Corporate Governance

Information Security Management

Information Security Management Organization Vision

In recent years, increased government and industry regulatory oversight has required companies to comply more rigorously with relevant laws and standards. ASUS remains committed to risk assessment and management, strengthening both internal controls and external collaborations, enhancing employee awareness of information security, and closely monitoring the evolution of emerging technologies and threats to address the ever-changing challenges in information security. ASUS is dedicated to advancing information security governance by fully implementing ISO 27001 Information Security Management, ISO 27701 Privacy Information Management, ISO 27017 Cloud Service Information Security Controls, and ISO 27018 Protection of Personal Data in Public Clouds. In product development processes, ASUS adopts international best practices for the Secure Software Development Life Cycle (SSDLC) and Secure Hardware Development Life Cycle (SHDLC) to enhance overall digital operational resilience.

In May 2020, ASUS established the Information Security Committee, which formulated the ASUS Group Information Security Policy under the supervision of the Chairman. In September 2021, ASUS appointed a Chief Information Security Officer (CISO) and established a dedicated information security unit, the Digital Security Center, responsible for the overall planning and promotion of information and product security initiatives. Guided by the vision “Building Digital Resilience, Enhancing Brand Trust, Pursuing Excellence in Security,” ASUS aims to be a robust support for its subsidiaries, customers, and supply chain partners. Each year, the CISO reports to the Board of Directors on group information security risks and the progress of related initiatives.

Four Major Management Domains of the ASUS Digital Security Center:

  1. Information security management, risk assessment, and compliance within the organization and throughout the external supply chain.
  2. Real-time monitoring of security threats to internal and external information operating environments, and incident response actions.
  3. Promotion of product security engineering to enhance the information security of ASUS products and services.
  4. Assessment of configuration and architectural design risks in the cloud services and generative AI platforms and tools used by ASUS, and strengthening of the related security controls.

Four Main Action Themes and Policies

Information Security Management Performance in 2024

Information Security Governance

The Information Security Committee is dedicated to promoting the information security management system: it establishes management procedures in line with international standards and plans, executes, and reviews internal information security activities. To ensure the ongoing effectiveness and compliance of the information security management system, it also regularly conducts internal audits and external validations of all activities.

Information Security Promotion

Incident investigation, improvement, and response exercises are conducted to evaluate the group’s information security defense level. Social engineering drills are carried out in accordance with the standards of the National Cyber Security Report of the Executive Yuan, primarily to prevent business email compromise. New hires and current employees worldwide receive general information security training, with course materials available in 18 languages. The company’s Information Security 10 Rules are regularly promoted and incorporated as mandatory content in annual and new employee information security training to reinforce the idea that information security is everyone’s responsibility. Should an information security event occur, employees can report it to the Information Security Incident Response Team via the information security mailbox. This team comprises members of the Digital Security Center, information security representatives from the various departments, and members of the legal affairs and public relations departments, ensuring comprehensive and timely event handling.

Digital Resilience

In 2021, the “High-Tech Information Security Alliance” was established, aiming to enhance defensive capabilities through regular exchanges within the alliance. In 2022, the cross-industry “Taiwan Chief Information Security Officer Alliance” was formed to improve industry cybersecurity resilience. To strengthen product security development, testing mechanisms for open source components were introduced to the research and development units, and the corresponding policies were formulated and implemented. In addition, training on the SSDLC for open source components and on open source licensing was conducted for the R&D teams. In 2024, ASUS Group invested in critical national information infrastructure projects. In addition to the ongoing construction of the “Forerunner 1” supercomputer at the National Center for High-performance Computing, ASUS also participated in the national projects Pioneering AI Computing Service Platform (“Pioneering One”) and AI Cloud Computing Service Platform (“Pioneering Two”). Leveraging the group's cybersecurity capabilities, ASUS assists these national-level projects in planning their information security defenses, ensuring that essential national computing platforms meet the required cybersecurity protection standards.

Risk Management

ASUS monitors all aspects of digital security risk and assists internal units in developing business continuity plans. This includes implementing BCM risk assessments, risk management, and crisis response plans, as well as monitoring the execution of the related exercises. The goal is to enhance ASUS's overall resilience, mitigate risks, and, importantly, ensure the effectiveness of security incident response and handling by the operations and monitoring teams.

Personal Data Protection Committee

To promote the protection and management of personal data for global consumers and ASUS employees, ASUS established the Personal Data Protection Committee (hereinafter referred to as PDPC) in 2021. Internally, the “General Personal Data Protection Policy” serves as the guideline for the collection, processing, and use of personal information across ASUS products and services (e.g., computers, software, official websites, customer support, etc.). Externally, ASUS publishes a “Privacy Protection Policy” on its website to inform the public and consumers about its data protection practices. For business partners involved in the collection, processing, or use of personal data, ASUS ensures compliance with data protection regulations through contractual agreements.

To ensure effective policy implementation, certain ASUS services obtained ISO 27701 Privacy Information Management and ISO 27018 Public Cloud Personal Data Protection certifications in 2023 to reinforce systematic privacy management. The PDPC follows a risk management process that includes regular data inventory, improvement actions, periodic policy reviews and training, incident response and reporting, and annual internal audits. By the end of 2024, 358 regular PDPC meetings had been held.

PDPC Key Achievements in 2024

Data inventory review

Continue to examine the nature of the data collected, processed, and used by the company to confirm the scope of regulatory compliance.

Process improvement

The Committee advises the relevant departments on the data processing procedures that must be modified and improved to comply with personal data protection laws whenever products or services are updated.

Privacy policy review

Adjust the ASUS Privacy Policy for each country where needed in response to the regulations of the different jurisdictions.

Education and training

In 2024, three training sessions were held for domestic and overseas employees, including both in-person and online courses, as part of the annual data protection awareness program.

Handling requests and inquiries from data subjects and supervisory authorities

The Committee is the central contact point for handling requests and inquiries from data subjects and supervisory authorities. ASUS responds to requests from data subjects within the statutory period. The Committee collaborates with the relevant departments to handle each request and responds to the data subject to fulfill the regulatory obligations. Inquiries from supervisory authorities are handled in the same way to mitigate legal risks.

Annual internal audit

The departments responsible for managing personal data are included in the scope of the company's internal audit. Based on the departments' self-assessments, the departments' examinations of their service providers' practices, and the audits conducted by the auditors, the Committee provides corrective measures and improvement approaches for non-compliant items, assisting the responsible departments or service providers in improving their practices so that the company's policies and related management procedures are fully implemented.

PDPC Key Plans in 2025

  • Continue reviewing and improving compliance in response to changes in personal data regulations worldwide.
  • Enhance data protection training and communications for domestic and overseas units to deepen understanding and compliance.

Data Protection Measures or Regulations

  • Ensure the confidentiality of relevant business information, and protect sensitive information and customers' private information from threats and damage arising from internal or external, deliberate or accidental factors that would expose business information to risks such as modification, disclosure, damage, or loss.
  • Ensure the integrity and availability of relevant business information so that operations are carried out correctly, and protect the security of information assets.