Information Security Management

Information Security Organization and Structure

To manage information and communication security comprehensively, D-Link established the “Information Security Management Committee” in 2021. The President acts as convener and supervises the information security policies of the entire company. The Committee references the ISO 27001:2013 information security management system international standard and the guidelines for establishing internal control systems for public companies. The IT and Information Security Department serves as the dedicated information security unit, and its department head acts as the information security management representative, coordinating the formulation, execution, risk management, and compliance audit of information security and protection related policies. Each information security related unit (product, personal data, privacy, etc.) appoints an information security representative; these representatives regularly convene information security meetings to discuss information security policies and other material information security issues, and to supervise the execution of the company’s information security operations and the effectiveness of its information security risk management mechanisms. The execution results of the information security management operations and systems of the entire information security management organization are reported to the Board of Directors regularly.

D-Link Information Security Organization

Information Security Management Strategy

D-Link’s Board of Directors passed the “Information Security Management Policy” on February 22, 2022. The confidentiality, integrity, availability, and legality of information assets are reviewed every year.

Information Security for Systems

D-Link has passed the “ISO/IEC 27001:2013 Information Security Management System (ISMS)” international certification. The effective period of the current certification is from October 16, 2020, to October 15, 2026. Through the introduction of the ISO 27001 Information Security Management System, we have strengthened our response and handling capabilities for information security incidents to protect the security of the company’s and customers’ information assets.

Information Security for Products

D-Link has passed the “IEC 62443-4-1:2018 Secure Product Development Lifecycle Requirements” international certification in 2020. The effective period of the current certification is from November 30, 2020, to November 29, 2025. The requirements have been introduced in product lifecycles from product design to development and testing, ensuring compliance with the security standards.

Personal Data Protection

D-Link has passed the “BS 10012:2017 Personal Information Management System (PIMS)” international certification in 2021. The effective period of the current certification is from December 1, 2021, to November 30, 2024. All procedures and applicable documents related to the standards comply with the EU General Data Protection Regulation (GDPR) requirements.

Privacy Protection

D-Link obtained the “TRUSTe Privacy Certification Label” international certification in March 2022. To implement its privacy protections and security commitments, D-Link has worked closely with the globally recognized data privacy management authority TrustArc Inc. since 2014. TrustArc Inc. provides services such as privacy evaluations, certification, and monitoring tools. The external service website and related domains have passed TrustArc’s audits and certification and carry the TRUSTe Privacy Certification Label.

Information Security Risk Management and Continued Improvement Framework

D-Link has cultivated the network equipment and services markets for a long time. We place great importance on information security, and the scope of our focus includes employees, organizations, supplier and operation related information, and software and hardware. D-Link formulates its information security policy in compliance with the ISO/IEC 27001:2013 Information Security Management System standard. We have strengthened information security management to ensure that valuable information assets are protected from intentional or accidental internal and external threats, in order to maintain the confidentiality, integrity, and availability of data. Through the information asset and risk management procedures, we identify and protect the company’s valuable information assets using the “Plan – Do – Check – Act” model. We ensure the continued operation of our business, reduce operational risks, enhance service quality, and ensure the consistent and effective implementation of all information security related policies, procedures, and operating guidelines in daily operations.
Information Security Risk Management and Continued Improvement Framework

Specific Information Security Management Solutions

Information Security Protection and Controls

Network Security
  • Introduce advanced technologies to conduct computer scans and software updates, strengthen software firewalls and computer controls, and prevent the spread of computer viruses
 
Device Security
  • Improve endpoint anti-virus and virus scanning mechanisms to prevent ransomware and malicious programs from entering the company
 
Web Application Security
  • Continue to strengthen security control mechanisms for applications and repair potential vulnerabilities
 
Access Control
  • Stipulate the user password management mechanism, network security service mechanism, and methods of internal network segmentation and external connection to manage remote work and protect network and information security
 
Password Key Management
  • To ensure the company’s system operations and the confidentiality of accounts, necessary passwords and keys are managed so as to minimize the risk of leaks and appropriately protect D-Link’s sensitive information
  • The password policy defines password strength rules and forces a password change every three months

 
Continuous Operation Management
  • D-Link shall establish operation continuity plans for important systems and implement annual drills to ensure continued operations
 
Information Security Incident Management
  • In order to reduce the damage caused by information security incidents, information security incident reporting and handling procedures are established

Information Security Risk Review and Continuous Improvements

Education/Training / Promotion
  • Strengthen employee vigilance against email-based social engineering attacks and implement phishing email detection
  • Regularly organize continued operation drills and improve employee information security awareness
 
 
Information Security Risk Management and Monitoring
Commission a third-party impartial inspection unit to regularly conduct information security evaluations on the company:
  • ISO/IEC 27001:2013 Information Security Management System
  • IEC 62443-4-1:2018 Secure Product Development Lifecycle Requirements
  • BS 10012:2017 Personal Information Management System
 
External Threat Detection and Protection
  • Commission a third-party impartial inspection unit to regularly conduct vulnerability scanning and regularly collect external threat information. The information is used to perform risk assessments to strengthen protection against external information security threats
  • We have joined the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC) to regularly collect external threat information and conduct risk assessments according to the information content. Information security personnel are responsible for confirming and tracking the handling results of the information to strengthen protection against external information security threats
 

Resources Invested in Information Security Management

D-Link’s information security measures and execution results include:

  • Passed 4 information security related international certifications: ISO/IEC 27001:2013 Information Security Management System certification (October 2022), IEC 62443-4-1:2018 Security for Industrial Automation and Control Systems Part 4-1 certification (valid until 2025-11-29), BS 10012:2017 Personal Information Management System certification (October 2022), and TRUSTe’s Enterprise Privacy & Data Governance Practices Certification program (2022).
 
  • Performed regular vulnerability scans to ensure the security of the company’s information environment (April to August 2022).
  • Organized over 20 information security related meetings. Implemented information security education for all employees on the internal website every quarter. The 1 dedicated member of the information security unit and the 7 information security network management personnel must undergo more than 24 hours of professional information security training every year. The goal for 2023 is to implement 1 hour of information related education and training for all company employees every quarter: every year, 2 hours of information security education and 2 hours of other information education and training are planned.

Major Information Security Incidents

D-Link passed ISO/IEC 27001:2013 Information Security certification in October 2022 and passed internal/external audits and certification related to BS 10012:2017 Personal Information Management System in October 2022. No major deficiencies were found and no violations of information security or personal data protection that led to customer or employee information leaks and fines occurred.
Furthermore, in 2022, no complaints from third-party impartial inspection units or competent authorities related to customer personal data protection violations or customer data losses leading to judicial actions were received.