Information Security Intensification Action Plan

Corporate information security management strategy and framework

To effectively manage information security, the Corporate Information Security Organization holds regular meetings every two weeks and reviews the applicability of the information security policy and protective measures according to the PDCA (Plan-Do-Check-Act) mechanism. Every year, Acer verifies through internal and external audits that the implementation complies with standards and protects confidentiality, integrity, and availability. The ISMS focuses on the management of information security risk; mitigates information security threats across systems, techniques, and processes; and establishes confidential information protection services that meet our customers’ requirements.

Apart from the ISMS, since 2021 Acer has been referencing the NIST Cybersecurity Framework (CSF) to enhance multi-layer information protection, covering the five core functions of information security: identify, protect, detect, respond, and recover. Acer thus implements cyber security life cycle risk management and gradually introduces innovative information security techniques, incorporating information security control mechanisms into the maintenance of software and hardware and into our daily operational procedures. In doing so, Acer systematically monitors our information security, leveraging the NIST CSF to continuously evaluate its maturity.

Management Plan

Multi-layer Information Security Protection

Device security

  • Implement comprehensive EDR (Endpoint Detection and Response).
  • Implement endpoint antivirus measures to detect malware.

Account management

  • Implement MFA (multi-factor authentication) for staff accessing Acer’s resources from outside the company.
  • Collaborate with a third party to search for accounts exposed on the dark web and proactively change their credentials.

Cyber security

  • Enhance network firewall and ACL (access control list) controls.
  • Implement NAC (Network Access Control), prohibiting non-compliant devices from accessing Acer’s resources.

Application security

  • Test Internet-facing services and fix the vulnerabilities found, on an annual basis.
  • Inventory outdated and risky software and extensions and apply the necessary updates.

Monitoring of Information Security Performance

Acer continues to respond to information security risks through third-party assessments and draws up corresponding corrective plans. We also commission external specialists to assess the maturity of our intranet and information security, ensuring that our information security mechanism conforms to industry standards.

The blue line on the graph below represents the industry standard, which corresponds roughly to a score of 84, a B level of maturity. The black line represents Acer’s performance; apart from minor deductions due to information security incidents in March and October of 2021, our performance has been improving and is aligned with industry standards.

Training and communication:

  • Routinely host training to enhance staff information security awareness.
  • Boost staff awareness of phishing attacks and implement detection of phishing emails.

Investments in the cyber security management

Performance of Information Security Implementation in 2021

Cyber Security Risks and Response Measures

Acer has established comprehensive information security protection measures for our network and computers, but this cannot guarantee that the computer systems supporting our business operations will be completely free from cyber attacks that could cause the loss of important Acer data. Malicious hackers or geopolitically motivated cyber attacks may introduce viruses, destructive software, or ransomware into the Company’s network systems, interfering with Acer’s operations.
Acer has faced a ransomware attack that began with a member of our staff accidentally clicking on a phishing email, and we may face similar attacks in the future. To prevent damage from such attacks, Acer implements related corrective actions and continually works to optimize our practices. For instance, we have reduced the chances of phishing emails reaching inboxes; strengthened firewall controls and Internet access controls to prevent malware from spreading to other zones; implemented multi-layer management of privileged accounts to prevent them from being compromised; introduced leading solutions for compliance auditing; adopted new techniques to detect and handle malware; and routinely run vulnerability scans and fixes and test staff awareness.
As such, Acer has set the following as the future focus of our information security:

  • No leakage of customers’ data. With multi-layer protection, hackers cannot access customer data even if Acer is under attack from ransomware.
  • Enhance the comprehensive information security and monitoring mechanism. In doing so, we can make cyber attacks more difficult and thus lower the inclination of hackers to attempt them. Acer deploys endpoint detection and response software to ensure visibility of any abnormal behavior.
  • Segregate internal systems and adopt a zero trust framework in the data centers of both regional offices and headquarters and enhance business continuity drills for information systems, mitigating the impact of attacks and enabling systems to recover within a tolerable time.