Information Security Policy

Information security and Proprietary Information Protection are commitments from TSMC to customers, shareholders, and employees. TSMC assigned a Chief Information Security Officer (CISO) and set up a dedicated information security organization to actively promote the information security management mechanism. TSMC has professional information security manpower and resources to set related policies, management procedures and regulations that enhance its information security and information protection capabilities. TSMC established the “Information Security Statement” to state its determination to maintain TSMC's competitive advantage and safeguard the interests of customers and business partners.

 TSMC Information Security Statement

 

Information Security Governance

TSMC's Board of Directors authorized the Audit and Risk Committee to be responsible for supervising and managing corporate information security. Sir Peter Bonfield, the Chairman of the Audit and Risk Committee, possesses a background related to information security. TSMC established a dedicated information security organization, the “Corporate Information Security (CIS)” organization, and assigned J.K. Lin, the Senior Vice President of Corporate Strategy Development (CSDV), as the Chief Information Security Officer (CISO), in charge of planning, monitoring and managing information security policies and procedures. TSMC established the PIP (Proprietary Information Protection) & Risk Committee and the IT Security Committee to cooperate with the company's information technology and related organizations to strengthen corporate information security protection and management mechanisms. Every six months, the Corporate Information Security organization executives report risk management measures to the Audit and Risk Committee, including global information security trends, company information security policies, plans, and implementation results. The chairman of the Audit and Risk Committee also reports on the effectiveness of information security supervision and risk control measures to the Board of Directors.

TSMC Information Security Organization

 

PIP & Risk Committee

The PIP (Proprietary Information Protection) & Risk Committee is chaired by the Chief Information Security Officer (CISO) & Senior Vice President of Corporate Strategy Development. Committee members are the Vice Presidents of Legal, Human Resources, Research and Development, Operations and the highest-level supervisor of CIS. The Committee reviews guidelines and policies each quarter to ensure company policies meet information security goals.

IT Security Committee

TSMC established the IT Security Committee, chaired by the Chief Information Security Officer (CISO) & Senior Vice President of Corporate Strategy Development. The committee comprises the Vice President and Directors of Information Technology and holds monthly meetings to review information security policies, assess information security risks, strengthen risk responses, determine security metrics, and analyze global IT trends and threats.

 

Information Security Strategies and Approaches

CIS actively strengthens information security and confidential information protection mechanisms to maintain TSMC’s competitiveness. This is achieved by following international information security frameworks and standards, defining information security policies, procedures and guidelines, updating and strengthening management systems and technology, and implementing comprehensive risk management. CIS performs regular information security risk assessments and sets priorities based on potential impact, probability, and cost to reduce risks. A multi-layer information security defense system with appropriate performance indicators is established by leveraging the Plan-Do-Check-Act (PDCA) approach. TSMC established an automated Information Security Management System (ISMS) with ISO 27001 information security management certification. TSMC has held ISO 27001 certification since 2008 and has continuously maintained it until now (2024). TSMC has passed the audit every three years and has passed CAV (Continual Assessment Visits) every year. The certification scope covers frontend-to-backend protection of customers’ design and manufacturing information, including IP merge, mask data preparation, mask making, warehousing, and associated supporting information and IT processing activities for 300mm wafer production (Tainan). TSMC also continuously obtains ISO/IEC 15408 certifications to accelerate customers’ security product launches. The ISO/IEC 15408 certification covers a wide range of services, from wafer mask design, mask manufacturing, and wafer production to wafer storage, shipment, scrap, and downstream wafers. It also covers wafer testing, wafer bumping, physical environment security, information protection, system security, product security and other procedures that must be fully controlled and protected.
TSMC achieves the highest security standard for product safety and customer proprietary information protection and is now ready to receive and fulfill orders for customers’ high-security products.

Key Focuses of Information Security Management

TSMC has implemented and continually updates rigorous cybersecurity measures to prevent and minimize harm caused by information security attacks. These measures include advanced virus scanning tools to prevent a fab from installing virus-infected tools, strengthened firewall and network controls to prevent computer viruses from spreading among tools and fabs, and the installation of anti-virus and advanced malware detection solutions across our computer devices. In addition, we have introduced new technology for data protection, improved email phishing detection, and regularly perform employee awareness testing. TSMC has also established an integrated and automatic security operation platform, continuously drills the handling procedures for information security attacks, and conducts external security risk assessments. Every year, TSMC’s key focuses of information security implementation are as follows:

  1. Cyber security management
  2. Inventory management and information protection
  3. Information access control
  4. Computer operation security management
  5. Personnel and physical security
  6. Software security
  7. Information security (incident) handling and management
  8. Supply chain security
  9. People management, education and promotion
  10. Internal/external information security assessment and risk management

Information Security Incidents and Reporting Procedure

TSMC has well-defined standard procedures for handling information security incidents, including information security incident notification procedures which assign specific personnel to handle major security incidents, evaluate losses, implement additional responses, assess possible impact on company finances and operations and formulate related countermeasures.

TSMC ISO27001 Certification