Information Security Management

As technology develops, the information security risks faced by enterprises increase day by day, and the company pays close attention to this issue. To strengthen information security management, to protect the security of the company’s computer data, systems, equipment and networks, and to prevent the improper use, leakage, alteration or destruction of information assets through human negligence or deliberate sabotage, which could disrupt the normal operation of computer systems or damage the company’s operations, the company has formulated an “Information Security Policy” for all colleagues to follow. The policy is also promoted from time to time to raise employees’ awareness of information security.

Management Framework

The company designates the IT department as the information security unit. The supervisor of the IT department concurrently serves as the company’s chief information security officer and is supported by one information security staff member; together they are responsible for the maintenance and management of information security. They regularly evaluate the appropriateness and effectiveness of the information security policies, draw up plans to strengthen protection measures and reduce information security risks, take ISO 27001 as the benchmark for information security management, and, in the spirit of PDCA, continue to implement information infrastructure and information security measures to ensure the Security, Integrity and Availability of the company’s important information.

The IT department carries out routine information security inspections and submits inspection reports to the responsible supervisor for review and verification. The status of the findings and issues raised in such inspections shall be understood, tracked and verified to confirm that the information security policy is complied with by the related internal and external personnel and units.

The company conducts internal audits and specific audits of its information and communications security inspection items in accordance with the annual audit plan. The audit results are submitted to the Board of Directors and also reported to the chairman monthly or as needed, so that management is informed of the operating status of the internal control functions, understands existing or potential issues, and can make the necessary improvements.

Specific Management Scheme

The company has not purchased information security insurance, but the following specific management schemes are applied to minimize information security risks. The company believes and expects that these efforts will enhance its information technology and ensure information security, thereby improving the company’s operating results and promoting the interests of all shareholders.

Respect for Intellectual Property
Use of the company’s network resources and information assets requires respecting intellectual property rights and avoiding the following behaviors that may infringe on them:
  • Use of unauthorized computer software.
  • Illegal downloading or copying works or software that are protected by copyright laws.
  • Uploading copyright protected works to a public website without the consent of the copyright owner.
  • Reposting articles published in internet discussion forums when the author has expressly forbidden reposting.
  • Setting up a website that allows the public to download protected works illegally.
  • Other behaviors that infringe on intellectual property rights.
Authority Control over the Information System
  • Access is controlled through the Information Service Request Form: any modification to the system shall be approved by the requester’s immediate supervisor and by the head of the IT department, reducing the risk of unauthorized modification of data.
  • Users are granted only the functions that correspond to their assigned authority; users of one system have no authority to use a system unrelated to their business.
Security Control of the Account Passwords
  • Each user shall have his/her own account and password. When an employee departs or transfers, his/her account shall be deleted or reassigned.
  • User passwords shall be changed regularly to reduce the risk of unauthorized use.
Regulations Governing the Use of the Internet and Email
Users shall not engage in the following behaviors:
  • Spreading a computer virus or any other program that may interrupt or damage system functions.
  • Using internet resources or email to release official company information externally without permission.
  • Hacking, impersonating the account and password of others, or lending one’s own account to others without justifiable reason.
  • Abusing internet resources in any way, such as sending mass unsolicited marketing materials, chain letters or useless messages via email, flooding mailboxes, or hogging resources in ways that affect the normal operation of the system.
  • Conducting fraudulent or illegal transactions; using defamatory, insulting, obscene, harassing or discriminatory language in messages; or distributing illegal software via e-mail, online chats, bulletin board systems (BBS) or similar functions.
  • Any use not expressly regulated herein is also prohibited if it may endanger the company’s information assets or information security, or if it violates the laws of the country.
Regulations governing the Use of Information Assets
  • Whenever company information equipment or a personal device is used for work, the latest version of the virus protection software issued by the company shall be installed, and its virus definitions shall be updated regularly.
  • The IT department publishes information security notices from time to time, such as system software update notices and introductions to common viruses and how to prevent them, to ensure that employees are aware of relevant information.
  • Necessary data shall be backed up regularly.
Data Protection Mechanism for Information System and Server Room Management
  • Documents of different classes are controlled by the principle of divisional authorization, and the document management system enforces access security according to the level of confidentiality, such as prohibiting download, printing or copying of content.
  • Routine data backup is performed by the IT department, which backs up the data files of all application systems and fills out the Server Backup History Table as the backup record; the backed-up data is stored offsite in case it is needed.
  • The server room shall be equipped with access control, and the server equipment shall be protected by appropriate measures against fire, flooding and theft; an uninterruptible power supply is installed to prevent damage caused by power interruptions.
Manual governing the Emergency Contingency Response and System Restoration
  • When an abnormal incident occurs on a computer server, users shall be notified immediately to log out and the data backup operation shall be carried out.
  • When the system must be restored after an abnormality, a system restoration plan shall be prepared by the user with the help of the information personnel, achieving the following objectives:
    • Cut off the source of the disaster as soon as possible to limit its scope.
    • Restore the operation of the equipment as soon as possible.
    • Use the backup device or media to carry out the system restoration.
    • Notify users to re-enter data generated between the last backup and the incident.
  • The system restoration plan shall be rehearsed, tested and revised from time to time to ensure that restoration can be completed as quickly as possible.

Incident Handling Process, Response Measures and Daily Prevention and Protection for Information Security Incidents

Responses are established for each phase, as follows:

  • Security Prevention: Establish prevention, contingency and restoration plans and protection measures covering the software and hardware, the environment, and personnel training for the system equipment.
  • Emergency Response during the Incident: In the event of an intrusion or attack, activate the emergency response plan promptly to minimize the damage caused by the incident.
  • Restoration after the Incident: Review the existing protective measures, carry out the restoration and reconstruction work, and remediate the weaknesses in the existing security mechanisms and related contingency plans in a timely manner.

Response Procedure for Security Incidents:

  • Inform the Information Unit promptly so that it can handle the incident.
  • The Information Unit judges whether the event is an information security incident, classifies it as an internal security incident, an external intrusion, a natural disaster or a catastrophic emergency, and determines the response methods and procedures.
  • The reporting level is determined based on that judgment, and damage control appropriate to the type of incident is carried out to reduce the degree and scope of impact and to resolve the problem thoroughly.
  • Restore the system to the normal state of operation it had before the incident, review the handling of the incident, and establish related preventive measures.

Daily Protection

  • Promotion and education training shall be emphasized in order to increase employees’ awareness of information security risks.
  • The network security level shall be adjusted and equipment acquired from time to time in accordance with the current situation.