Information Security Policy
1. Organization:
To strengthen the company’s information security management and ensure the safety of data, systems, and networks, a dedicated information security unit—Information Security Office—has been established. The organization consists of a dedicated information security officer and one staff member responsible for planning and executing information security affairs. The information security officer reports significant issues or plans to the board of directors at least once a year.
2. Information Security Policy:
(1) Confidentiality of Information Assets: Maintain the confidentiality of information assets, ensuring access is authorized and protecting the privacy of business information.
(2) Integrity of Internal Business Data: Ensure the integrity of internal business data, preventing unauthorized access and modification.
(3) Business Continuity: Ensure the continuity of business operations by maintaining the availability of information services.
(4) Compliance with Regulations: Ensure all business information complies with relevant legal requirements and regulations.
3. Specific Management Measures:
(1) Information Security Management: Protect the company from threats or damage by securing data, networks, systems, and equipment, reducing environmental risks, and providing a secure and reliable operating environment.
(2) Information Security Organization: Oversee the implementation of information security management, develop the company’s information security direction, strategies, and steps, and enhance the safety of company operations.
(3) Information Assets: Establish procedures for managing the disposal of information assets, including corresponding processes for deleting or destroying stored data, to prevent leakage of business or personal information and protect the company’s information assets.
(4) Access Control: Develop access control regulations to ensure that access to company information operations is properly authorized and controlled, preventing unauthorized access and ensuring confidentiality, thus reducing the risk of unauthorized system access.
(5) Computer Information Control: Maintain the effective operation of computer information systems, including mainframes, application software, and information systems, and establish control procedures for employees.
(6) Software Validation and Control: Regularly revalidate software systems, or revalidate them within a specified period following modifications or updates to the original systems.
(7) Physical and Environmental Security: Implement environmental management in the office areas and information centers, and establish corresponding control procedures to protect information assets and the surrounding environment, reducing risks caused by environmental safety issues.
(8) Information Security Incidents: In the event of an information security incident or accident involving the company’s information systems, assess the situation promptly and take necessary countermeasures and follow-up preventive actions, while establishing a comprehensive reporting and handling procedure.
(9) Business Continuity Management: Assess the operational risks caused by potential system interruptions, develop backup or recovery plans for information systems, and conduct regular drills.
(10) Legal Compliance: The company and its employees shall comply with all information security-related laws, regulations, and contractual obligations, as well as the company’s information security standards.