, to jointly improve the information security resilience of domestic industries. In 2023, ASUS invested in the construction of national critical information infrastructure, including the National Center for High-Performance Computing "Taiwania-4" supercomputer project, ensuring that the country's critical computing platforms meet the National Cybersecurity Grade A Protection level.
Risk Management
ASUS monitors all aspects of digital security risk and assists internal units in conducting business continuity planning. This includes implementing BCM risk assessments, risk management, and crisis response plans, as well as monitoring the execution of the related exercises. The goal is to enhance ASUS's overall resilience, mitigate risks, and, importantly, ensure the effectiveness of security incident response and handling by the operations and monitoring teams.
Personal Data Protection Committee
ASUS established the "Personal Data Protection and Information Security Committee" in April 2012 at the instruction of top management to formulate the company's policy on personal data use and to handle related matters. In response to regulatory changes and reorganization, the committee was renamed the "Personal Data Protection Committee" (hereinafter referred to as "the Committee") in 2018, and the Committee released a new company policy named the "General Personal Data Protection Policy" and implemented it internally. The Policy serves as the guideline for the collection, processing and use of personal data collected through ASUS products and services (such as computers, software, official websites, customer support services and others). The Committee published the "ASUS Privacy Policy" on the ASUS official website to make the general public and consumers aware of how ASUS protects and manages their personal data.
In order to ensure the full implementation of the company's policies, the Committee holds regular bi-weekly meetings to implement and review its annual objectives, and calls ad hoc meetings from time to time to adjust implementation measures and handle personal data related events. By the end of 2023, the Committee had held 320 regular meetings.
Main Accomplishments of the Personal Data Protection Committee in 2023
Data inventory review
Continue to examine the nature of the data collected, processed and used by the company to confirm the scope of regulatory compliance.
Process improvement
When products or services are updated, the Committee explains to the relevant departments which data processing procedures must be modified and improved to comply with personal data protection laws.
Privacy policy review
Adjust the ASUS Privacy Policy for each country where needed in response to the regulations of the different jurisdictions.
Education and training
Education and training sessions are held annually to ensure all employees understand the company's policy. In 2023, 6 sessions were provided to employees in headquarters and in overseas offices.
Handle the request and inquiry of data subjects and supervisory authorities
The Committee is the central contact point for handling requests and inquiries from data subjects and supervisory authorities. ASUS shall respond to requests from data subjects within the statutory period. The Committee collaborates with the relevant departments to handle requests and responds to the data subjects to fulfill the regulatory obligations. Inquiries from supervisory authorities are handled with the same approach to mitigate legal risks.
Annual internal audit
The departments responsible for the management of personal data are included in the scope of the company's internal audit. Based on the internal self-assessments conducted by the departments, the departments' examination of service providers' practices, and the audits conducted by the auditors, the Committee provides corrective measures and improvement approaches for non-compliant items, assisting the responsible departments or service providers to improve their practices and ensuring the full implementation of the company's policies and relevant management procedures.
Main plan for Personal Data Protection Committee in 2024
- Review and improve the Company's compliance procedures in response to new legislation in Asia-Pacific and Americas.
- Add overseas audits and assist related authorities in performing supplier audits.
Data Protection Measures or Regulations
- Ensure the confidentiality of relevant business information, and protect sensitive information and customer private information from internal or external, deliberate or accidental threats that would expose business information to risks such as modification, disclosure, damage or loss.
- Ensure the integrity and availability of relevant business information so that operations are carried out correctly, and protect the security of information assets.
