1. Information and Communication Security Risk Management Framework

  1. Information security responsibility in our company rests with the Administrative Department, which is headed by one Information Security Manager and one Information Security Personnel designated to formulate the company's security policy, plan information security procedures, and execute information security related operations; they also provide a periodic overall report on information security status to the board of directors. The latest report date is December 21, 2023.
  2. The company's Audit Department serves as the supervisory body for information security oversight. The department is led by an Audit Manager and dedicated auditing personnel who are responsible for overseeing the internal execution of information security. When deficiencies are identified, the department requires the audited unit to submit an improvement plan to the board of directors and follows up on the effectiveness of the implemented improvements to reduce internal information security risk. External auditors conduct information operation audits annually; corrections are requested for any identified deficiencies, and the improvement outcomes are subsequently tracked.

2. Information and Communication Security Policy

  • To ensure the effectiveness of the company's information management procedures and uphold the security of our important information systems, the company is committed to maintaining the secure operation of information systems, devices, and networks. This is essential for achieving our goal of sustainable business operations.

3. Detailed Management Plan

  1. Computer Device Security Management
    1. The computer mainframe and all application servers are housed in designated data rooms. Access to the rooms is controlled by card swipe, and all entrance and exit records are retained for inspection.
    2. The server room has independent air conditioning to ensure the optimal operating temperature for the computer device. Additionally, chemical fire extinguishers are placed to address fires caused by general or electrical issues.
  2. Internet Security Management
    1. Network management is strengthened by deploying enterprise-grade firewalls at the gateways connected to external networks to block unauthorized intrusion attempts by hackers.
    2. Colleagues accessing the company network remotely must apply for a database VPN account. Access is permitted only through the secured VPN, and usage records are retained for audit purposes.
  3. Computer Virus Protection and Management
    1. The company's servers and colleagues' computers have endpoint protection software installed. Virus definitions are updated automatically to block the latest virus variants. The software also detects and prevents the installation of system executable files that may pose a potential threat.
    2. The email server is configured with antivirus and spam filtering mechanisms to prevent virus-laden or spam emails from reaching the user's PC.
    3. When a virus is detected or intercepted, the antivirus system immediately isolates or deletes the potential threat. The system also generates a risk report for computers that are infected or at risk, so that management personnel can take the necessary actions.
  4. System Access Control
    1. Colleagues who request access to the various application systems must follow the company's internal permission application process. Once the responsible supervisor approves, the IT department creates a system account, and access is granted by the system administrators according to the permissions required.
    2. Account passwords must meet specified strength and length criteria. To be accepted, a password must include a combination of letters, numbers, and special characters.
    3. On resignation or departure, colleagues must coordinate with the Administrative Department to initiate the deletion of their accounts across the various systems.
  5. Ensure Sustainable Operation of the System
    1. System Backup: A cloud-based backup system is established using a daily backup mechanism. Copies of the system and database must be uploaded to an international cloud and also stored in each local computer room to ensure absolute security.
    2. Disaster Recovery Drill: Each system conducts an annual drill. After a restoration, a data baseline is selected, and the backup media is restored to the system's main server. A written confirmation from the user units is issued to verify the accuracy of the recovered data, ensuring the correctness and effectiveness of the backup media.
  6. Information Security Awareness and Education Training
    1. Regular Awareness Notice: Colleagues are required to change their system passwords periodically to maintain account security.
    2. Awareness Lecture: Information security-related education and training courses are conducted for colleagues irregularly, on an annual basis.
  7. The company's information security manager and personnel are members of the Information Service Industry Association of R.O.C. Through active participation in its events, they engage in interactive exchanges to acquire further relevant knowledge and experience.

4. Allocation of Information and Communication Security Management Resources

To implement the information and communication security policy, the company allocates the following resources:

  1. Network hardware devices, including firewalls, email antivirus, spam filters, internet behavior analysis, etc.
  2. Software systems, including endpoint protection systems, backup management software, VPN verification, encryption software, etc.
  3. Telecommunication services, such as multiple lines, cloud backup services, intrusion prevention services, etc.
  4. Human resources allocated to daily system checks, weekly backups with offsite storage, annual information security awareness education lectures, annual disaster recovery drills, annual internal audits of information cycles, external accountant audits, etc.
  5. Security Personnel: Two responsible personnel, one security manager and one security staff member, oversee the design of the security framework, security operations and monitoring, security incident response and investigation, and the review and revision of security policies.
  6. The Information and Communication Security Management Review Meeting was held on December 26, 2023, to confirm the feasibility of the cybersecurity maintenance plan and ensure its effectiveness in implementation.