Information Security | ACER ESG
Information Security Policy
In pursuit of sustainable operation and the protection of our customers’ trust in us, Acer began implementing an information security management system in 2019. At the foundation of this ISMS is Acer’s information security policy, helping ensure the security of information assets and the continuity of information services, thus mitigating the threat from and impact of information security incidents.
This policy applies when accessing Acer IT’s information assets, IT systems, and infrastructure. It applies to all executives and employees of Acer IT, including contractors, consultants, temporary staff, trainees, and any other third parties working for Acer IT (referred to hereafter as “staff”).
- Ensure that Acer’s information assets are protected from any external interference, destruction, attacks, or any impact from other destructive or negative behaviors.
- Ensure Acer is compliant with relevant laws.
- Ensure the continuity of information services.
The policy framework follows and is based on the following regulations:
- Trade secrets laws, e.g., the US Defend Trade Secrets Act (DTSA), Taiwan Trade Secrets Acts, and similar laws in other jurisdictions.
- Privacy protection laws, e.g., the EU General Data Protection Regulation (GDPR), Taiwan Personal Information Protection Act, and similar laws in other jurisdictions.
This policy is reviewed at least once a year to confirm that it remains compliant with applicable laws and keeps pace with the latest technology and business developments.
Information Security Risk Management Framework
Acer Corporation established the Risk Management Executive Committee in 2022, with the Chief Information Security Officer (CISO) serving as one of its members. The CISO is responsible for developing and implementing information security and protection policies, as well as managing risks, for the company, including the security of its IT systems and product information.
To further enhance the group's information security risk management, Acer Corporation established the 'Group Information Security Governance Committee' in 2023. The committee is coordinated by the Acer Information and Network Security Center and reports directly to the Chairman of the Board. Its members include the head of Acer's IT product line and the general managers of subsidiary companies within the group. The committee also forms working groups responsible for developing group information security and protection policies, as well as conducting risk assessments. Quarterly reports are submitted to the Chairman and General Manager, and an annual report is presented to the Board of Directors on the effectiveness of group information security governance, as well as security-related issues and directions.
Please refer to the Acer Risk Management Organizational Structure Chart for the Acer Group's information security organizational chart.
Information Security Governance
As a global brand, Acer considers maintaining information security immensely important, especially with regard to earning and keeping the trust of those investing in the brand, customers, and other interested stakeholders. We continue to work to improve global information security organization and policy, and to coordinate work on the various aspects of information security management systems, to ensure that the Group’s information assets comply with relevant laws, regulations, and standards. We also strive to set out the security control measures necessary to protect the Group’s information systems and services.
We have established a global information security management organization, and in accordance with the organizational structure, powers, and responsibilities, jointly worked to maintain the system’s sound operation, achieving our goal of stronger information security management. The head of the ISMS is the Head of Global IT, who assigns a co-convenor. The head of each division is a member of the information security management organization and assigns representatives to establish the Information Security Management Team, the Information Security Establishment Team and the Information Security Incident Response Team. The information security internal audit team is staffed by the auditing office, and the support team draws from the Human Resources, General Affairs, Marketing, Legal Affairs and Finance Departments.
Starting from October 2021, Acer has launched the Global Re-architect project, which is expected to take 2 years to re-examine information security and infrastructure across the globe. Acer Taiwan Headquarters completed the ISO27001 review and revalidation in 2022 to ensure that Acer's ISO27001:2013 remains effective and continues to protect the confidentiality, integrity, and availability of information assets by planning, establishing, implementing, and monitoring mechanisms. Acer underwent third-party verification by BSI in March and September 2023 to ensure the ongoing effectiveness of Acer's ISO27001:2013 certification. Acer HQ assisted in implementing an information security management system for EMEA IT and supported the successful ISO27001 certification of key core systems in July 2023.
Information Security Management Focuses and Achievements
- Continuously maintain the ISO 27001 Information Security Management System by implementing the PDCA continuous improvement management philosophy. Conduct the ISO27001:2022 Workshop to ensure that colleagues are aware of the new standards and upgrade control measures accordingly, thereby reducing information security risks.
- Revise the Information Security Policy and Management Guidelines, and consistently publish comprehensive global Cyber Security policies to ensure that organizational security practices are in line with the new ISO27001:2022 standard.
- Expand ISO 27001 management standards and certification to other overseas subsidiaries in order to enhance global cybersecurity defense capabilities, strengthen the foundation of overall security management to improve company image, and achieve sustainable business goals.
- Continuously conduct information security scenario drills to improve employees' capacity to respond to security incidents and the company's resilience to attacks.
- Implement an endpoint OS automation patching solution to enhance endpoint security.
Implement information security management and cultivate a strong security culture
Acer is committed to implementing information security management and cultivating a deep understanding of the purpose behind security activities. To enhance the awareness of information personnel and ensure that frontline employees executing security activities are well-informed, Acer organizes the annual ISMS Workshop and security activity briefings. This ensures that they have the knowledge to act accordingly and continuously provide recommendations to the management departments for optimizing future security implementation plans. This creates a positive cycle of security and fosters a culture of information security within the organization.
Information Security Training
Acer Corporation has implemented personnel education and training programs to strengthen information protection mechanisms and information security management. In the second quarter of 2023, all IT personnel in the global IT department successfully completed security education and training. Furthermore, comprehensive security education and training sessions were conducted for all employees across all departments worldwide, addressing important topics such as passwords, phishing, remote work, ransomware, and business email attacks.
ISMS Workshop
Besides the existing ISA training, to implement the key information security work of Acer’s IT personnel, IT ISO & ITSM Office (ISO Office) of Acer Global IT regularly organizes ISMS workshops of information system account inventory, business impact analysis, objective effectiveness measurement, risk assessment and other key ISMS work items. ISO Office publishes ISMS Workshop presentation slides, FAQs, and teaching video materials to ensure information security work can keep pace with the times.
Information Security Drill
To ensure staff can respond promptly to and handle issues resulting from the impact of major system failures, negative human factors, or natural disasters, Acer holds annual vulnerability scans, penetration tests, and business continuity drills to examine the risk coefficient of all processes and establish recovery plans that strengthen the Company’s emergency response capability and tolerance against cyber attacks. The details of this are as below:
- Disaster response drills: Acer regularly conducts annual disaster response drills for fire, power outage, earthquake, etc. In addition, Acer also conducts quarterly drills for the core systems (including the ERP system, order management system, and accounting system) and more than 100 sub-systems to implement different levels of recovery control measures according to the plan, so as to minimize the impact of a disaster.
- Vulnerability scans: Acer annually examines OS and network equipment security issues via vulnerability scans to discover vulnerabilities in system operations in time, implementing follow-up fixes to reduce exposure to attacks.
- Penetration tests: Acer commissions a third-party cyber security institution to implement drills. The penetration test team tries to break through network or system defenses starting with minimal information, for example by searching for issues in web applications or operating systems, in order to obtain further permissions or access unauthorized data. From the results of these tests, Acer is able to understand security blind spots in the system building or programming process and thus take action to correct or prevent them, enhancing the security level of the enterprise network and reducing security risk.
- Business continuity drills: Acer has set out the Information Security Continuity Management Guidelines to provide guidance to all units in Acer IT in implementing business continuity strategies during adverse situations. Acer follows ISO 27001 and the ISMS to routinely execute drills and examine their effectiveness. Meanwhile, the Company also evaluates the RTO, RPO, and service-level targets of all in-scope systems to implement resource integration and business continuity, ensuring the effectiveness of systems and protecting the best interests of our customers and stakeholders.
2024 Information Security Management Focus
- By 2024, aim to achieve a 100% completion rate for cybersecurity training among colleagues in the IT department worldwide
- In compliance with the release of the new version of ISO27001:2022, update the necessary documents of the Information Security Management System (ISMS) to ensure compliance with the requirements
- A review of ISO27001 verification is to be conducted every six months in 2024
- 24 bi-weekly ISMS meetings are held in 2024 to ensure that the organization's information security adheres to the PDCA cycle
- In 2024, the Group established the Information Security Governance Committee in order to address and mitigate the information security risks faced by the Group
- Expand the scope of the company's information security risk control from IT systems to IT products
- To meet information security governance requirements and enhance the effectiveness of information security risk audits through an independent cybersecurity organization
- Continued execution of the Global Re-architect and ISMS (ISO27001) project
- Strengthen information security control policies, processes and frameworks, and establish standards to identify information security maturity
- Strengthen network firewall and network control to prevent malware from spreading horizontally across the network through network architecture micro-segmentation
- Introduce a multi-level control mechanism for privileged accounts to prevent leakage of privileges
- Introduce an endpoint management mechanism to manage, protect and deploy enterprise resources and applications
- Perform regular information security drills and continuously optimize the mechanism
- Build cloud information security automation control framework
- Enhance backup effectiveness and provide a recovery solution that can be rebuilt quickly
2024 Information Security Events
- 2023/03/16 The audit objectives have been achieved and the certificate scope remains appropriate. Acer’s ISO 27001: 2013 remains valid.
- 2023/09/14 The audit objectives have been achieved and the certificate scope remains appropriate. Acer’s ISO 27001: 2013 remains valid.
- 2024/03/08 The audit objectives have been achieved and the certificate scope remains appropriate. Acer’s ISO 27001: 2013 remains valid.