1. To ensure the security of corporate information and safeguard the rights and interests of the company and stakeholders, the company has established an Information Security Center, overseen by the General Manager. The Information Security Center is responsible for developing annual information security strategies and plans, coordinating the utilization of relevant resources, overseeing information security incident management, planning and conducting information security education, and collaborating with audit units to perform information security audits.
2. The Information Security Center aims to effectively implement information security management, ensuring the efficient operation of information and network systems while maintaining their confidentiality, integrity, and availability. Following the management cycle of Plan-Do-Check-Act (PDCA). It reviews the applicability of information security systems and protective measures, continually assesses effectiveness, and enhances the management framework for information and network system security.

To promote policies related to information security, implement incident reporting, and handle related responses, the company has established an Information Security Center with a Information Security Manager and Information Security Specialist. Their responsibilities include:

1. Coordinating the allocation of responsibilities for information security matters across departments.
2. Coordinating the research and discussion of information security technologies, methods, and procedures.
3. Implementing overall information security measures and plans.
4. Executing annual work plans based on information security objectives.
5. Communicating information security policies and objectives.
6. Researching, establishing, and evaluating matters related to information security technologies.
7. Enforcing relevant regulations, procedures, and systems related to information security.
8. Conducting inventory and risk assessments of information systems. Implementing security measures for data and information systems
9. Reporting information security incidents and executing response mechanisms.
10. The Information Security Officer reports the information security planning and implementation status to the Board of Directors annually.

Information Security Objectives

1. Confidentiality: Ensure that sensitive information is only accessible to authorized personnel.
2. Integrity: Prevent unauthorized modification or damage to data, ensuring its accuracy and reliability.
3. Availability: Ensure that systems and resources are available when needed and can withstand unexpected failures or attacks.
4. Legal and Regulatory Compliance: Comply with all applicable laws, regulations, and standards, including privacy protection laws.
5. Risk Management: Identify, assess, and mitigate information security risks, and take appropriate measures to address them.
6. Education and Training: Provide security awareness training and education to employees, users, and relevant stakeholders.
7. Emergency Response: Establish an effective emergency response plan to address security incidents and violations.
8. Continuous Improvement: Continuously review, update, and improve security policies, measures, and procedures.
9. Technical Protection: Deploy technical security measures such as firewalls, intrusion detection systems, etc., to protect systems and networks.
10. Physical Security: Protect hardware, equipment, and facilities to prevent unauthorized intrusion.

Identifying Information Assets and Risk Assessment

Conduct regular discussions on core business operations to confirm their content. Establish and review an inventory of core system information assets, identifying their value. Conduct an inventory of information system assets, classify them based on asset attributes, and label core information systems.

Access Control and Encryption Mechanism Management

The purpose of access control and encryption mechanism management is to implement security measures to protect sensitive information and critical systems. The enterprise takes the following actions to ensure the security of information assets.

Operations and Communication Security Management

1. Implement control measures against malware.
2. Hosts and personal computers need to have antivirus software installed, and both software and hardware should be maintained in time.
3. The file obtained from any form of storage media must be checked for the presence of malware or viruses.
4. Do not install software from unknown sources, with legal concerns, or unrelated to business without prior consent.
5. Set up a firewall to defend against external threat attacks.
6. Establish anti-virus software, network firewalls, and continue to apply them and perform necessary software and hardware updates or upgrades in a timely manner.
7. Back up log records of information security equipment and review the execution status regularly.
8. It is prohibited to privately install computers, network communication devices, or related equipment in the office.
9. It is prohibited to use company network communication devices or related equipment on personal devices.

Email Security Management

1. When using email, exercise caution and avoid opening emails from unknown sources.
2. Do not transmit confidential or sensitive data via email. If there is a business need, follow relevant guidelines for encryption or other protective measures.
3. Do not use the company's provided email services for activities that infringe upon the rights of others or engage in illegal activities.
4. Conduct email social engineering drills and review their implementation.
5. Implement an email filtering mechanism to reduce spam or malicious email infiltration.

Computer Room Management

1. Personnel and equipment entering and exiting the computer room should be authorized and recorded.
2. Security detection and protective measures are installed in the computer room to minimize risks arising from an unsafe environment.
3. The computer room is regularly monitored for temperature, humidity, and electrical safety.
4. All equipment undergoes regular inspections and maintenance.

Security Management for Computer Usage

1. Personal computers should be logged out or have the screen lock activated immediately when not in use.
2. Installation of unauthorized software is prohibited.
3. Personal computers should undergo regular updates for operating systems, application patches, and antivirus definitions.
4. Important data should be regularly backed up, and the integrity of backup data should be verified.
5. The use of mobile storage devices is prohibited without prior approval.
6. The company conducts a system continuity drill for core business systems once a year.
7. An information security assessment is conducted annually, and the implementation status is reviewed.

Information Security and Training

The purpose of information security training is to establish employees' awareness of information security and to enhance the company's level of information security. Its content includes:

1. Information security policies.
2. Information security regulations and requirements.
3. Information security operations.
4. Information security technical training.

A. Continuously maintain the inventory of information assets and risk identification.

B. Joined the [Taiwan CERT/CSIRT Alliance] and continuously exchanges cybersecurity intelligence to strengthen the information security defense system.

C. Completed the following security check items through the external cybersecurity professional company:

1. 2024/09 - Completed vulnerability scanning and patching.
2. 2024/09 - Completed penetration testing and vulnerability patching.
3. 2024/05 - Completed social engineering drills.
4. 2024/12 - Completed source code scanning and improvement plan for deficiencies.

D. Completed continuous operation drills for core business systems, including:

1. 2024/12 - Main data center failure drill(power outage, fire, temperature and humidity control failure, etc.).
2. 2024/12 - Network disconnection drill.
3. 2024/12 - Core system server failure drill.
4. 2024/12 - Core system database recovery drill.

E. Continuously carry out updates or upgrades of security equipment for both software and hardware.

F. The implementation of information security education for the year 2024 is as follows:

G. In 2024, there were no major information security incidents and no complaints regarding breach of customer data or loss of customer information.

The aforementioned 2024 information security planning and implementation details were reported to the Board of Directors by the Chief Information Security Officer on January 2, 2025.