Information Security Policy

  1. To ensure the security of corporate information and safeguard the rights and interests of the company and stakeholders, the company has established an Information Security Center, overseen by the General Manager. The Information Security Center is responsible for developing annual information security strategies and plans, coordinating the utilization of relevant resources, overseeing information security incident management, planning and conducting information security education, and collaborating with audit units to perform information security audits.
  2. The Information Security Center aims to implement information security management effectively, ensuring the efficient operation of information and network systems while maintaining their confidentiality, integrity, and availability. Following the Plan-Do-Check-Act (PDCA) management cycle, it reviews the applicability of information security systems and protective measures, continually assesses their effectiveness, and enhances the management framework for information and network system security.

Information Security Organization and Objectives

Information Security Organization

To promote information security policies and ensure the implementation of incident reporting and emergency response, the Chief Information Security Officer (CISO) has established the Information Security Center. Four dedicated task forces have been formed under this center, each responsible for executing specific operations within its function and for coordinating the allocation of information security responsibilities across departments:

  1. Information Security Response Group:
    Responsible for the handling and emergency response of information security incidents. This includes incident reporting, preliminary analysis, coordination of containment efforts, recovery tracking, and improvement recommendations, ensuring that incidents are controlled in a timely manner and their impact is minimized.
  2. Document Control Group:
    Responsible for the management of information security-related documents and records. This includes the formulation, version control, distribution, retention, and updating of policies, procedures, and operational documents to ensure compliance with standards as well as consistency and traceability.
  3. Audit Group:
    Responsible for conducting scheduled and unscheduled information security audits and inspections. The group reviews the implementation of security measures and processes, provides audit findings and improvement recommendations, and serves as a basis for management to drive continuous improvement.
  4. Personal Data Protection Group:
    Responsible for the formulation and amendment of personal data protection management regulations and related systems. The group identifies, assesses, and manages risks associated with personal data and information security, and performs regular reviews to ensure the legal compliance and effectiveness of these systems.

Information Security Objectives

  1. Confidentiality: Ensure that sensitive information is only accessible to authorized personnel.
  2. Integrity: Prevent unauthorized modification or damage to data, ensuring its accuracy and reliability.
  3. Availability: Ensure that systems and resources are available when needed and can withstand unexpected failures or attacks.
  4. Legal and Regulatory Compliance: Comply with all applicable laws, regulations, and standards, including privacy protection laws.
  5. Risk Management: Identify, assess, and mitigate information security risks, and take appropriate measures to address them.
  6. Education and Training: Provide security awareness training and education to employees, users, and relevant stakeholders.
  7. Emergency Response: Establish an effective emergency response plan to address security incidents and violations.
  8. Continuous Improvement: Continuously review, update, and improve security policies, measures, and procedures.
  9. Technical Protection: Deploy technical security measures such as firewalls, intrusion detection systems, etc., to protect systems and networks.
  10. Physical Security: Protect hardware, equipment, and facilities to prevent unauthorized intrusion.

Information Security Protection and Control Measures

Identifying Information Assets and Risk Assessment

Hold regular discussions on core business operations to confirm their scope. Establish and review an inventory of core system information assets, identifying the value of each asset. Inventory information system assets, classify them according to their attributes, and label those that belong to core information systems.

Access Control and Encryption Mechanism Management

The purpose of access control and encryption mechanism management is to implement security measures that protect sensitive information and critical systems. The company takes the following actions to ensure the security of its information assets.

Operations and Communication Security Management

  1. Implement control measures against malware.
  2. Hosts and personal computers must have antivirus software installed, and their software and hardware must be maintained in a timely manner.
  3. Files obtained from any form of storage media must be scanned for malware or viruses before use.
  4. Do not install software from unknown sources, software with licensing or legal concerns, or software unrelated to business without prior approval.
  5. Deploy firewalls to defend against external attacks.
  6. Maintain antivirus software and network firewalls, keep them in continuous operation, and perform necessary software and hardware updates or upgrades in a timely manner.
  7. Back up the logs of information security equipment and regularly review that the backups are being performed.
  8. Installing computers, network communication devices, or related equipment in the office without authorization is prohibited.
  9. Using company network communication devices or related equipment with personal devices is prohibited.

Email Security Management

  1. When using email, exercise caution and avoid opening emails from unknown sources.
  2. Do not transmit confidential or sensitive data via email. If there is a business need, follow relevant guidelines for encryption or other protective measures.
  3. Do not use the company's provided email services for activities that infringe upon the rights of others or engage in illegal activities.
  4. Conduct email social engineering drills and review their implementation.
  5. Implement an email filtering mechanism to reduce spam or malicious email infiltration.
  6. Implement an email archiving system that retains emails in their entirety with searchable access to satisfy legal and audit requirements (both internal and external), facilitate subsequent analysis of cybersecurity incidents (e.g., social engineering, data leakage, insider abuse), and mitigate risks associated with email deletion or alteration.

Computer Room Management

  1. Personnel and equipment entering and exiting the computer room should be authorized and recorded.
  2. Security detection and protective measures are installed in the computer room to minimize risks arising from an unsafe environment.
  3. The computer room is regularly monitored for temperature, humidity, and electrical safety.
  4. All equipment undergoes regular inspections and maintenance.

Sensitive Data Protection

The organization shall monitor and control the use of data in email, file transfers, cloud services, and removable devices by means of technical tools to prevent abnormal data exfiltration. Access and operation logs shall be maintained, and regular monitoring and audits shall be conducted to facilitate the tracking of anomalous behavior and support incident investigation. Measures shall be implemented to prevent unauthorized access, disclosure, or misuse of personal data, trade secrets, financial information, and other sensitive information in accordance with applicable security requirements.

Security Management for Computer Usage

  1. Personal computers should be logged out or have the screen lock activated immediately when not in use.
  2. Installation of unauthorized software is prohibited.
  3. Personal computers should undergo regular updates for operating systems, application patches, and antivirus definitions.
  4. Important data should be regularly backed up, and the integrity of backup data should be verified.
  5. The use of mobile storage devices is prohibited without prior approval.

Core Business System Continuity Drills

Verify that core business systems can be recovered and resumed within an acceptable timeframe in the event of disasters, system failures, or cybersecurity incidents to reduce the risk of operational disruption. Confirm that existing business continuity, redundancy, and recovery mechanisms are executable and effective. Conduct drills to familiarize relevant personnel with notification, decision-making, execution, and coordination processes, thereby reducing human errors during actual incidents. Review drill outcomes to identify deficiencies and use the results as the basis for improving processes and technologies, strengthening overall system resilience.

Security Health Check

The purpose of an information security health check is to comprehensively assess the organization’s current cybersecurity posture, identify potential security weaknesses and risks, and provide actionable recommendations and control measures. Through a systematic checking and analysis process, vulnerabilities in systems, networks, applications, and processes are detected early to minimize the likelihood of exploitation, strengthen technical and administrative defenses, ensure the confidentiality, integrity, and availability of information assets, and support regulatory compliance and business continuity objectives.

Information Security and Training

The purpose of information security training is to establish employees' awareness of information security and to enhance the company's level of information security. Its content includes:

  1. Information security policies.
  2. Information security regulations and requirements.
  3. Information security operations.
  4. Information security technical training.

Accomplishments in 2025

A. Continuously maintain the inventory of information assets and risk identification.

B. Joined the Taiwan CERT/CSIRT Alliance and continues to exchange cybersecurity intelligence through it to strengthen the company's information security defenses.

C. Completed the following security checks through an external cybersecurity firm:

  1. 2025/09 - Completed vulnerability scanning and patching.
  2. 2025/09 - Completed penetration testing and vulnerability patching.
  3. 2025/05 - Completed social engineering drills.
  4. 2025/12 - Completed source code scanning and improvement plan for deficiencies.

D. Completed continuous operation drills for core business systems, including:

  1. 2025/12 - Main data center failure drill (power outage, fire, temperature and humidity control failure, etc.).
  2. 2025/12 - Network disconnection drill.
  3. 2025/12 - Core system server failure drill.
  4. 2025/12 - Core system database recovery drill.

E. Continuously carry out updates or upgrades of security equipment for both software and hardware.

F. The implementation of information security education for the year 2025 is as follows:

G. In 2025, there were no major information security incidents and no complaints regarding breach of customer data or loss of customer information.

The aforementioned 2025 information security planning and implementation details were reported to the Board of Directors by the Chief Information Security Officer on January 6, 2026.