Information Security Risk Management Framework

The Information Technology Department operates as an independent department and is not subordinated to any user unit. It is responsible for planning and executing information security policies, promoting information security awareness, enhancing employees’ security knowledge, and continuously collecting and improving the effectiveness of information-related technologies and procedures.

The Department is responsible for the management of network security, information and data security, data center security, email security controls, and information system access and authorization management.

Internal and external audits review internal information security implementation at least once a year, and an information security status report is presented to the Board of Directors at least once a year.


Information Security Policy

  • To ensure that information services are provided in a stable manner and that business operations can continue without disruption.
  • To ensure the confidentiality, integrity, and availability of information assets under custody, and to protect personal data and privacy.
  • To establish information business continuity plans and ensure information-related operations comply with applicable laws and regulatory requirements.

Specific Information Security Management Measures

The Company has implemented the following key information security risk management measures, which have effectively protected information security:

| No. | Item | Specific Management Measures |
|-----|------|------------------------------|
| 1 | Firewall Protection | Firewall connection rules are configured and enforced. Special connection requests require prior application and approval before access is granted. |
| 2 | Antivirus Software | Antivirus software is deployed and virus definitions are automatically updated to reduce the risk of malware infection. |
| 3 | Operating System Updates | Major and security updates for operating systems are centrally managed through an automatic update system and automatically deployed to company computers. |
| 4 | Email Security Controls | Email systems are configured with automatic threat scanning and filtering to block unsafe attachments, phishing emails, spam messages, and malicious links before users receive them. |
| 5 | Data Backup Mechanism | All critical information system databases are backed up daily, with off-site backup arrangements in place. |
| 6 | Critical File Server | Important departmental files are centrally stored on company servers to ensure unified management and protection. |

Implementation Status

  1. The Company implemented the ISO/IEC 27001:2013 Information Security Management System in 2022 and passed certification on December 19, 2022. Surveillance audits were successfully completed on November 17, 2023, and November 19, 2024. In 2025, the system was upgraded to ISO/IEC 27001:2022, and certification was obtained on September 9, 2025. The certification is valid until December 18, 2028.

  2. To date, there have been no significant information security incidents resulting in material business losses.

  3. Information security meetings are convened on an ad hoc basis to discuss relevant issues. An information security status report was presented to the Board of Directors on December 18, 2025.

  4. The Company will continue to implement information security management policies and objectives, and will regularly conduct disaster recovery and business continuity drills to safeguard critical systems and data.


Resources Invested in Information Security Management

  1. In accordance with the ISO/IEC 27001 international information security standard, the Company has established relevant information security policies and procedures, including information security education and training as well as business continuity exercises. These measures enhance employee awareness and effectively reduce risks of improper use, leakage, alteration, or damage to information assets arising from human error or natural disasters.

  2. In 2025, general employees completed three hours of information security training, while information technology personnel completed at least four hours of specialized information security training.

  3. The Company’s information security-related budget investment in 2025 amounted to approximately NTD 697,271.