Information Security | ACER ESG
Information Security Policy
In pursuit of sustainable operation and the protection of our customers’ trust in us, Acer began implementing an information security management system in 2019. At the foundation of this ISMS is Acer’s information security policy, helping ensure the security of information assets and the continuity of information services, thus mitigating the threat from and impact of information security incidents.
This policy applies when accessing Acer IT’s information assets, IT systems, and infrastructure. It applies to all executives and employees of Acer IT, including contractors, consultants, temporary staff, trainees, and any other third parties working for Acer IT (referred to hereafter as “staff”).
- Ensure that Acer’s information assets are protected from any external interference, destruction, attacks, or any impact from other destructive or negative behaviors.
- Ensure Acer is compliant with relevant laws.
- Ensure the continuity of information services.
The policy framework follows and is based on the following regulations:
- Trade secrets laws, e.g., the US Defend Trade Secrets Act (DTSA), Taiwan Trade Secrets Acts, and similar laws in other jurisdictions.
- Privacy protection laws, e.g., the EU General Data Protection Regulation (GDPR), Taiwan Personal Information Protection Act, and similar laws in other jurisdictions.
This policy is reexamined at least once a year to confirm that it remains legally compliant and keeps pace with the latest technology and business developments.
Information Security Management Focuses and Achievements
- E-commerce system accredited by ISO27001
- Pan-European IT brings a key core system into ISO27001 compliance
- Global introduction of MDR (Managed Detection and Response) threat detection and response and compliance-detection defense mechanisms, significantly strengthening global information security defense capabilities
- Establish a global vulnerability management dashboard for real-time monitoring, providing a quick overview of the information needed for risk control, and further develop remediation standards to reduce risk
- Create a global defense and detection dashboard to provide a real-time overview of information security risks
Implement information security management and cultivate a strong security culture
Acer is committed to implementing information security management and cultivating a deep understanding of the purpose behind security activities. To enhance the awareness of IT personnel and ensure that frontline employees executing security activities are well informed, Acer organizes the annual ISMS Workshop and security activity briefings. These give staff the knowledge to act accordingly and to continuously provide recommendations to the management departments for optimizing future security implementation plans, creating a positive security cycle and fostering a culture of information security within the organization.
Information Security Management Organization
Acer implements various information security activities via the Corporate Information Security Management Organization and hosts management review meetings periodically to examine and decide information security guidelines and policy. The performance of information security management and related issues are also presented in these meetings to ensure the effectiveness of the ISMS, the protection of the Company’s intellectual properties, the protection of customers’ data, and the enhancement of staff’s information security awareness.
The Corporate Information Security Management Organization is supervised in terms of information security strategy by the Chairman & CEO and the Board via reporting in routine meetings, as well as by the Risk Management Committee. Through this, Acer is able to boost the efficiency of policy announcements and the mechanisms of cross-functional communication.
The Corporate Information Security Management Organization is led by the Head of Global IT, who has assigned the IT ISO & ITSM Office the primary role in implementing the ISMS and the Corporate Information Security Office the primary role in enhancing cyber security. AVPs and senior directors are assigned to be members of the Information Security Committee that appoints representatives to the Global Information Security Response Team, ISO Information Security Establishment Team, Information Security Audit Team, and Cyber Security Management Team, continuously optimizing the internal management of information security.
Information Security Training
Acer’s Human Resource Security Guidelines serve as the management basis for urging all staff to understand the importance of information security and various potential information risks. These guidelines provide the rules for training and communication in information security and its management. The aim is to promote security awareness and compliance with information security while also reducing security incidents caused by malicious behavior, negligence, or lack of understanding of information security. The guidelines also illustrate the penalties and legal liabilities that may arise from violations of information security regulations, further elevating staff’s information security awareness and encouraging all members to abide by the rules of information security.
In addition to the existing ISA training, the IT ISO & ITSM Office (ISO Office) of Acer Global IT regularly organizes ISMS workshops on information system account inventory, business impact analysis, objective effectiveness measurement, risk assessment, and other key ISMS work items, to support the key information security work of Acer’s IT personnel. The ISO Office publishes ISMS Workshop presentation slides, FAQs, and teaching video materials to ensure information security work keeps pace with the times.
Results and Statistics
Feedback and Action Plan
Information Security Drill
To ensure staff can respond promptly to and handle issues resulting from major system failures, negative human factors, or natural disasters, Acer holds annual vulnerability scans, penetration tests, and business continuity drills to examine the risk coefficient of all processes and establish recovery plans that strengthen the Company’s emergency response capability and resilience against cyber attacks. The details are as below:
- Acer regularly conducts annual disaster response drills for fire, power outage, earthquake, etc. In addition, Acer conducts quarterly drills for the core systems (including the ERP system, order management system, and accounting system) and more than 100 sub-systems, implementing different levels of recovery control measures according to the plan so as to minimize the impact of a disaster.
- Acer conducts annual vulnerability scans of operating systems and network equipment to discover vulnerabilities in system operations in time, and implements follow-up fixes so that they cannot be exploited in attacks.
- Acer commissions a third-party cyber security institution to carry out penetration tests. The penetration test team tries to break through network or system defenses with minimal information, such as searching for issues in web applications or operating systems, in order to obtain further permissions or access unauthorized data. From the results of these tests, Acer is able to understand security blind spots in the system building or programming process and take action to correct or prevent them, enhancing the security level of the enterprise network and reducing security risk.
Business continuity drills
Acer has set out the Information Security Continuity Management Guidelines to provide guidance to all units in Acer IT in implementing business continuity strategies during adverse situations. Following ISO 27001 and the ISMS, Acer routinely executes drills to examine the effectiveness of its business continuity measures. Meanwhile, the Company also evaluates the RTO, RPO, and service-level indices of all systems in scope to integrate resources and ensure business continuity, maintaining the effectiveness of systems and protecting the best interests of our customers and stakeholders.
2023 Information Security Management Focus
- Assist Acer EMEA IT to achieve ISO27001 certification.
- To maintain best practices for Acer's information security compliance, we will conduct education and training for key members of the organization on the ISO 27001:2022 version changes and revise relevant information security policies and guidelines to fully prepare for the migration.
- To improve the auditor's mastery of the audited system, we plan to create ISMS system profiles for each audited system.
- Automate operations such as information account inventory and asset inventory.
- Strengthen information security control policies, processes and frameworks, and establish standards to identify information security maturity.
- Strengthen network firewall and network control, using micro-segmentation of the network architecture to prevent malware from spreading laterally across the network.
- Introduce a multi-level control mechanism for privileged accounts to prevent leakage of privileges.
- Introduce an endpoint management mechanism to manage, protect, and deploy enterprise resources and applications.
- Perform regular information security drills and continuously optimize the mechanism.
- Build cloud information security automation control framework.
- Enhance backup effectiveness and provide a recovery solution that can be rebuilt quickly.
2022 Information Security Events
Continuing to pass the third-party certification
- 24/11/2021 The audit objectives have been achieved and the certificate scope remains appropriate. Acer’s ISO 27001:2013 certification remains valid.
- 27/04/2022 The audit objectives have been achieved and the certificate scope remains appropriate. Acer’s ISO 27001:2013 certification remains valid.
- 13/09/2022 The audit objectives have been achieved and the certificate scope remains appropriate. Acer’s ISO 27001:2013 certification has been renewed and remains valid.