In pursuit of sustainable operation and the protection of our customers’ trust in us, Acer began implementing an information security management system in 2019. At the foundation of this ISMS is Acer’s information security policy, helping ensure the security of information assets and the continuity of information services, thus mitigating the threat from and impact of information security incidents.
This policy applies when accessing Acer IT’s information assets, IT systems, and infrastructure. It applies to all executives and employees of Acer IT, including contractors, consultants, temporary staff, trainees, and any other third parties working for Acer IT (referred to hereafter as “staff”).
The policy framework follows and is based on the following regulations:
This policy is reviewed at least once a year to keep it compliant with applicable law and aligned with the latest technology and business developments.
Acer implements various information security activities via the Corporate Information Security Management Organization and hosts management review meetings periodically to examine and decide information security guidelines and policy. The performance of information security management and related issues are also presented in these meetings to ensure the effectiveness of the ISMS, the protection of the Company’s intellectual properties, the protection of customers’ data, and the enhancement of staff’s information security awareness.
The Corporate Information Security Management Organization is supervised in terms of information security strategy by the Chairman & CEO and the Board via reporting in routine meetings, as well as by the Risk Management Committee. Through this, Acer is able to boost the efficiency of policy announcements and the mechanisms of cross-functional communication.
The Corporate Information Security Management Organization is led by the Head of Global IT, who has assigned the IT ISO & ITSM Office the primary role in implementing the ISMS and the Corporate Information Security Office the primary role in enhancing cyber security. AVPs and senior directors are assigned to be members of the Information Security Committee that appoints representatives to the Global Information Security Response Team, ISO Information Security Establishment Team, Information Security Audit Team, and Cyber Security Management Team, continuously optimizing the internal management of information security.
Acer’s Human Resource Security Guidelines serve as the management basis for urging all staff to understand the importance of information security and various potential information risks. These guidelines provide the rules for training and communication in information security and its management. The aim is to promote security awareness and compliance with information security while also reducing security incidents caused by malicious behavior, negligence, or lack of understanding of information security. The guidelines also illustrate the penalties and legal liabilities that may arise from violations of information security regulations, further elevating staff’s information security awareness and encouraging all members to abide by the rules of information security.
To ensure staff can respond promptly to and handle issues resulting from the impact of major system failures, negative human factors, or natural disasters, Acer holds annual vulnerability scans, penetration tests, and business continuity drills to examine the risk coefficient of all processes and establish recovery plans that strengthen the Company’s emergency response capability and tolerance against cyber attacks. The details of this are as below:
Acer runs annual vulnerability scans of operating systems and network equipment to discover vulnerabilities in operational systems early, and applies follow-up fixes so that those vulnerabilities cannot be exploited.
Acer commissions a third-party cyber security institution to carry out penetration tests. Starting with minimal information, the penetration test team attempts to break through network or system defenses, for example by probing for weaknesses in web applications or operating systems, in order to gain further permissions or access unauthorized data. From the results of these tests, Acer can identify security blind spots in its system-building and programming processes and take action to correct or prevent them, raising the security level of the enterprise network and reducing security risk.
Acer has set out the Information Security Continuity Management Guidelines to guide all units in Acer IT in implementing business continuity strategies during adverse situations. In line with ISO 27001 and the ISMS, Acer routinely executes business continuity drills and examines their effectiveness. The Company also evaluates the RTO, RPO, and service-level targets of all systems in scope to integrate resources and maintain business continuity, ensuring that systems remain effective and protecting the best interests of our customers and stakeholders.
To promote the implementation of ISMS in our daily maintenance and operation, the IT ISO & ITSM Office hosted an ISMS Workshop in 2022. The workshop covered information asset management, information account inventory, internal/external audits, and risk assessments, and Acer has also invited information security consultants to share related topics and trends to enhance the validity of ISMS and raise our staff’s awareness of ISMS.
Continuing to pass the third-party certification
24/11/2021 The audit objectives have been achieved and the certificate scope remains appropriate. Acer’s ISO 27001:2013 certificate remains valid.
27/04/2022 The audit objectives have been achieved and the certificate scope remains appropriate. Acer’s ISO 27001:2013 certificate remains valid.
13/09/2022 The audit objectives have been achieved and the certificate scope remains appropriate. Acer’s ISO 27001:2013 certification has been renewed and remains valid.