Information Security Management(Global)

(I)

Describe the information security risk management framework, the information security policy, actual management plans, the management resources for investor information security, and other information:

 

1. Information security risk management structure: Information security has become an important issue to companies due to the effect of technology development. In order to ensure smooth operations in the Company, the Information Technology Division is responsible for information security, formulating related control procedures and management, and periodically conducting information security inspections.

Information security management system: In order to demonstrate the importance attached to information security and to align with international information security standards, the ISO 27001 information security management systems are being introduced in 2023 to strengthen the ability to respond to information security incidents and protect the Company’s and customers’ assets.

 

2. Information security policy: 

(1) Purpose: The Company established an information security management system to create a safe and trusted operating environment for information systems, maintain normal operations, lower operational and process risks, and protect the rights and interests of customers, suppliers and users.

(2) Scope: The scope of the Company’s information security management includes IT personnel at each location, management system, applications, data, documents, storage media, hardware equipment, and network facilities.

(3) Objective: To prevent information systems from improper use or intentional sabotage by internal and external personnel, or for the Company to be able to rapidly respond and recover within the shortest amount of time when information systems have already been improperly used or intentionally sabotaged, and thereby reduce the potential losses and operational risks from the incident.

(4) Procedure: Manage IT facilities, network security, system development and program modification, data security, information confidentiality, and outsourcing.

 

3. Describe the actual management plans, and the management resources for investor information security:

(1) Strengthen network and website security (firewall and intrusion detection system, VPN connection, and website vulnerability scanning).

(2) Strengthen endpoint security (endpoint management system, anti-virus software, website management, real-time communications management, and Windows update).

(3) Data leakage protection (document classification and access rights and portable storage device management).

(4) E-mail security (blocking spam, virus, or phishing, and e-mail backup mechanisms).

(5) Enhance the IT infrastructure (server and network cluster structure establishment and remote backup).

(6) Recovery drills (drills for recovering files, database, and system from remote backup).

(7) Raise information security awareness (regular communication, credit-based training courses, and social engineering rehearsal).

In addition to the enhancement projects above, the Company implements its information policies, including irregularly participating in information security seminars to understand the latest information security issues, trends, and reinforcement measures, so as to continue enhancing and improving its information security management.

 

(II)

List the losses sustained due to major information security incidents, possible impact, and the responses measures in the most recent year and up to the date of report. If it cannot be reasonably estimated, describe the facts that it cannot be reasonably estimated:

There were no major information security incidents in 2022 and up to the publication of the annual report.