Mobile Button

Information Security Intensification Action Plan

Corporate information security management strategy and framework

To effectively manage information security, the Corporate Information Security Organization hosts regular meetings every two weeks and examines the applicability of information security policy and protective measures according to the PDCA mechanism. Every year, Acer ensures the implementation is compliant with standards and protects confidentiality, integrity, and availability via internal and external audits. The ISMS focuses on the management of information security risk; mitigates the information security threats in terms of the systems, techniques, and processes; and establishes confidential information protection services that meet our customers’ requirements.

Apart from the ISMS, from 2021, Acer is making reference to the NIST Cybersecurity Framework (CSF) to enhance multi-layer information protection, covering the five major aspects of information security: identification, protection, detection, response, and recovery. Acer thus implements the cyber security life cycle risk management and gradually imports innovative information security techniques, incorporating information security control mechanisms into the maintenance of software and hardware and our daily operational procedures. In doing so, Acer systematically monitors our information security, leveraging NIST CSF to continuously evaluate its maturity.

Management Plan

Multi-layer Information Security Protection

Device security

  • Implement comprehensive EDR ( Endpoint Detection and Response ).
  • Implement endpoint antivirus measures to detect malwares.

Account management

  • Implement MFA ( Multi-factor authentication ) for staff to access Acer’s resources from the outside of the company.
  • Collaborate with the third-party to search for the accounts that are exposed to the dark web to actively change the credentials.

Cyber security

  • Enhance the control of network firewall and ACL (Access-control list).
  • Implement NAC ( Network Access Control ), prohibiting non-compliant devices from accessing Acer’s resources.

Application security

  • Execute the test on Internet-facing services and fix the vulnerability annually.
  • Inventory outdated and risky software and extensions to execute necessary updates.

Monitoring of Information Security Performance

Acer continues to respond to information security risks via third-party assessment and come up with corresponding correction plans. We also commission external specialists to conduct assessments of the maturity of our intranet and information security, ensuring our information security mechanism conforms to industry standards.

The blue line on the graph below represents the industry standard, which roughly fits a score of 84, a B level of maturity. The black line, meanwhile, represents Acer’s performance; apart from minor deductions due to information incidents in March and October of 2021, our performance has been growing and aligned with the standards of the industry.

Training and communication:

  • Routinely host training to enhance staff’s information security awareness.
  • Boost staff’s awareness of phishing attacks and implement detection of phishing emails.

Investments in the cyber security management

Performance of Information Security Implementation in 2021

Cyber Security Risks and Response Measures

Acer has established comprehensive information security protection measures for our network and computers, but this cannot guarantee that the computer systems that support our business operation will be completely free from cyber attacks that could cause the loss of important Acer data. Malicious hackers or cyber attacks motivated by geopolitics may introduce viruses, destructive software, or ransomware to the Company’s network systems, interfering with Acer’s operations. 
Acer has faced an attack from ransomware from a member of our staff accidentally clicking on a phishing mail, and we may face similar attacks in the future. To prevent damage from such attacks, Acer implements related corrective actions and continually works to optimize our practices. For instance, we have reduced the chances for phishing emails to make it to inboxes; strengthened firewall controls and Internet access to prevent malware from expanding to other zones; implemented multi-layer management of privileged accounts to prevent them from being hacked; introduced leading solutions for compliance auditing; imported new techniques to detect and handle malware; and routinely executed vulnerability scans & fixes and test staff awareness. 
As such, Acer has set the following as the future focus of our information security: 

  • No leakage of customers’ data. With multi-layer protection, hackers cannot access customer data even if Acer is under attack from ransomware. 
  • Enhance the comprehensive information security and monitoring mechanism. In doing so, we can make cyber attacks more difficult and thus lower the inclination of hackers to attempt them. Acer deploys endpoint detection and responsive software to ensure the visibility of any abnormal behaviors. 
  • Segregate internal systems and adopt a zero trust framework in the data centers of both regional offices and headquarters and enhance business continuity drills for information systems, mitigating the impact of attacks and enabling systems to recover within a tolerable time.