Privacy protection and information security risk management
Protecting the company's R & D achievements and customer information is the duty and responsibility of all HTC employees. In order to ensure that information security and privacy protection are fully integrated into the organization's culture and the company's core values, HTC actively establishes and promotes information security and personal data protection policies, ensuring that they are in compliance with relevant information security and privacy protection regulations from various countries.
Under the influence of COVID-19, HTC strictly protects confidential and personal information and continues to create a win-win situation among HTC, partners, clients, and consumers. HTC is optimizing “personal information management system” and “information security management system” to control potential risks. The legal, product safety, and information security departments are working together as a team to promote privacy protection and information security.
Personal Information Management System
Structure of HTC Personal Information Management System (PIMS)
HTC's privacy protection system complies with Taiwan’s Personal Information Protection Act, and refers to applicable international privacy protection regulations, such as the General Data Protection Regulation the European Union, the Children's Online Privacy Protection Act of the United States, and the California Consumer Privacy Act. HTC also introduced the ISO 27701 Personal Information Management System (PIMS) developed by the British Standards Association for personal information management based on OECD, APEC and data protection laws, and implemented these policies in areas such as employee education and training, product development and design, manufacturer management, and security incident management.
In order to reduce the risk of operation management and ensure the continuous operation of businesses, HTC has moved the core basic systems to the cloud and introduced various cloud services to create a cloud working environment that advances with time. By utilizing the flexibility and high availability of the cloud, deploy and disaster recovery can be performed quickly when failure occurs, effectively improving work efficiency.
Product Information Security
Software Security Control Measures of HTC Products
HTC requires the development team to strictly comply with information security rules from the design stage of products, and provides relevant training on product and information security protection measures to the team. The training refers to the laws and regulations of different countries, as well as the most prominent case studies in the industry. Furthermore, the training materials include a lot of knowledge and experiences in information security which are contributed by HTC’s internal resources. Hence, trainees can easily absorb and utilize this knowledge.
We require all the data collection, utilization, processing and storage of our products and services to go through the product privacy and security (PPNS) design review procedure. The products and services include the virtual reality system - VIVE, enterprise virtual reality solutions, global VR application stores and subscription platform - VIVEPORT, 5G applications, smartphones, VIVE Arts, VIVE Originals, DeepQ AI Platform. As a result, we can comply with the privacy protection principles, such as legitimacy and transparency, minimization of data collection, limitations of purposes and storage, and so on. Therefore, we can ensure the completeness, confidentiality, and accuracy of information.
Structure of Product Information Security
In terms of the product security in the structural planning, we have set up security satellites in major development teams to implement privacy and information security policies more effectively. Besides promoting relevant policies, the security satellites are highly familiar with the products of their own teams and are requested to participate in the PPNS design review procedure mentioned above. Consequently, we enhance the positive meanings of the effect of the review procedure.
In the design and development of software, HTC publishes a privacy protection and safe software development manual to assist the development team for R&D and to execute code reviewing in accordance with the manual. This helps to avoid the involvement of unstable or malicious codes, as well as to ensure that the developed products comply with the expectations of consumers and clients regarding the privacy and information security of HTC’s products.
Our management of privacy and information security does not end after the launch of new services or after the purchase of products. Instead, we continue to work on information security control. We follow up the software patches for security breaches and provide these to the relevant development teams. We also provide designated contacts for external personnel to report information security problems. Additionally, we also equip professional teams to conduct the assessments and replies - demonstrating our highest concern for consumers’ privacy and security. The most important we strive to ensure is that HTC’s services can be provided to our customers correctly and continuously.
As for information security, HTC follows ISO 27001’s information security standard, and establishes and promotes all kinds of information security management measures. In this way “security” becomes part of employees’ daily life. Meanwhile, risk assessments, and privacy and security internal audits are conducted annually. Through these audits we can ensure the implementation of management systems and modify relevant policies to lower the risks in a rolling manner.
HTC Privacy and Security Internal Audit
Cyberattacks are among the common risks in the WEF Risk Report. In addition to ISO 27001 daily practice and management to maintain confidentiality, availability and integrity, the monthly security letters to employees also raise awareness of privacy and information security issues. Other reinforcements include firewalls, intrusion detection and antivirus systems. No material information security event took place in 2021 thanks to our robust security mechanisms.
In terms of reducing operational management risks and ensuring continuous operation, HTC has focused on cloudification of key core basic systems and introduced various cloud services to create a cloud working environment that keeps pace with the times. By utilizing the flexibility and high availability of the cloud, deploy and disaster recovery can be performed quickly when failure occurs, effectively improving work efficiency.