Information security risk management

Information and communication security risk management architecture

  1. The Company's "Cybersecurity Management Office" is responsible for formulating internal cybersecurity policies, planning and implementing cybersecurity operations, and promoting and enforcing cybersecurity policies.
  2. The Company's Audit Office is the auditing unit for cybersecurity supervision. If deficiencies are found during audits, the audited unit will be immediately required to submit relevant improvement plans to the Board of Directors, and the effectiveness of improvements will be regularly tracked to reduce internal cybersecurity risks.
  3. Organizational operation model: PDCA (Plan-Do-Check-Act) cyclical management is adopted to ensure reliability, goal achievement, and continuous improvement.

Cybersecurity Policy

  1. Maintain the continuous operation of all information and communication systems
  2. Prevent hacking, virus intrusion, and damage
  3. Prevent unauthorized and illegal use by human agents
  4. Prevent the leakage of sensitive information
  5. Avoid accidents caused by human error
  6. Maintain the security of the physical environment

Resource investment in information and communication security

The "Cybersecurity Management Office" is staffed with a dedicated cybersecurity supervisor and one staff member who concurrently serves in the company's IT department. They review cybersecurity management quarterly. Each quarter, the IT department also reviews and plans the implementation of critical cybersecurity tasks, such as operating system or critical software upgrades for mainframes and disaster recovery drills. Through unscheduled cybersecurity health checks, they assess IT equipment resources and system configurations for vulnerabilities and allocate the cybersecurity budget accordingly. Furthermore, they have signed cybersecurity protection agreements with judicial authorities to establish a collaborative cybersecurity defense mechanism.

Emergency notification procedure

When an information security incident occurs, the unit in which the incident occurred shall notify the IT Department, determine the type of incident and identify the problem, handle it immediately, and keep a record.

Specific Management Plan for Information and Communication Security

Computer equipment security management
  • Our company's mainframe computers, application servers, and other equipment are all located in a dedicated server room, and access records are maintained for future reference.
  • The server room is equipped with independent air conditioning to maintain a suitable temperature environment for the computer equipment; and chemical fire extinguishers are available for use in general fires or fires caused by electrical hazards.
  • The server rooms are equipped with uninterruptible power supplies (UPS) and voltage regulators to prevent system crashes caused by unexpected power outages, or to ensure that computer applications will not be interrupted during temporary power outages.
Network security management
  • The entry point for connecting to the external network is equipped with an enterprise-grade firewall to block unauthorized intrusion by hackers.
  • Employees accessing the ERP system remotely via the company intranet must apply for a VPN account and log in securely through the VPN. All usage is recorded and auditable.
  • Internet access management and filtering equipment is configured to control internet access, blocking access to harmful or policy-restricted web addresses and content, enhancing network security and preventing unauthorized use of bandwidth resources.
Virus protection and management
  • Both the servers and the client terminal computers are equipped with endpoint protection software. Virus definitions are updated automatically to ensure that the latest viruses are blocked, and the software can detect and prevent the installation of potentially threatening system executables.
  • The email server is configured with email antivirus and spam filtering mechanisms to prevent viruses or spam from entering the user's PC.
System Access Control
  • Colleagues' access to various application systems follows the company's internal system access application procedure. After approval by the responsible supervisor, the IT department creates a system account, and the respective system administrator authorizes access according to the requested functional permissions.
  • Account passwords must be set with appropriate strength and length, and must contain a mixture of alphanumeric characters and special symbols in order to be accepted.
  • When a colleague completes resignation/retirement procedures, the IT department will delete the relevant system accounts based on the HR resignation notice.
Ensure the continuous operation of the system
  • System Backup: A distributed backup system is established, employing a daily backup mechanism. Backup data is stored in each of the remote computer rooms, and a backup system is also established in a remote location to ensure system and data security.
  • Disaster Recovery Drills: Each system conducts a drill annually. After a restore-date baseline is selected, the backup media is restored to the system host. The user unit then confirms the accuracy of the restored data in writing, verifying the correctness and effectiveness of the backup media.
  • Two data lines are leased from the telecommunications company. Through bandwidth management equipment, the two lines are connected in parallel for mutual backup, ensuring uninterrupted network communication.
Cybersecurity awareness and training
  • Reminder and Promotion: Require colleagues to change their system passwords regularly to maintain account security.
  • Cybersecurity Promotion: Provide cybersecurity case studies for colleagues' reference.
