Information security management

 

(I) Describe the information security risk management framework, the information security policy, the specific management plan, and the resources invested in information security management.

  1. Information security risk management framework: The Company's information security risk management team is composed of the Assistant Vice President of the President's Office, IT personnel, and internal auditors, and reports to the Board of Directors on a regular basis.
  2. Information security policy: To ensure sustainable operation and maintain information security, the Company has established an information security organization and related management measures and rules, and supervises and monitors the implementation of related operations and equipment in order to detect exceptions in advance and to avoid and control any damage.
  3. Specific management plan and resources invested in information security management: Join information security information sharing platforms, including ISAC and TWCERT. In addition to regular information security inspections, cooperate with internal and external auditors to include information security inspections in the annual audit plan.

Internet Control

  • Install a firewall.
  • Install SPAM, a mail filtering protection platform, to effectively reduce the risk of various mail attacks.
  • Install anti-virus software in computer equipment, and regularly scan computer systems and data storage media for viruses.
  • Use various network services pursuant to the information security policy.

Data Access Control

  • Designate specified persons to keep computer equipment, and set user names and passwords.
  • Grant different access authorities based on functions.
  • Revoke the authorities of any person rotated to another position.
  • Duly approve remote access to an information system.

Backup Recovery Mechanism

  • Establish system backup mechanisms for all important systems, and implement remote backup.
  • Conduct system recovery drills regularly every year.
  • Regularly review computer network security control measures.
  • Establish the Information System Emergency Recovery Plan.

The Company does not yet need to obtain any international certification for its information security policy or specific management plan. Currently, based on the information security risk appetite identified by the Company's risk management team, insurance against information security risks is not yet needed.

However, in its commitment to information security management, the Company has continuously enhanced its information security protection and holds disaster recovery drills regularly every year. Moreover, the team members continually update their knowledge of information security management to strengthen their professional competence and stay on top of information security issues.

The Company spent a total of NTD 1,578 thousand on information security in 2023, and has effectively established protections and prevented various information security risks.

(II) List the losses suffered as a result of major information security incidents in the most recent year and as of the date of the annual report, the possible impact thereof, and countermeasures. If it is impossible to estimate reasonably, specify the facts: None.