Information Security Management
As technology develops, the information security risks faced by enterprises increase day by day, and the Company treats this issue as a priority. To strengthen information security management; to protect the security of the Company's computer information, data, systems, equipment and networks; and to prevent the improper use, leakage, alteration or destruction of information assets through human negligence or deliberate sabotage, which could disrupt the normal operation of computer systems or damage the Company's operations, the Company has formulated policies that all colleagues must follow. It also promotes these policies from time to time to raise employees' awareness of information security. Please refer to the Information and Communication Security Management Policy.
Management Framework
The Company has established a top-down governance framework to oversee information security management and ensure accountability, transparency, and effective risk oversight.
- Information Security Committee
Chaired by the President and composed of senior leaders from relevant departments, the Committee meets annually to review strategy, assess risk posture, and monitor the effectiveness of security initiatives.
- Chief Information Security Officer (CISO)
Held by the Head of the IT Department, the CISO is responsible for coordinating information security management, reporting on risk conditions, and supporting continuous improvement efforts.
- Supporting Teams
- Cyber Incident Response Team: Handles incident reporting, containment, investigation, and recovery, and conducts periodic exercises.
- Security Management Team: Oversees daily security operations, training, policy implementation, and audit follow-up.
- Internal Audit Team: Conducts audits, evaluates compliance, and provides recommendations for improvement.
Cyber security policies
The Company's Cyber Security Policy covers:
- Information Risk Management: Identify information assets and their potential risks on a regular basis to ensure the security of critical business systems.
- Access Control: Apply the principle of least privilege so that only authorized personnel have access to information.
- System and Network Security: Implement intrusion detection and defense mechanisms to prevent unauthorized access.
- Cybersecurity Training: Hold annual employee cybersecurity awareness activities to strengthen prevention capabilities.
Data Breach Handling Measures
- Report to the internal security team for impact assessment.
- Take necessary technical measures to prevent leaks, such as disabling accounts and blocking affected systems.
- Provide detailed reports to the authorities and affected customers.
Response to Malicious Software Attacks
- Activate malware isolation mechanisms to prevent internal infection.
- Require affected devices to have the operating system reinstalled and security patches applied.
- Analyze the incident to enhance security defense capabilities.
Concrete Management Programs and Investment in Resources
Management Mechanism
The company has established a clear cybersecurity incident reporting mechanism to ensure prompt response and minimize impact.
| Level | Type | Impact | Response Measures |
|---|---|---|---|
| I | Suspicious activity, phishing emails, single device malware infection | Affecting a single user | Internal logging, analyze root cause, ensure event traceability |
| II | Multiple account anomalies, small to medium-sized DDoS, unauthorized internal access | Affecting some systems | Activate emergency protocol, isolate affected systems, and report to management. |
| III | Critical system attacks, ransomware, data breaches | Affecting core operations | Implement Business Continuity Plan (BCP) and report to the authorities. |
| IV | Nation-state attack, massive data breach | Affecting the entire enterprise | Activate crisis management plan, report to regulatory agencies, and respond fully. |
Employee Cybersecurity Awareness Enhancement
Our company actively promotes cyber security education to ensure all employees have basic security knowledge and risk response capabilities.
- New employees: must complete the information security foundation training course.
- All employees: take security training at least once a year, including simulated phishing email tests.
- High-risk departments (such as IT, finance, HR): must take additional advanced security courses.
In 2024, we held a comprehensive security awareness training course for all employees, totaling 382 hours. The course covered social media safety, case studies, and email security guidelines, and the content was made available on our E-learning system for employees who missed the training.
Cybersecurity Investment and Infrastructure
The company continues to invest resources to strengthen information security management, including:
- Strengthening firewall and network security monitoring mechanisms.
- Conducting regular penetration tests and vulnerability scans to verify system security.
- Adding multi-factor authentication (MFA) to the email system to enhance access security.