Information Security Management

Information Security Management Strategy and Structure

With the advancement of the internet, various hacking tools and malicious software are evolving rapidly, and incidents such as ransomware and other cyberattacks occur frequently. This highlights that information systems cannot be entirely protected from targeted cyberattacks by third parties. These attacks may infiltrate internal company networks through phishing emails, software vulnerabilities, brute-force attacks, and other means, aiming to cause damage or steal data. The Company has developed relevant policies, organizational structures, and procedures in response to information security risks, in order to reduce operational risks.

Management Unit

In light of the importance of information security, the Company has established corresponding security policies and standard procedures. The responsible management units are required to submit monthly written reports to the General Manager detailing the governance and implementation status of information security from the previous month.

Information Technology Division
  • Formulation of information security policy
  • Formulation of standard operating procedures that comply with laws and regulations

Owner Unit

The department responsible for information security is the Information Technology Division. It includes the Information Security and System Engineering Department, staffed by a manager and several professional IT engineers. This team is responsible for planning, executing, and promoting information security management tasks, as well as raising awareness of information security.

Information Security and System Engineering Department
  • Information security education and training
  • Implementation in accordance with standard procedures using the latest information technology

Supervisory Unit

Internal auditing of information security is conducted by the Auditing Office, while external audits are performed by certified public accountants. Regular internal and external audits are carried out to ensure ongoing improvements and to minimize information security risks.

Auditing Office/Third-party Audit
  • Periodic audit of implementation outcomes to review and request improvement of deficiencies

Information Security Policy

Enhancing Information Security Awareness

Raising the overall level of information security awareness and building an information security environment to protect the Company's intellectual property, protect company interests, and ensure the continuity of each unit's information systems.

Ensuring Confidentiality

Ensure the confidentiality, integrity, and accessibility of the Company's trade secrets and operating information as well as boost operating performance and quality.

Ongoing Research and Development

Continued investment in the research and development of advanced technologies represents a critical part of the Company's competitiveness. An increasingly hostile network environment means that the protection of confidential data is now the joint responsibility of all Company employees.

Information Security Task Force

The Company has established an information security task force to build consensus on, and strengthen the protection of, information security through cross-departmental integration.

Information Security Management

  • To ensure the security of the Company’s trade secrets and other confidential information, the Company has established comprehensive information security management policies, including Information Security Management Regulations, password principles, email usage guidelines, backup management guidelines, a system recovery plan, and software management regulations. The Company continues to strengthen inspections and evaluations of its network and system architecture in order to enhance and reinforce the protection of both hardware and software security systems. In addition, to ensure the integrity of information security, the Company has joined the cybersecurity information-sharing and incident notification network of TWCERT/CC (Taiwan Computer Emergency Response Team / Coordination Center). The Company has also established an internal information security awareness section and promotes cybersecurity awareness through regular training programs, ad-hoc announcements, and periodic social engineering simulation exercises to foster proper information security awareness and behavior among employees. In 2025, the Company engaged an external cybersecurity team to conduct penetration testing to strengthen defenses against identified vulnerabilities, and continues to refine its whitelist-based outbound email management policies to reduce the risk of data leakage and enhance the Company’s overall information security defense capabilities.
  • To ensure preparedness for major unforeseen disasters, the Company conducted off-site backup drills and information security incident response drills in 2025 in accordance with its Information Security Incident Management Procedures and Off-site Backup Plan.

Specific Information Security Control Measures

  • The Company adopts multi-layer firewall protection to restrict external access and reduce the risk of exposing its information systems to external networks. Internal and external networks are separated to isolate the Company's critical information environment.
  • Security threats are blocked through firewalls, email filtering systems, Trojan and virus detection mechanisms, endpoint protection systems, and multi-factor authentication. Internally, regular vulnerability scans and patching are conducted, while compliance audit software is used to track and manage internal IT equipment to ensure devices are not compromised.
  • For data security, local and off-site backups are performed periodically for key systems and data in accordance with internal policies. Data is encrypted to reduce the risk of damage and to protect the Company's critical information environment, lowering the likelihood of business disruption caused by external network intrusions. Mechanisms are in place to prevent internal data leakage and collect access logs. Empirical rules are applied to identify suspicious behavior, enabling real-time analysis and alerts to immediately block potential data leaks and ensure uninterrupted business operations.

Confidential Information Management

  • The Company places great importance on the protection of confidential information. In addition to managing trade secrets and confidential data in accordance with relevant procedures, employee training is also implemented to safeguard the interests of stakeholders. For the management of confidential information involving the Company, clients, and suppliers, in addition to relevant information security regulations, the Company has also established the following: Personnel Management Guidelines, Non-Disclosure Agreements, a Product Development Management System, and Strategies for Top-Secret Projects.
  • In 2025, the Company received no complaints regarding customer privacy violations and experienced no information security incidents involving the leakage of confidential information.

Personnel management regulations

Includes non-disclosure agreements for employees upon hiring and separation, as well as implementation of strict access controls.

Non-Disclosure Agreements

Signing of non-disclosure agreements with clients and suppliers (contracts, declarations) as well as enforcement of confidentiality rules.

Product Development Management System

All product development is conducted in accordance with the product development process and supported through the "Product Development Management System." Different permissions for personnel in different roles at each stage ensure both the rigor of the product development process as well as the security of project information.

Top-Secret Project Strategy

For highly confidential client-specific projects, the Company has developed management procedures for handling client confidential information and established restricted areas with complete isolation of personnel, IT equipment, and information files. All data in these areas is further protected through encryption zones to ensure there is no risk of data leakage.

Investments in Resources for Cyber Security Management

In order to implement the principles of the cyber security policies, the following resources are invested:

Hardware devices

Firewall, mail anti-virus, spam filtering, Internet behavior analysis and intrusion prevention, etc.

Software systems

Endpoint protection system, backup management software, file auditing, multi-factor authentication, privileged account management, compliance security and data breach protection.

Telecommunications services

Multiple-line backup, prevention of distributed denial-of-service (DDoS) attacks, etc.

Regular Execution

Daily system status check, weekly backup and implementation of backup media off-site storage, at least two information security awareness sessions every quarter, annual drill of system disaster recovery implementation, and annual internal and external auditing of information cycle, etc.

Cyber security manpower

One cyber security supervisor and several cyber security personnel, responsible for cyber security structure design, cyber security maintenance and monitoring, cyber security incident response and investigation, cyber security policy review and amendment, and monthly cyber security status report to the President by the cyber security supervisor.

Cyber Security Management Performance

  • To ensure the direction and suitability of the information security policy, the Company has established a dedicated information security unit responsible for formulating information security policies and objectives, implementing information security management plans, and regularly reviewing the policies. The Company reports the status and results of its information security management to the Board of Directors on an annual basis. The most recent report to the Board was submitted on August 5, 2025.
  • To enhance employee awareness of information security, in addition to regular information security awareness campaigns, unannounced social engineering exercises are conducted at irregular intervals each year. The results of these exercises are reviewed and improved upon to strengthen the information security awareness of each unit and employee.
  • To continuously enhance information security management, in addition to establishing regular review and exercise mechanisms, the Company also supervises dedicated information security personnel to participate in professional training and obtain international certifications covering areas such as information security management, penetration testing, and privacy protection. Through a structured education and certification program, the Company ensures that the information security team possesses diverse professional capabilities and continuously strengthens overall defense capabilities to address rapidly evolving information security risks.
  • The Company has effectively implemented information security management, and the implementation results of its information security measures in 2025 are summarized below:
Policy
4 Specifications
  • Amended 4 information security–related SOPs: 001/002/011/017

Communication / Drills
16 information security education sessions
  • Publish monthly information security communications
12 social engineering drills
  • Conducted semiannually

Incident
462 real-time information security alerts
  • Effectively issued 462 real-time information security alerts through self-developed information security tools.
  • Collect information from relevant systems and define empirical rules specific to the Company to develop in-house information security tools
109 reported cases analyzed
  • Analysis of information activities of 109 cases reported.

Questionnaire
4.32 points (out of 5): Information Security Satisfaction
  • Conducted two questionnaires of all employees in 2025
  • Satisfaction of OA, RD, and executives regarding information security: 4.32 points
  • Completion rate was 76.35%
  • Continue to collect employees' suggestions on information security through questionnaires to keep improving the Company's information security environment

Execution record
7,585 threatening e-mails
  • Successfully blocked 7,585 threatening e-mails

264,103 times/month network attacks
  • The average number of high-risk attacks blocked was 26,069 times per month
  • The average number of mid-risk attacks blocked was 196,683 times per month
  • The average number of severe-risk attacks blocked was 181 times per month
24,701 times/month virus isolations
  • The average number of virus and safety isolations was 24,701 per month

1,317 times/month targeted login attempts
  • Blocked 1,317 targeted login attempts per month
