Information Security Policy
1. Organization:
To strengthen the company's information security management and ensure the security of data, systems, and networks, a dedicated unit for information security, the Information Security Department, has been established. The organization includes a dedicated information security supervisor and one information security staff member, who are responsible for the planning and implementation of information security affairs.
The information security supervisor is required to report significant issues or plans at least once a year during the board meeting.
The Information Security Department needs to convene relevant personnel every six months to hold an information security meeting, and meeting records must be kept for tracking and improvement purposes.
During the meeting, the information security policies are reviewed, and timely improvements and supplementary adjustments are made based on the current information security environment.
2. Information Security Policy:
(1) Maintain the confidentiality of information assets, ensuring access is authorized appropriately and protecting the privacy of information and business.
(2) Protect the integrity of internal business data, preventing unauthorized access and modification.
(3) Ensure business continuity by maintaining the availability of information services.
(4) Ensure that all information-related business activities comply with relevant laws and regulations.
3. Specific Management Measures:
(1) Information Security Management: Protect the company from threats or damage by securing data, networks, systems, and equipment, reducing environmental risks, and providing a secure and reliable operating environment.
(2) Information Security Organization: Oversee the implementation of information security management, develop the company's information security direction, strategies, and steps, and enhance the safety of company operations.
(3) Information Assets: Establish procedures for managing the disposal of information assets, including corresponding processes for deleting or destroying stored data, to prevent leakage of business or personal information and protect the company's information assets.
(4) Access Control: Develop access control regulations to ensure that access to company information operations is properly authorized and controlled, preventing unauthorized access and ensuring confidentiality, thus reducing the risk of unauthorized system access.
(5) Computer Information Control: Maintain the effective operation of computer information systems, including mainframes, application software, and information systems, and establish control procedures for employees.
(6) Software Validation and Control: Regularly revalidate software systems, or revalidate them within a specified period following modifications or updates to the original systems.
(7) Physical and Environmental Security: Implement environmental management in the office areas and information centers, and establish corresponding control procedures to protect information assets and the surrounding environment, reducing risks caused by environmental safety issues.
(8) Information Security Incidents: In the event of an information security incident or accident involving the company's information systems, assess the situation promptly and take necessary countermeasures and follow-up preventive actions, while establishing a comprehensive reporting and handling procedure.
(9) Business Continuity Management: Assess the operational risks caused by potential system interruptions, develop backup or recovery plans for information systems, and conduct regular drills.
(10) Legal Compliance: The company and its employees shall comply with all information security-related laws, regulations, and contractual obligations, as well as the company's information security standards.
4. Investment in Information Security Resources:
For important information security tasks, such as operating system or critical software upgrades for system servers and disaster recovery drills, the Information Security Department regularly reviews the planning and progress of execution. Information security awareness is promoted during company weekly meetings or via email. Additionally, through ad hoc engineering drills and information security health check services, the department assesses whether users' information security awareness is sufficient and whether there are vulnerabilities in the allocation of information equipment resources and in system configuration. Once the information security budget has been prepared, the planned tasks are executed.
5. Emergency Reporting Procedure:
When an information security incident occurs, the responsible unit reports it to the Information Security Department, which will assess the type of incident and identify the issues. Immediate actions will be taken, and records will be kept.
6. Participation in External Information Security Collaborative Defense Organizations:
The company has currently joined the Science Park Information Security Information Sharing and Analysis Center (SP-ISAC).
7. Execution Status for the Current Year (Year 113):
(1) A total of 11 information security awareness sessions were held.
(2) 2 information security announcements were made.
(3) 2 dedicated information security meetings were held.
(4) A disaster data restoration drill was conducted (outsourced to Dingxin Computer).
(5) The Information Security Department is staffed with 2 dedicated personnel, with 4 additional supporting staff from the IT Department.