Information Security Policy and Measures
LITEON has formally established an Information Security Policy as the foundation of our security management framework. This policy reflects our commitment to safeguarding the security and privacy of all stakeholders—including employees, customers, suppliers, partners, and shareholders—as well as operation-related information assets. It ensures the confidentiality, integrity, availability, and legality of information assets, while reducing risks from internal and external, deliberate or accidental threats.
Our Approach
Information security is embedded in every aspect of our operations. We focus on strengthening systems, protecting data integrity, and responding swiftly to potential threats. By fostering accountability among employees and extending security standards to partners and suppliers, we ensure privacy and information protection remain integral to sustainable business practices.
Governance and Standards
To achieve this, LITEON has established an ISO 27001-certified Information Security Management System, adopting the PDCA cycle for continuous improvement. We obtained ISO 27001:2013 certification in 2020 and upgraded to ISO 27001:2022 in 2024. The current certificate is valid from November 16, 2024, to July 1, 2026.
Our governance framework includes a cross-functional Information Security Committee, chaired by the Board and led by the Chief Information Security Officer (CISO). The committee consists of ten colleagues from the Information Security Center and over thirty representatives from business units and functional units. It holds quarterly meetings to review threats, plans, and effectiveness, and the CISO reports annually to the Board.
LITEON also participates in industry alliances such as the Taiwan Information Security Management Association, Taiwan Information Security Alliance, and High-Tech Information Security Alliance to strengthen capabilities.
Scope and Responsibilities
The scope of information security covers employees, clients, suppliers, shareholders, and all IT systems, software, and hardware associated with business activities. All employees sign the Code of Professional Ethics and receive annual training to raise awareness and integrate security into daily operations. Suppliers and partners must comply with LITEON’s security requirements, including confidentiality agreements to protect customer privacy and personal data.
Integrated Risk and Continuity Management
Information security is embedded in our Business Continuity Management System (BCMS) to prevent threats, limit damages, and ensure rapid recovery. This approach aligns with ISO 27001 and supports factories in maintaining resilience against disruptions.
Key Measures
- Threat Monitoring & Vulnerability Analysis: Real-time monitoring via a Security Operation Center (SOC), regular vulnerability scans, third-party security ratings, and continuous threat exposure management, including dark web intelligence and penetration testing.
- Data Protection: Azure Information Protection (AIP), encryption, identity verification, secure remote access, and Microsoft Office 365 tools to safeguard sensitive information in office and remote work environments.
- Industrial Control Security: IEC 62443-based controls for production IT systems, including network segmentation, device authentication, virus protection, portable device control, and backup mechanisms to prevent disruptions.
- Network Security: Zero-trust architecture, endpoint protection, strict identity verification, and SD-WAN for centralized network management and application visibility.
- Internal and External Audits: Internal audits are conducted by a dedicated team of 10 security specialists and 30 representatives from business units, following the PDCA cycle. Independent external audits verify compliance and include ISO/IEC 27001:2022 and ISA/IEC 62443 certifications.
Incident Reporting and Response
Employees can report vulnerabilities or suspicious activities through internal channels to the IT department or dedicated security unit. A structured escalation process ensures timely response and corrective actions.
In July 2024, during a routine inspection, LITEON detected an anomaly. Immediate network isolation and defense mechanisms were activated, and detection protocols were strengthened. The incident had no financial or operational impact.
Training and Awareness
All employees complete mandatory annual training (minimum one hour), with role-specific courses on privacy and security. New hires sign the Code of Conduct and receive onboarding training. Additional external training for auditors and random social engineering exercises are conducted to reinforce awareness.
Physical and Access Control
Advanced access control systems and trained security personnel protect offices and factories. Breaches trigger corrective or disciplinary actions, including warnings, demerits, or termination.
Performance and Transparency
In 2024, LITEON reported zero material breaches and no complaints related to privacy or data loss. Customer data was not used for secondary purposes. These results are disclosed in the Annual Report (pages 123–131) and ESG Report (Section 3.4).
[Figure: Information security management campaign and blueprint]
LITEON places a high priority on customer privacy and personal data protection. Internally, we have implemented a Personal Information Management System (PIMS) and established a personal privacy data protection policy along with related measures. This ensures that the collection, processing, and use of personal data within the company are conducted in accordance with established guidelines and operate effectively. In our daily operations, LITEON continues to promote the practice of personal data protection through risk assessments and document control. LITEON also regularly conducts personal data protection training for employees to comprehensively enhance internal privacy protection awareness, in order to create a reliable and comprehensive personal data protection environment. In 2024, there were no complaints or lawsuits related to personal data breaches.
Privacy Policy
LITE-ON Technology Corp. respects the privacy rights of users of our company websites. Please read our company's privacy policy below carefully. We hope to let all visitors fully understand what data we collect, how we collect the data, and how we protect the right of privacy.
If you continue to browse our company websites or if you provide us your private data, it will be regarded as your acceptance of the terms of our privacy policy.
Information We Collect
You do not have to provide any personal information while accessing our company's websites. However, certain services or functions of our websites may collect personal information that can be used to identify a specific individual, such as your name, address, telephone number, email address, or any other contact information.
Additionally, we may also automatically collect certain information incidental to your use of our websites, such as the IP address, the type of browser software, and the operating system of your computer, as well as web page access information collected through Cookies or Web Beacons, such as the times of access, duration of use, etc.
How Will We Use Your Personal Information
The personal information we collect may be used to respond to your requests, send mail and newsletters, or provide the services you request. We may also use part of the collected information to help improve the content and service quality of our websites. We will not disclose, sell, provide, or share your personal information with persons other than LITEON's affiliates, except where (1) we need to provide the services at your request, (2) we have already obtained your authorization, or (3) one of the following situations applies.
We may provide part of the collected information to our management team and the authorized employees or affiliates relevant to the business for reference (for example, we may provide your resume information to our Human Resources Department for reference), or we may use the authorized webpage design as a reference for the maintenance or enhancement of our company's website. The provision of the above-mentioned information must follow this Privacy Policy as well as other pertinent confidentiality and security measures. We may also disclose the collected personal information for the following reasons: (1) as required by law; (2) to comply with legal process or governmental requests; (3) to respond to subpoenas or warrants served on LITEON Technology Corp.; (4) to protect and defend the rights or property of LITEON Technology Corp.
Modification or Deletion of Your Personal Information
If you wish to modify your personal information, stop receiving information from us, or remove your personal information from our company website database, please email webmaster@liteon.com and we will handle it for you immediately.
Changes to this Privacy Policy
LITEON Technology Corp. may revise this Privacy Policy from time to time. You can confirm whether our Privacy Policy has been updated by checking the "Last Revised Version and Date". We suggest that you visit our company website periodically to review our latest privacy policy and its terms.
Personal Data Protection Internal Control and Audit Mechanism
To ensure that the collection, processing, and use of personal data comply with the Personal Data Protection Act and relevant regulations, the Company has established a comprehensive personal data management system and internal control mechanism. Through regular internal audits and continuous improvement processes, we strengthen compliance and risk control in privacy protection.
Our personal data protection practices cover the following key points:
- All personal data is collected for specific purposes and in accordance with legal requirements. Any use beyond the original purpose must also comply with legal provisions.
- Data subjects are clearly informed of the necessary information before collection, and written consent is obtained.
- The accuracy of personal data is regularly reviewed, and corrections, supplements, deletions, or cessation of use are carried out upon the data subject’s request.
- A request mechanism is in place for data subjects to exercise their statutory rights, with clearly defined procedures and required documents.
- Personal data files and processing equipment are subject to security control mechanisms and are managed in accordance with the Information Security Management Regulations.
- Employees are obligated to maintain confidentiality and are required to undergo regular training on personal data protection to enhance compliance and information security awareness.
Internal Audit System
To ensure the effectiveness and continuous improvement of the personal data management system, the Company has incorporated personal data protection into its internal audit plan and, based on a risk-oriented approach, regularly conducts the following audit activities:
- Audit frequency and scope: At least once a year, audits are conducted on processes such as the collection, processing, use, storage, and deletion of personal data, covering all departments and information system operations.
- Audit items: Include whether there is a legal basis for collection, whether data subjects are clearly informed, whether valid consent is obtained, whether use beyond the original purpose is compliant, data accuracy maintenance, procedures for exercising data subject rights, equipment and environmental security controls, and implementation of training programs.
- Audit methods: Include document review, system sampling, on-site interviews, and field inspections, conducted by the Internal Audit Center.
- Deficiency tracking and improvement: Audit results are compiled into reports for management review. Responsible units are required to complete corrective actions within a specified period. Major deficiencies are reported to the Board of Directors.
- Continuous improvement: Audit results also serve as a basis for revising policies and planning training programs to ensure that personal data protection practices keep pace with the times.
Through institutionalized audit and improvement processes, we are committed to strengthening a culture of data protection, reducing potential risks, and enhancing stakeholder trust in our privacy governance.