Corporate Governance

Information Security Management Disclosure:
  1. Information security risk management framework
    The company has established a dedicated information security department, the "Information Security Management Department", at the support center, staffed with information security managers and responsible personnel. The department is responsible for formulating information security policies and management methods with reference to the ISO 27001 and CNS 27001 information security management system standards, implementing those methods, and continuously improving and eliminating deficiencies so that the policies and management methods are effectively implemented. The implementation results are regularly reported to the company's senior meetings to reduce operational risks.
    The Information Security Management Department maintains the confidentiality, integrity, availability and legality of the company's information and communication, and guards against the risks of human negligence, intentional damage and natural disasters, so that improper use, leakage, tampering, damage, disappearance, etc. of information, communication and information assets does not affect the company's operations or damage the company's interests. For this purpose, the department regularly conducts information security inspections and submits the inspection reports to the responsible supervisors for review. It also follows up on, tracks and reviews the improvement of the findings and problems raised by each inspection, to confirm that all internal and external personnel and units follow the company's information and communication security policies and information security management methods.
  2. Information and communication security policy
      • Implement information security management methods.
      • Avoid using unauthorized, illegal software.
      • Ensure that information and communication equipment and backups operate normally every day.
      • Perform complete backups to ensure disaster recovery and database restoration.
      • Keep detailed records of computer room entry and exit control to protect the physical security of the computer room.
      • To ensure that employees comply with information security regulations, all personnel must sign the information security commitment letter.
      • To ensure strict control of information and communication equipment, maintain computer room equipment abnormality records and a computer room equipment list.
      • Establish a rigorous disaster recovery process to ensure the timely recovery of information and communication services.
      • Implement an application process for information requirements and review the various information operations.
      • Apply network group control, distinguishing between internal and external network policies and limiting the scope of access.
      • Enforce strict account separation management to control authorized access.
      • Keep complete records of data destruction operations to prevent the company's sensitive information from leaking.
      • Join the information security information sharing and analysis organization to keep abreast of information security threats and weaknesses, and to prevent and respond to them in advance.
      • Regularly hold employee information and communication security education and training to enhance the information security awareness of all staff.
     
  3. Specific Management Plan
    To achieve the information security policy and objectives and to establish comprehensive information security protection, the company implements information security management matters and specific management plans as follows:
      • Use a next-generation firewall together with an international intelligence protection database for joint defense, and produce a network attack event report every day so that the personnel responsible for information security can take timely response measures.
      • Use the email service system of an international software giant, with guaranteed 99.99% service availability, together with a protection module that protects email and collaboration against the risks of zero-day malicious code, phishing and business email leakage.
      • Install advanced MDR anti-hacking software on information hosts and computers, entrust the vendor with 24-hour monitoring and protection, produce an information security report every month, and review recent information security events with the information security partner vendor every quarter.
      • In addition to regular backups, perform a disaster recovery drill for core information services every year to strengthen the ability of the personnel responsible for information security to respond after a natural or man-made disaster.
      • Perform account separation management according to each person's job responsibilities; special privileges require application, approval and backup. Regularly change personnel account passwords and require password complexity to reduce risk.
      • Regularly conduct information security education and training to enhance personnel's information security awareness.
      • Join TW-ISAC, the information security intelligence sharing organization of the computer network crisis handling and coordination center, to obtain information security early warning intelligence and information on information security threats and weaknesses.
     
  4. Resources for Information Security Management

Information security has become an important issue for the company's operation, and the corresponding information security management matters and resource allocation plan are as follows:
  Dedicated personnel: The company's "Information Security Management Department" is responsible for information security, with one full-time information security manager and one information security staff member, who are in charge of the company's information security planning, emergency response, incident handling, technology introduction and audit, to maintain and continuously strengthen information security and to complete the declaration of dedicated information security personnel for listed companies.

  Information security organization structure:


Customer satisfaction: No major information security incidents, no complaints of customer data loss.

Signing information security commitment: All employees and new employees have completed signing the information security commitment.

Information security announcement: One information security promotion was issued this year, conveying the relevant regulations and precautions for information security protection.

Information security awareness enhancement: For all employees, social engineering attack drills are conducted every year, and 172 employees participated in the drill in 2023.

Using the company's online learning platform and new employee orientation, comprehensive information security related education and training are implemented, and the total learning hours in 2023 reached 91.5 hours.

 
 
Intellectual Property Rights Management Project
 

The “Intellectual Property Rights Management Policy” has been established to encourage the company's employees to uphold and carry forward the concept of continuous innovation and work improvement, increase employees’ willingness to participate, protect business confidentiality and R&D results, maintain the ethics of industry and competition, and value and accumulate intellectual property rights so as to enhance the competitiveness of the company.


Patent Protection and Management

The company carries out patent deployment in line with its various technology research and development projects to enhance the company’s product value and profitability. Patents are divided into stages such as development and research, patent proposal, patent approval, promotion and application, and benefits evaluation. In addition, bonuses are given to patent proposers as encouragement and are listed as a reference for employee performance assessment to stimulate patent proposals. Application documents for intellectual property rights are reviewed and submitted with the assistance of professional patent law firms in order to increase the probability of approval by the Intellectual Property Bureau. During research and development, a patent law firm is also entrusted to conduct a patent search for related technologies, and patent deployment is carried out to reduce the risk of infringement.


Business Confidentiality Protection and Management

The company and all employees have signed the “Employment Contract,” among which, the regulations related to the protection of business confidentiality are as follows:

  • Employees shall keep and maintain business confidentiality with the duty of care of a good administrator.
  • Employees hired by the company shall not disclose or use any confidential information of their previous employers.
  • During an employee’s tenure, any business confidential information produced in relation to the job shall belong to the company.
  • After an employee resigns, he or she shall still comply with the obligation of confidentiality, shall not disclose any business confidential information, and shall not use the company’s business confidential information within one year; the company reserves the right to take legal action and claim compensation for its losses.

Implementation Status

The implementation status is as follows in 2023:

  • Held monthly meetings to review feasible technologies and convert them into patents or business confidential information in order to enhance the company’s intellectual property protection awareness and acknowledgment, and achieve the annual KPI target for intellectual property rights.

As of the end of 2019, the achievements of the company’s intellectual property rights are as follows:

  • The company has reported the issues related to intellectual property to the board of directors on November 6, 2023. A total of 18 new patents will be added in 2023.

Contact Information

Spokesman
Acting Spokesperson
Stock Agency
  • KGI Securities
  • 5/F, No. 2 Chung Ching South Road, Section 1, Taipei, Taiwan, ROC
  • Tel: +886-2-23892999
  • Fax: +886-2-23891878