Information Security Policy

Cybersecurity Risk Management Framework

  • The Company’s information division, in accordance with legal requirements, has appointed a dedicated information security officer and information security personnel, and has established an Information Security Management Organization responsible for cybersecurity management, policy formulation and promotion, as well as the planning, implementation, and handling of related security matters. The dedicated information security officer reports to the Board of Directors at least once a year.
  • Information regarding cybersecurity management in 2015 was reported to the Board of Directors on 2015/11/7.


Information Security Policy

  • The Company’s information security policy is to continuously improve and strengthen its information security management; ensure the confidentiality, integrity, and availability of its information assets; comply with relevant laws, regulations, and contractual requirements; and establish and maintain a secure, reliable information environment that supports continuous business operations, thereby protecting information assets from intentional or accidental internal and external threats.


Information Security Objectives

  • Ensure that all of the Company’s information operations comply with applicable laws and regulations.
  • Ensure that all personnel understand their information security responsibilities, protect information assets, and reduce the risk of information security incidents.
  • Ensure the confidentiality of the Company’s information assets by implementing access controls, so that information can only be accessed by authorized personnel.
  • Ensure the integrity and accuracy of the Company’s information operations management, preventing unauthorized modifications.
  • Ensure the continuity of the Company’s information operations in accordance with the required operational service levels.


Information Security Organization


Specific Management Plan


To achieve the information security policy and objectives, and to establish comprehensive cybersecurity protection, the following specific management plans are implemented:

  • The Company obtained ISO 27001 international information security management system certification on January 13, 2025.
  • Strengthen management of external visitors and their devices to reduce the risk of unauthorized external devices connecting to the Company’s network.
  • Strengthen account and permission management (AD, Exchange, VPN).
  • Enhance cybersecurity defenses by regularly conducting staff information security training and issuing security notifications, so that security awareness becomes part of daily practice and information security risks are reduced.
  • Conduct regular social engineering exercises to raise employees’ awareness in daily operations and collectively maintain information security.
  • Conduct regular vulnerability scans of computers and remediate the findings to strengthen internal endpoint protection.


Resources Allocated to Information Security Management

  • ISO 27001 Certification
    1. The Company officially obtained ISO 27001 international information security management system certification on January 13, 2025. The Company’s information security policies and control processes comply with international standards.
    2. Certificate Validity Period: January 13, 2025 – January 12, 2028
  • Vulnerability Scanning and Social Engineering Protection
    1. One vulnerability scan was performed, detecting a total of 27 potential risks on servers and network devices; all 27 findings have been remediated (100% completion rate).
    2. Four social engineering exercises were conducted, simulating a total of 1,200 phishing emails. The overall click rate fell from 23% in the first exercise to 1%, demonstrating a significant improvement in employees’ information security awareness.
  • A total of three information security training sessions were conducted, with a cumulative attendance of 156 participants. The training covered:
    1. Information Security Policy and Employee Responsibilities
    2. Password and Account Management Practices
    3. Phishing Emails and Social Engineering Identification

ISO 27001 Certificate