Information Security Management

Organization Structure and Management Policy

Numerous emerging technologies have appeared during the COVID-19 pandemic. They create brand-new work settings which bring unprecedented challenges for information management and product security. ASUS established the Information Security Management Committee and assigned the CEO to oversee the management, to respond to the increasingly severe challenges and to enhance the corporate sustainable development. The Information Security Management Committee launched the ISO 27001 to create management procedures to meet international standards. Internal information security activities were planned, executed, and reviewed, to verify the activities and relevant results, meeting the targets and requirements of the information security management system.

Using the Information Security Management System as the basis, ASUS appointed the Chief Information Security Officer (CISO) and set up a new dedicated unit - Digital Security Division in September 2021. The Company devoted in comprehensive plans and implementation of information security and product security with the aim of "building digital resilience, increasing brand trust; pursuing excellence, and ensuring security". We aim to become a supportive party for our subsidiaries, suppliers, and supply chain partners.

Three major management areas

  1. Focus on governance issues such as information security management in corporate and in supply chain, risks, and compliance
  2. Implement real-time monitoring of security threats in the internal and external information operating environment and provide contingency measures when incidents occur
  3. Launch safety engineering projects to strengthen the information security of ASUS products and services


Structure of Information Security Management and Actions

Please click here for details.

Information Security Management Performances in 2021

ASUS Leads the Collective Defense in the Industry

The "High-Tech Information S ecurity Alliance" was established in 2021 and ASUS' Chief Information Security Officer (CISO) served as the first Chairman. The Chairman represents companies in the Alliance and visited gover nment institutions to maintain positive interactions and support development in the industry. ASUS was glad to learn that the Legislative Yuan will pass the legislation for including "information security products or ser vices" in tax credits in the third reading in 2022. With the suppor t and assistance of government authorities, the measure could help the industry accelerate investments in information security and increases the reliability of the industry in the global supply chain.

Companies and the industry collaborate with external entities, government authorities, and international bodies and expanded the collective defense from internal organization and group to the industr y. This trend deser ves attentions from the industry.

Response to the Cyclops Blink Incident

With regard to the intrusion of Cyclops Blink into ASUS routers in March, 2022, Trend Micro discovered that the Russian Botnet Formula, Cyclops Blink, had targeted and infected ASUS routers. According to ASUS' research, the Botnet Formula only worked on devices with old firmware released before 2021. ASUS announced the results of the study in the Security Advisor y at the same time as the publication of the research by Trend Micro. To enhance the securit y of routers, at the end of March ASUS has released the updated firmware for the devices that were being attacked to strengthen security measures, and will implement the same protection mechanisms to other devices.s

Personal Data Protection Committee

ASUS established the "Personal Data Protection and Information Security Committee" in April 2012 according to the instruction from the top management to formulate the company's policy on personal data use and handle relevant matters. In response to regulatory changes and reorganization, the above committee has changed to the "Personal Data Protection Committee" (Hereinafter referred to as "the Committee") in 2018, and the Committee has released a new company's policy named the "General Personal Data Protection Policy" and implemented it internally. The Policy is used as guideline on the collection, processing and use of personal data collected through ASUS products and services (such as computers, software, official websites, customer support services and others). The Committee published the "ASUS Privacy Policy" on ASUS official website to let the general public and consumers aware of how ASUS protects and manages their personal data.

In order to ensure the full implementation of the company's policies, the Committee holds regular bi-weekly meeting to implement and review annual objectives, and calls irregular meetings from time to time to adjust implementation measures and handle personal data relevant events. By the end of 2021, the Committee has held 270 regular meetings.

Main accomplishments of the Personal Data Protection Committee in 2021:

  • Regulatory compliance management for the personal data protection laws:
    • Data inventory review
      Continue to examine the nature of data collected, processed and used by the company to ensure the scope of regulatory compliance.
    • Process improvement
      The Committee elaborates to the relevant departments on the data processing procedures that shall be modified and improved to be in accordance with personaldata protection laws in response to the update of products or services.
    • Privacy policy review
      Adjust the ASUS Privacy Policy for each country in response to regulations from different jurisdictions if needed.
    • Education and training
      Education and training sessions are held annually to ensure all employees understand the company's policy. In 2021, 8 sessions were provided to employees in headquarters and in overseas offices.
    • Handle the request and inquiry of data subjects and supervisory authorities
      The Committee is the central contact point for handling requests and inquiries of data subjects and supervisory authorities. ASUS shall respond to the requests from data subjects within the statutory period by law. The Committee collaborates with the relevant departments to handle requests and responds to the data subjects to fulfill the regulatory obligations. Inquiries from the supervisory authorities are also handled with the same approach to mitigate legal risks.
  • Annual internal audit
    The responsible departments involved in the management of personal data are included in the scope of audit to cooperate the company's internal audit. With internal selfassessment conducted by the departments, examination of service providers' practices conducted by the departments, and audits conducted by auditors, the Committee provides corrective measures and improvement approaches on non-compliant items to assist the responsible departments or service providers to improve their practices to ensure the full implementation of the company's policies and relevant management procedures.
  • Annual vulnerability scanning on personal data related websites
    In order to reinforce security of websites and consumer data, the Committee requires the Enterprise Intelligence Data Development Center to implement vulnerability scanning on websites which provide external services and collect personal data. Based on vulnerability scanning evaluation report issued by the Center, the Committee conducts the tracking of vulnerability correction progress and audits the implementation of vulnerability management. The responsible department is required to improve on non-compliant items within a limited time period.
  • Education and training
    • Regular in-person classes: Training courses on personal data protection are offered to all employees annually.
    • Non-scheduled classes: Provide specific sessions on personal data protection based on the needs of each department.

Main plan for Personal Data Protection Committee in 2022

  • Continue to improve the interface for individual parties to file personal data requests as well as internal procedures
  • Review and improve company's degree of compliance in response to new legislation in countries such as Thailand and Vietnam
  • Increase overseas audits and assist related departments in performing supplier audits

To ensure that information security measures or specifications comply with requirements of existing laws, the information security policy is reviewed annually:

  • Ensure confidentiality of relevant business information, prevent sensitive information and customer private information from various threats and damage due to internal or external, deliberate or accidental factors, which exposes business information under risks such as modification, exposure, damage or missing.
  • Ensure the completeness and availability of relevant business information and thus correctly carrying out the operation, and to protect security of information assets.