Information Security
◎Information Security Risk Management Structure
According to the order from the Financial Supervisory Commission on 2023.12.28, the company has established the information security risk management structure, including setting up a dedicated information security unit, a dedicated information security supervisor, and a dedicated information security personnel, business report to the Board of Directors, and these informaiton has uploaded to the Taiwan Stock Exchange system for registering information security personnel of listed companies.
◎Investment of Information Security Resources
The company's investment in the field of information security in 2025 amounted to approximately $8.84 million NTD. It has set up a dedicated information security manager and a dedicated information security personnel, and held regular meetings once a month. The company has also joined TWCERT /CC (Taiwan Computer Network Crisis Management and Coordination Center) Information Security Alliance (Taiwan CERT/CSIRT Alliance) members to continue receive and share information security information to strengthen company information security.
01.Personnel management and information security education and trainings
- For the positions and tasks related to information, a security assessment shall be undertaken; for the personnel appointment and task assignment, the competency of personnel shall be prudentially assessed with the necessary appraisal.
- For the demands of different job categories, including management, sales, and information, the information security trainings and promotions shall be conducted regularly, to establish the security awareness of employees and improve the information security level.
- The head of each unit and officers at each level shall supervise their subordinators for the information operation security, and prevent the illegal and undue conducts.
02.Computer system security management
- Where the information operation is outsourced, the information security needs shall be researched and submitted in advance, the information security responsibility and non-disclosure requirements of contractors shall be specified in the contracts, to require the contractors' compliance and regular appraisals.
- The control system shall be established for any change to the system, and the records shall be established as well for the reference.
- Where any software is copied or used, the related regulations and contracts shall be complied with, and the management system shall be established for software use.
- To ensure the normal operation of systems, the necessary prior preventive and protective measure shall be taken, to detect and counter computer virus and other malware.
03.Cyber security management
- For the information system availing the external connection, technologies or measures at various security level, including data encryption, identification, e-signature, firewalls, and security fragility detection shall be applied depending on the importance and value of the data and system, to prevent the invasion, damage, alteration, deletion and unauthorized access of data and systems.
- The network points connecting to external networks shall be controlled for the data transmission and resource accessibility between external and internal networks with firewalls and other needed security facilities.
- Where any information is published or disseminated via the internet or worldwide web, the data security level assessment shall be conducted; data and document classified, sensitive, or personally private without consent of the involved parties, must not published online.
- The regulations of using e-mails shall be prescribed; the classified data and document shall not be transmitted via e-mail or other digital methods.
04.System access control
- The system access policies and the accesses of personnel at different level shall be specified, and such shall be informed to the employees and users for their related accesses and responsibility in writing, electronic means or other methods.
- For the resigned and retired personnel, all their access to any information resources shall be cancelled, and such cancellation shall be listed as a required procedure for resignation or retirement. Where any position is adjusted or rotated, the system access authorization requirement shall be complied with to adjust the access of the adjusted or rotated.
- To enhanced the security management of the operation systems, the system user registration management system shall be established, and the user’s password management shall be implemented. The update cycle for the password shall not exceed six months, as a principle.
- For these system service providers who maintain the system remotely, the security control shall be enhanced; the personnel roster shall be established to hold them accountable for the related security and confidentiality.
- To ensure the information security, the information security audit system shall be established, to conduct the information security audit regularly or from time to time.
05.System development and security maintenance management
- Where a system is developed in-house or in the manner of outsourcing, at the beginning phase of the system life cycle, the needs of information security demands shall be taken into account; the maintenance, update, onboard, and version change shall be controlled for security, to prevent any undue software, backdoor, or computer virus from endangering the system security.
- For the vendors’ personnel for building and maintaining soft- and hardware, the scope of systems and data accessible to them shall be regulated and limited; their accesses shall be cancelled immediate after their works are completed.
- Where any vendor is contracted to build and maintain key soft- and hardware, they shall proceed the works under the supervision of and by accompanied by the Company’s related personnel.
06.Information asset security management
- For the information assets defined as “software” and “hardware,” the lists and directories shall be established, including information such as the item, name, users of the asset for the management.
- For the information assets defined as “data,” the protection measures shall be prescribed.
- All hardware information assets storing “data” shall not be brought out of the Company as a principle. If the device is brought out due to malfunction or scrapping, the data shall be fully cleared to ensure the security of the classified and sensitive data.
07.Physical and environment security management
- For the placement, surrounding environment, and personnel access control of the information related equipment, the physical and environment security control measures shall be prescribed.
08.Planning and management of business continuity plan (BCP)
- The business continuity plans (BCP) shall be established, to assess the impacts from various man-made and natural disasters on the business operation, prescribe the contingency and recovery operating process and the authorities and accountability of related personnel. The BCPs shall be drilled, adjusted and updated periodically.
- To maintain the normal operation of business, an emergency handling mechanism shall be established for the information security incident. Shall any information security incident occurs, it shall be reported to the information unit or personnel and the responsive measures shall be taken. If needed, the law enforcement authorities shall be contacted for investigation.