Information Security Policy
To strengthen information security protection, the Company has adopted appropriate management measures and implementation plans as follows:
- Appoint a Chief Information Security Officer (CISO), a position to be held by a Vice President-level executive or another suitably designated individual. At least one management review meeting shall be held annually, with extraordinary meetings convened when necessary, to ensure continual improvement of information security management.
- Establish an Information Security Management Organization responsible for the development and promotion of information security systems and initiatives.
- Define effectiveness measurement items and methods to achieve the Company’s information security objectives.
- Identify potential risks and opportunities related to information assets and operational processes, and implement necessary controls to reduce, avoid, or transfer risks, thereby preventing information security incidents.
- Identify the organizational context, internal and external interested parties, and their degree of involvement in information security protection, and clearly define the duties, responsibilities, and authorities of personnel.
- Identify the types of products and services provided by suppliers, ensure compliance with legal and regulatory requirements as well as information security requirements for access to information or information processing facilities, and specify such requirements in contracts and agreements with periodic reviews.
- Establish management regulations for equipment, data security, personnel management, and mechanisms for reporting and responding to information security incidents.
- Establish mechanisms for information security audits and the preservation of necessary usage records, audit trails, and evidence to fulfill due diligence responsibilities.
- Conduct regular information security awareness training for employees, and provide appropriate education and training for dedicated information security personnel, IT personnel, and personnel responsible for personal data files.
- Develop internal audit plans to review the implementation of the Company’s information security management measures and take appropriate corrective actions based on audit findings.
This Policy shall be reviewed at least once annually based on business changes, technological developments, and risk assessment results, with review records maintained and continual improvements made to ensure its effectiveness and suitability in compliance with legal, regulatory, technical, and operational requirements. This Policy shall take effect upon approval by the Chief Information Security Officer.