Information Security Risk Management Framework (Approved by the Board on August 5, 2022)
Information Security Policy
l Adhere to information security regulations, comply with relevant laws:
Establish various information security management procedures, and regularly assess and adjust according to actual circumstances.
l Enhance personnel's awareness of information security:
Employees should participate in relevant information security education and training to raise the overall awareness of information security throughout the company.
l Prevent the leakage of confidential information:
Safeguard company confidential information, prevent unauthorized access and tampering of information, and avoid any leakage of sensitive data.
l Implement internal information security audits:
Regularly conduct internal audits of various information security measures to ensure the effective implementation of operations.
The specific management plan for information security typically includes the following elements:
|
Item |
Solutions |
|
Information Security Protection |
Document Management |
l Establish a document management platform and implement document classification
l Establish processes for confidential document retrieval and document destruction, including tracking and management。
l Implement encryption controls and effective tracking for documents and data
l Control and monitor outgoing emails |
|
Risk Management |
l Conduct risk assessments for the information data center, regularly perform vulnerability scans, and carry out periodic disaster recovery drills for core information and communication systems |
|
Information Operations Security |
l Enforce password setting rules and establish remote and on-site backup/redundancy services
l Employees are required to apply for a VPN account to access the company's internal information systems from external locations
l Information system accounts must be applied for according to company regulations. When employees resign, they are required to coordinate with the information unit for account deletion |
|
Device Network Security |
l Implement security mechanisms on devices, monitor network and information access security.
l Establish endpoint antivirus measures based on computer types, enhance detection of malicious software behavior.
l Strengthen firewall and network control to prevent the spread of computer viruses across machines and plant areas. |
|
Plant area Security |
l Implement control measures for computers used by incoming guests/visitors |
|
l Establish access control for office areas and computer rooms, monitoring for any abnormal incidents |
|
Review and Continuous Improvement |
Education, Training and Promotion |
l Enhance employee awareness of email attacks, regularly conduct phishing email defense detection
l Regularly implement information security education and training to enhance employee awareness of information security |
Allocation of resources to information and communication security
The dedicated human resources information security unit consists of three employees responsible for company information security planning, technical implementation, and related matters to maintain and continuously enhance information security.
l Network Hardware Equipment:
Firewall, backup server, data center temperature (humidity) detection system, uninterruptible power supply (UPS) system, automatic fire suppression system for the data center, surveillance cameras in the data center, offsite backup facility.
l Software Systems:
File encryption management software, backup management software, antivirus software, Endpoint Detection and Response (EDR) software, spam email filtering.
l Education and Drills:
Regular cybersecurity awareness campaigns, disaster recovery drills, permissions review.
l Training
Conduct two online information security education and training sessions and assessments; a total of one social engineering phishing email test was conducted in 2023.
l Customer Satisfaction
No significant security incidents occurred, and there were no complaints regarding the loss of customer data.