Information Security Management
‘Information security is everyone’s responsibility.’ In order to protect the security of information assets, including personnel, equipment, systems, information, data, and networks, and to prevent external threats or internal manipulation, which can lead to the risk of information leaks, damages, or losses, Realtek formulated an ‘Information Security Risk Management Framework’. Through continuous enhancement of risk management while strengthening governance strategies and personnel training, as well as evaluations and supplementary measures, we build a robust, safe, and reliable digital environment of the company. It serves as a cornerstone of Realtek’s sustainable operations.
In 2022, there were no complaints against Realtek for violations of employee, customer, or supplier privacy.
Information Security Policy and Organization
To implement and improve information security, Realtek established the Information Security Steering Committee to provide cross-departmental information security reports, review information security policies, and promote information security management mechanisms. The Committee is chaired by the Realtek Chief Information Security Officer (CISO), with the first-level supervisors from each internal unit serving as ex officio members. The Committee convenes annually and reports to the Board of Directors on a regular basis. To further improve the implementation of information security policies, the Company established a Corporate Security Center (CSC) and appointed an Information Security Officer to assist the Company in planning and reviewing the effectiveness of information security objectives, coordinating cross-departmental information security tasks, managing information security certification projects, responding to major information security incidents, auditing supply chain information security, and conducting internal information security audits. The CSC consists of specialized units such as the Product Development Information Security Office, the Engineering Network Information Security Office, the IT/OT Information Security Office, and an Information Security Education and Training Task Force. It references international security standards to coordinate the formulation and implementation of information security policies and various protective measures, ensuring that information security management achieves the objectives of confidentiality, integrity, and availability.
Information Security Risk Management and Continuous Improvement Structure
Since Realtek is an IC design semiconductor company, its business involves IC R&D, manufacturing, and sales, as well as the provision of software and hardware applications and IP development for IC products. Through various information technologies such as communications, equipment, and information systems, Realtek works closely with upstream and downstream partners in the industry chain and with customers on product R&D and delivery. It maintains organizational information security by establishing and implementing an information security management mechanism.
However, as the scope of operations expands and grows more complex, and as information security threats and hacker techniques continue to evolve, information security protection measures still cannot guarantee that serious cyber attacks will have no impact on organizational operations. Realtek actively manages and controls information security risks, constructs a defense-in-depth mechanism by assessing the importance and impact of each risk and the benefit of the corresponding improvement, and adopts the PDCA (Plan-Do-Check-Action) method to continuously strengthen the organizational information security risk management mechanism.
Specific Management Solutions and Investments
- When a product vulnerability notification is received, the Company seeks to complete the fix and notify affected customers in line with the standards issued by the international information security organization MITRE.
- Through the “Emergency Vulnerability Reporting and Handling Procedures”, emergency handling procedures for disclosed vulnerabilities are carried out, and the time limit for vulnerability handling is continuously shortened.
- The product-related vulnerability reports received in 2022 have been properly handled and closed.
Customer Privacy Protection Mechanisms
Information security, personal data, and customer and supplier privacy are important to Realtek. Realtek takes full responsibility for the safe collection and handling of customer and supplier data as well as employees’ personal information. During the design and development of IC products, we pay close attention to every step of the process and carefully analyze data flow to prevent the unauthorized acquisition, use, destruction, modification, or disclosure of customer information. Realtek’s customer privacy protection mechanisms include the following:
Information Security Education and Training
Realtek regularly conducts information security education and training. Through courses during information security month and information security drills, Realtek strengthens employees’ ability to respond to and handle information security issues. In this way, we raise the information security awareness of all employees, establish a shared understanding of internal information security, and prevent malicious online attacks while lowering the incident occurrence rate and mitigating associated risks and losses.