INFORMATION SECURITY POLICY

Our company values the interests of our customers and investors. In response to emerging technologies that may pose malicious threats and intrusions, which could damage the company’s reputation, disrupt operations, and impact the rights of customers and shareholders, we have implemented the ISO 27001 Information Security Management System. We have formulated an Information Security Policy and related regulations, and have announced and promoted them internally to strengthen internal information security governance and raise information security awareness among all employees.

Updated on: April 15, 2025

Our company hereby declares the following Information Security Policy:

1. Information Security Objectives:

1.1 Ensure the confidentiality of the company’s information assets by implementing data access controls; only authorized personnel may access information.
1.2 Ensure the integrity of the company’s information operations management, preventing unauthorized modifications.
1.3 Ensure the continuous operation of the company’s information operations.
1.4 Ensure that all company information operations comply with relevant laws, regulations, and contractual requirements.

2. Information Security Control Measures:

2.1 Establish an information security management organization, with the Chief Information Security Officer (CISO) as the convener, to oversee the operation of the information security management system, identify internal and external issues, and understand the requirements and expectations of stakeholders regarding the company’s information security.

2.2 Identify external issues and the information security requirements and expectations of stakeholders toward the company.

2.3 Management commits to maintaining information security, continuously improving its quality, and reducing the occurrence of information security incidents to safeguard customer interests.

2.4 Regularly review and update the information security management system documents as necessary, with clear management mechanisms in place to protect relevant records.

2.5 Conduct regular inventory and classification of information assets, perform impact analysis and risk assessments, identify potential risks that may affect the operation of the information security management system, and take appropriate measures to address and mitigate such risks.

2.6 Provide regular information security awareness training to employees, establish rules for the use of social networks, and enhance awareness to prevent incidents caused by negligence. All employees have the responsibility and obligation to protect the information assets they own, manage, or use.

2.7 Department supervisors shall consider functional segregation when assigning work, ensuring appropriate separation of duties and responsibilities to prevent unauthorized modifications or misuse of information, products, or services that may affect customer interests.

2.8 For vendors, their employees, temporary staff, and visitors who need access to the company’s information assets, necessary reviews must be conducted, and they must sign relevant information security compliance agreements.

2.9 Considering business needs and potential events that may impact customer interests, establish a business continuity plan for information operations and conduct regular drills to ensure the fastest possible recovery to normal operations in the event of an incident.

2.10 To ensure the achievement of the company’s information security objectives, set information security indicators and conduct regular measurements to maintain the effectiveness of the information security management system and control procedures.

2.11 Ensure the security of controlled and office areas by restricting unauthorized use of USB drives, external cloud storage services, and application software to prevent the theft or destruction of information assets.

2.12 Continue implementing and strengthening network communication security management to reduce the risks posed by hackers, external attacks, malware, and other events that could impact the company’s formal operations.

2.13 All system development, modification, and maintenance must comply with the control principles of ISO 27001 and be carried out only after proper evaluation, discussion, analysis, and authorization, followed by testing and verification before delivery.

2.14 In the event of an information security incident, security vulnerability, or suspected violation of security policies and regulations, follow established procedures for reporting, impact analysis, and confirmation, and implement remedial measures to minimize losses.

2.15 Comply with all relevant internal and external laws and regulations, establish necessary control procedures, conduct regular information security audits, and continue to meet ISO 27001 international certification standards.

3. This policy shall be reviewed at least once a year and revised and announced when necessary.
