Corporate Sustainability
Information security management
The following is a description of the company's information security risk management framework, policy, management strategy, and resources invested in information security management:
In light of cybersecurity risks, our company has already implemented an 'Information Security Management Framework' and has developed information security policies and detailed management plans.
In our information security policies, we prioritize maintaining confidentiality, integrity, availability, and legal compliance to ensure the security of each department's business operations. Our goal is to raise awareness of security protection and ensure that outsourced information and communication systems or services align with our objectives. We have developed concrete management plans, including database backup encryption, email sandbox detection and filtering mechanisms, and the implementation of the 3-2-1 principle to protect core data.
Organizational structure of information security 
Information Security Policy 
A. Purpose:
When conducting business, each unit must assure the confidentiality, integrity, availability, and legal compliance of information.
- Confidentiality: Ensure that authorized personnel have access to the information.
- Integrity: Ensure the accuracy and reliability of the information.
- Availability: Ensure that authorized personnel have access to the required information.
- Legal compliance: Ensure that relevant laws and regulations are followed in the setup or operation of the information and communication system.
B. Target:
- Every year, the key items of the information security inspection should be completed, and the associated risks should be reduced.
- Improve data security awareness, strengthen detection capabilities, and defend against internal and external threats.
- Ensure that all measures and settings for outsourcing the construction, maintenance or service of the information communication system meet the requirements of the purpose.
C. Responsibility:
- Personnel in each business unit whose work involves contact with or use of information system services should thoroughly understand the purpose and objectives of the information security policy, as well as the relevant information security management rules.
Specific management plan 
1. Check all network devices, close communication ports that are open by default or unused, and reduce vulnerabilities caused by defects.
2. For remote device management, the default port can be changed or source-address connection rules can be set.
3. The firewall rules for each node should clearly define the source, the purpose, and the class of service.
4. Install an endpoint protection and control center to double-check that definitions and event logs are updated.
5. To limit the risk of email infection, combine an external email filtering method with endpoint protection scanning.
6. Database anti-encryption backup and backup configuration.
7. Important data is centrally managed, with permissions set, and is backed up and stored.
Implementing Principles 
To ensure the continuity of information security, information security management operations should follow the cycle of planning, execution, inspection, and continuous improvement, while also taking into account laws and regulations, technological evolution, and existing environmental resources, so that additions and reviews are appropriate and security-compliant.
Investing resources in security management
- In October 2023, we added a dedicated security supervisor and security personnel to improve the implementation of our specific information security plans.
- In March 2024, we became a member of the Taiwan Computer Network Crisis Response and Coordination Center (CERT_CSIRT) alliance. This membership allows us to exchange security intelligence and proactively prevent potential threats, thereby enhancing our security defenses.
- We plan to deploy MDR/EDR-related products to enhance endpoint protection and data protection.
- Periodically use current events as examples to promote information security and conduct two education and training sessions in this fiscal year. The sessions will have a total of 240 participants and will last for 5.5 hours each, aiming to enhance employees' awareness of information security.
- In response to the recent incidents of new types of attacks, the personnel responsible for information security have held meetings to discuss the emerging attack techniques, as well as the reported incidents and documents, and have promptly made adjustments to our defense measures.
Agenda for the Important 
| Date | Meeting Content |
|---|---|
| 2023/07/03 | Information on Internal Control Cycle Meeting |
| 2023/10/23 | Establishment of Information Security Manager, Responsible Personnel, and Discussion on Relevant Regulations |
| 2023/11/15 | Discussion on the Implementation Plan for Information Security Policy |
| 2023/11/20 | Plan for Maintaining the Security of Personal Data Files in the Retail Industry |