Cybersecurity Management Strategy and Framework

Cybersecurity Risk Management Framework

The Company established the “Information Security Management Committee” in 2023. The Committee is divided into a documentation team, a risk team, and an audit team according to their functions, responsible for planning the overall information security management framework and development of the Company, setting information security policies, goals, and systems, and managing information asset risks and information security system execution and auditing according to the ISO 27001 framework.

Additionally, on December 25, 2023, the Company established the “Information Security Management Department,” dedicated to promoting the Company’s information security policies, implementing information security mechanisms, and enhancing employee information security awareness. This department also leads the operation of the “Information Security Management Committee” and reports the progress and results to the top management and the Chairman.

The Audit Office, serving as the regulatory auditing unit for the Company’s systems, also functions as the auditing team for the “Information Security Management Committee.” Each year, it includes cybersecurity management inspections in the annual audit plan and reports the audit results to the Board of Directors regularly (at least once a year), with regular tracking of improvement effectiveness.

The “Information Security Management Committee” holds an annual management review meeting to assess the status of past resolutions, review the analysis of information security risks and audit results, ensure the ongoing operation and implementation of information security management, and evaluate opportunities for improvement.

Additionally, to enhance information security and reduce operational risks, the Company annually commissions a professional audit team from an accounting firm’s IT audit department and external verification organizations to conduct regular audits of information security management, and reports the audit results along with recommendations for improvement.

Information Security Management Framework

Cybersecurity Policy

In accordance with Article 9 of the “Regulations Governing Establishment of Internal Control Systems by Public Companies” regarding “Computerized Information Systems Processing” and the management framework of ISO 27001 Information Security Management System, establish a security policy that complies with these standards.

The Company’s information security objectives are to ensure the confidentiality, integrity, availability, and compliance of the core system management business. Quantitative indicators are defined and measured for each level and function to assess the implementation status of the information security management system and whether the information security objectives are achieved.

• Formulate information security management regulations and regularly review relevant regulations, as well as conduct information security education and training to enhance employees’ awareness of information security and their understanding of related responsibilities.
• Protect information related to the Company’s business activities, strengthen data security, and prevent unauthorized access and inappropriate use such as tampering.
• Ensure that the Company’s important information management system is stable and available for service.
• Implement automated information security monitoring and enhance defensive alert capabilities to reduce unauthorized intrusions, malicious damage, or disclosure of information.
• Ensure standardized operational procedures for daily operations are effectively implemented, and conduct regular internal and external audits to ensure the effectiveness of internal control systems and related procedures.
• Comply with the relevant laws of Taiwan (such as the Personal Data Protection Act, Trade Secrets Act, and intellectual property-related laws) to prevent infringement of the rights of the Company or third parties.

Specific Management Plans

• In compliance with ISO 27001, the international standard for information security management, we have formulated the guidelines for the framework, implementation, maintenance, and continuous improvement of the Company’s information security management system.
• Identify all information assets, make an inventory of important information assets and assign dedicated personnel to manage them, and regularly perform risk evaluation and risk management every year.
• Enhance network and application system security by implementing endpoint protection mechanisms, conducting application system vulnerability scans and source code scans, improving backup equipment and management, and adopting two-factor authentication.
• Develop a business continuity plan and conduct testing drills for critical business processes or activities. Plan recovery steps for potential disruptions to ensure the Company can resume normal operations in the shortest possible time following an information security incident.
• Establish an information security incident management procedure and define classification standards for information security events/incidents to enable rapid and effective responses, minimizing or eliminating the potential impact and damage caused by information security incidents.
• Conduct regular social engineering phishing email drills to raise information security awareness among all employees and provide information security training for employees who fall victim to phishing attempts to strengthen awareness.
• Become a member of the TWCERT/CC “Taiwan Chief Information Security Alliance” to exchange information security intelligence and share important information security issues with each other through the alliance to achieve the purpose of joint information security defense and enhance the Company’s information security protection capabilities.

 Invest Resources in Cybersecurity Management

• Established a dedicated “Information Security Management” department responsible for implementing company information security policies, introducing information security technologies, and coordinating related audit matters to ensure the continuous effectiveness of the Company’s information security management.
• Completed the firewall upgrade and optimization project.
• Implement MDR products to enhance information security defenses by continuously monitoring for anomalies and promptly addressing them with the assistance of information security experts.
• Build a Log Server to consolidate and save large amounts of collected data.
• Conduct social engineering phishing email drills twice every six months.
• Establish an information security management system, publish information security policies and procedures for adherence by all staff, and post relevant information in the [Information Security Learning Zone], including information security awareness training presentations and basic courses on the Personal Data Protection Act.
• Strengthen information security systems with the assistance of professional consulting firms, holding at least one information asset risk assessment meeting and management review meeting each year to ensure understanding of risks and implement improvements.
• Passed the ISO 27001 certification in Q4 of 2023, and there were no major deficiencies in the relevant information security audits.