INFORMATION SECURITY
Information Security Policy
Our company has been certified under the ISO 27001:2022 Information Security Management System (ISMS) standard.
1. Purpose
To safeguard the confidentiality, integrity, and availability of information assets belonging to Chih Chiang Engineering Consultants Co., Ltd. (hereinafter referred to as “the Company”), ensure compliance with relevant laws and regulations, and protect users’ data privacy from intentional or accidental internal and external threats. The Company integrates information and communication security (ICS) objectives across all departments and establishes the following overall ICS policy goals:
1.1 Protect the Company’s business information from unauthorized access to ensure confidentiality.
1.2 Protect the Company’s business information from unauthorized modification to ensure accuracy and integrity.
1.3 Establish a business continuity plan to maintain uninterrupted operations and ensure availability.
1.4 Ensure the Company’s business activities comply with all applicable laws and regulations.
2. Scope of Application
This policy applies to all Company personnel, contractors, service providers, and visitors, all of whom must comply with this policy and related ICS management regulations.
To prevent incidents such as data misuse, leakage, alteration, or destruction caused by human error, malicious actions, or natural disasters — which could result in potential risks or harm to the Company — information security management is carried out through the following system:
In addition to the Information Security Policy, Statement of Applicability, and various Management Procedure Documents (such as Document Control, Risk Assessment, Audit, Corrective & Preventive Actions, ICS Objective Management, and Comprehensive Review Procedures), the Company also establishes a full suite of organizational, personnel, physical, and technical management procedures. These collectively define and implement information security control measures, as outlined below:
2.1 Organizational Control Measures: The Company implements a series of management procedure documents, including the Information Security Organization Management Procedure, Threat Intelligence Management Procedure, Information Asset Management Procedure, Access Control and Password Management Procedure, Supplier Relationship Management Procedure, Information Security Incident Management Procedure, Business Continuity Management Procedure, Regulatory Compliance Management Procedure, and Operational Security Management Procedure, among others.
These procedures collectively govern 37 organizational control measures related to information security operations, including:
Information Security Policy
Roles and Responsibilities in Information Security
Segregation of Duties
Management Responsibilities
Communication with Authorities
Communication with Special Interest Groups
Threat Intelligence
Information Security in Project Management
Inventory of Information and Associated Assets
Acceptable Use of Information and Other Associated Assets
Return of Assets
Information Classification and Labeling
Information Transfer
Access Control
Identity Management
Authentication Information
Access Rights
Information Security in Supplier Relationships
Information Security within Supplier Agreements
Managing Information Security in the ICT Supply Chain
Monitoring, Review, and Change Management of Supplier Services
Information Security in the Use of Cloud Services
Planning and Preparation for Information Security Incident Management
Assessment and Decision-Making on Information Security Events
Response to Information Security Incidents
Learning from Information Security Incidents
Evidence Collection
Information Security During Disruptions
ICT Readiness for Business Continuity
Legal, Regulatory, and Contractual Requirements
Intellectual Property Rights
Records Protection
Privacy and Protection of Personally Identifiable Information (PII)
Independent Review of Information Security
Compliance with Information Security Policies, Rules, and Standards
Documented Operating Procedures
These control measures ensure that the Company’s information security operations are implemented and maintained effectively in alignment with its overall information security management objectives.
2.2 Personnel Controls: Implemented through the Human Resource Security Management and Incident Management procedures, covering 8 control measures, including: screening, employment terms and conditions, security awareness and training, disciplinary process, termination or role changes, confidentiality or non-disclosure agreements, remote work security, and incident reporting.
2.3 Physical Controls: Implemented through the Physical and Environmental Security Management procedure, covering 14 control measures, including: physical security perimeters, entry control, secure offices and facilities, physical monitoring, protection against environmental threats, secure working areas, clear desk and screen policies, equipment placement and protection, off-site asset safety, media storage, utility support, cabling security, equipment maintenance, and secure equipment disposal or reuse.
2.4 Technical Controls: Implemented through Physical and Environmental Security, Access and Password Control, Operational Security, Network Security, and System Development & Maintenance procedures, covering 34 control measures, including: endpoint device security, privileged access management, information access restrictions, source code access, secure authentication, capacity management, malware prevention, vulnerability management, configuration control, data deletion and masking, data loss prevention, backups, redundancy, logging and monitoring, time synchronization, privileged utilities, system installation, network security and segmentation, web filtering, cryptographic controls, secure development lifecycle, application security, system architecture design, secure coding, testing and validation, outsourcing development, environment segregation, change management, test data handling, and system protection during audits.
This comprehensive policy ensures that Chih Chiang Engineering Consultants Co., Ltd. systematically manages information security across all organizational levels, maintaining robust protection of data, operations, and user trust.
3. Responsibilities
3.1 The Company has established an Information and Communication Security Committee (ICSC) responsible for coordinating and managing the formulation, implementation, operation, and resource allocation of information security policies, plans, and reviews.
3.2 Task groups are organized under the ICSC to develop and revise various management procedure documents according to the Company’s information security policy requirements. These groups ensure the effective operation of the Company’s Information Security Management System (ISMS). The implementation results of information security activities shall be submitted to the ICSC for management review at least once a year.
3.3 All departments of the Company shall comply with the information security regulations established by the ICSC.
3.4 All employees, remote system users outside the Company’s premises, and vendors undertaking the Company’s business shall comply with the Company’s information security policies and related management regulations.
3.5 Anyone who commits an act that endangers information security shall bear civil and criminal liability in accordance with the law and shall be subject to administrative sanctions based on the Company’s internal regulations.
4. Definition of Terms
None.
5. Operating Procedures
5.1 Review
5.2 Information Security Responsibilities
5.2.1 The information security policy shall be reviewed and evaluated during ICSC meetings at least annually to assess the effectiveness of its implementation.
5.2.2 The Company shall follow the Information Security Objectives Management Procedure (I-2-05) and use the Information Security Objectives Effectiveness Measurement Form (I-2-05-01) to periodically measure and review the performance of its information security objectives.
5.2.3 The Company shall follow the Organizational Panorama Analysis Procedure (I-2-19) and use the Organizational Panorama Analysis Identification Form (I-2-19-01) annually to perform a comprehensive analysis of information security within the organization. This process identifies internal and external issues that may affect the achievement of ISMS objectives and assesses the needs and expectations of interested parties concerning information security.
5.2.4 The Company shall define and review the Statement of Applicability (I-1-02) annually. This includes evaluating the ISMS scope and verifying the accuracy and appropriateness of included or excluded information security control measures and their justification.
5.2.5 The Company shall establish corresponding management procedures to standardize information security and personal data protection operations, ensuring compliance with relevant laws and regulations.
5.2.6 This policy shall take effect upon approval by the Information and Communication Security Committee, and any revisions shall follow the same approval process.
6. Forms and Related Documents
6.1 Related Documents
6.1.1 All levels of the Company’s Information Security Management documentation.
6.2 Forms
6.2.1 Organizational Panorama Analysis Identification Form (I-2-19-01)
6.2.2 Information Security Objectives Effectiveness Measurement Form (I-2-05-01)