Information Security Risk Management

【Information Security Risk Management Framework】

The company's information security-related policies, plans, measures, and technical specifications, as well as research, implementation, and evaluation of security technologies, are handled by the IT Department. The security requirements, usage management, and protection of data and information systems are managed by the business units. The auditing of information security usage management is the responsibility of the Audit Office.

Users must follow the requirements of the responsible unit regarding the use of information assets and bear the responsibility for correct operation and usage.

The IT Department reports on information operations and execution results in the monthly management meeting.

The Audit Office conducts an internal audit annually. If deficiencies are found, corrective measures will be required and the improvements will be tracked.

An annual audit of information operations is conducted by an external auditor. If deficiencies are found, corrective measures will be required and tracked.

【Information Security Policy】

(1) Purpose

    To maintain the company's overall information security environment, strengthen the security management of various information assets, and establish a convenient and secure electronic work environment.

    This ensures the security of data, systems, equipment, and networks, as well as the proper placement of information equipment and the feasibility and effectiveness of information security practices.

(2) Scope

    The company's information security management scope includes all information assets (including software and hardware), as well as formal employees, temporary employees, hired personnel, external vendors, and other authorized users of the company's information assets.

(3) Definition and Objectives

    Considering the importance and value of various information assets, as well as the risks posed by human error, intentional attacks, or natural disasters, measures are implemented to prevent unauthorized use, data leakage, malicious tampering, and damage, which could impact business operations.

    Security measures proportional to the value of information assets and cost-effective management, operations, and technology will be adopted.

    To prevent unauthorized access or intentional destruction of information systems by internal or external personnel, the company must respond quickly to security incidents to minimize financial losses and operational disruptions.

【Specific Information Security Management Measures】

(1) Host System Security:

    1. To ensure the security of the host operating platform and database and to standardize operating procedures, periodic inspections of the host should be conducted, or outsourced maintenance should be arranged. Critical hosts must have backup or redundancy mechanisms.

    2. Regularly check computers for unauthorized programs and avoid opening unknown or unnecessary files such as .zip, .exe, .scr, .vbs, etc., to prevent Trojan horse infections.

    3. Regularly update system security patches, antivirus software, and virus definitions. Do not disable system auto-update, so that normal operations are maintained.

    4. When not in use, personal computers must be protected by passwords, locked, or logged out.

    5. The use of peer-to-peer (P2P) applications, tunneling tools, or software that may harm network performance, devices, or bandwidth, as well as personal FTP hosting, is prohibited.

(2) Network Security and Virus Prevention:

    1. To ensure secure network services and usage, training for new employees must be conducted, and network security awareness campaigns must be held periodically.

    2. All company computers must have officially licensed antivirus software installed for regular scanning and protection against malicious software.

(3) Security Management of Daily Operations:

    1. Data Backup:

    (1) Regular backups of critical data must be conducted to prevent accidental loss or media failure.

    (2) Backup data must be stored both on-site and at an off-site location as a contingency for disasters.

    (3) Periodic testing of backup data should be performed to ensure usability.

(4) Password Policy:

    (1) Computer accounts must have passwords and be periodically reviewed. It is recommended that passwords be changed every three months.

    (2) Passwords should be at least eight characters long and include letters and numbers.

(5) Environmental Security Control:

    (1) To ensure the security of related facilities, unauthorized personnel are not allowed to enter server rooms or use related IT equipment.

(6) Network Security Planning and Management:

    1. Firewall Security Management:

    (1) Firewalls must be installed at network entry points to control data transmission and resource access.

    (2) Firewalls should be managed by network administrators and must not allow remote logins, to prevent credential theft.

【Resources Invested in Cybersecurity Management】

Information security is a critical issue for the company's operations, and the corresponding security management measures and resources are as follows:

(1) Dedicated Personnel: A "Cybersecurity Team" of 10 professionals is responsible for information security planning, technical implementation, and auditing.

(2) Certification: ISO 27001 information security certification has been obtained with no major security audit deficiencies.

(3) Customer Satisfaction: No major security incidents or complaints related to customer data loss.

(4) Training: All new employees complete information security training before onboarding. Employees undergo at least two online security