• Information Security Policy and Objectives

  Our company is firmly committed to protecting the privacy and security of customer and shareholder data. Our information security policy clearly defines our commitment to safeguarding customer information. The company’s information security objectives include ensuring data confidentiality, integrity, and availability, as well as complying with applicable privacy regulations and standards. The company has appointed an information security officer and a dedicated security specialist (a total of two individuals) responsible for overseeing and implementing these policies. As of 2023, eight security meetings have been held.

• Information Asset Classification and Assessment

  We actively classify and assess information assets to ensure that appropriate protective measures are applied to different categories of information. The sensitivity level of information affects how it is processed and stored, closely aligning with business processes.

• Information Security Architecture

  Our information security architecture includes key components such as network security, authentication, access control, encryption, security monitoring, and threat detection. These technologies and measures provide comprehensive protection for our information assets. On April 25, 2022, we obtained ISO27001:2013 certification, and we conduct annual verifications to ensure its validity, reflecting the company’s strong commitment to information security.

1. Risk Management and Compliance

   We actively manage risks through risk assessment and risk response planning to mitigate potential information security risks. The company ensures compliance with regulations such as the Personal Data Protection Act and continuously monitors compliance.

2. Employee Training and Awareness

   Our company is committed to employee education on information security best practices, providing at least two hours of training annually. In 2023, a total of 90 employees participated in training, achieving a 100% participation rate. Training covers handling sensitive information, password management, and preventing social engineering attacks. Employees are also informed on how to report information security issues.

3. Security Incident Response

   Our security incident response plan enables us to promptly detect, report, and respond to security incidents. We take proactive measures to prevent future risks, ensure the effectiveness of data backup and recovery mechanisms, and establish transparent reporting protocols for security incidents to safeguard the rights of shareholders and stakeholders. To date, no major cybersecurity incidents have occurred.

4. Partner and Supplier Management

   Managing relationships with partners and suppliers is part of our information security strategy, especially regarding data sharing and processing. We conduct regular third-party risk assessments to ensure data protection.

5. Performance Measurement and Metrics

   We utilize various performance metrics to evaluate our information security policies, including security incident rate, employee training participation rate, and security vulnerability remediation time. This data helps us continuously improve our security measures.

6. Annual Information Security Review

   Each year, we conduct an annual information security review to assess the effectiveness of our security policies and practices and ensure alignment with the latest standards. This review allows us to evaluate the efficacy of our security architecture.

7. Future Development and Trends

We will continue to closely monitor future developments and trends in information security, adjusting our strategies to address emerging threats and challenges. We are also committed to actively participating in industry compliance initiatives.