Information Security
01 Purpose
To maintain the confidentiality, integrity, and availability of the information assets owned by Simweb Inc. (hereinafter referred to as “the Company”), comply with applicable laws and regulations, and protect the information security of customers, partners, and internal operations from internal and external intentional or accidental threats, the Company has established the following overall Information Security Policy by integrating information security objectives across all organizational levels.
1.1 Protect the Company’s business information from unauthorized access and ensure information confidentiality.
1.2 Protect the Company’s business information from unauthorized modification and ensure the accuracy and integrity of information.
1.3 Establish business continuity mechanisms to ensure uninterrupted operations and maintain the availability of information and services.
1.4 Ensure that all business operations comply with applicable laws, regulations, and contractual requirements to achieve regulatory compliance.
1.5 Enhance information security awareness among all employees to reduce information security risks and operational impacts.
02 Scope of Application
This policy applies to all employees, outsourced service providers, business partners, and visitors of the Company, all of whom shall comply with this policy and related information security management regulations.
To prevent improper use, leakage, alteration, or destruction of data caused by human error, malicious behavior, system vulnerabilities, or natural disasters, which may result in operational risks and damages, the Company promotes information security management through the following documented systems and management procedures:
2.1 Information Security Policy Establishment and Evaluation
(Information Security Policy, Information Security Objectives Management Procedure, Organizational Context Analysis Procedure)
2.2 Information Security Organization Management
(Information Security Organization Management Procedure)
2.3 Personnel Information Security Management and Training
(Human Resource Security Management Procedure)
2.4 Information Asset Classification and Control
(Information Asset Management Procedure)
2.5 Data Security Control
(Data Security Management Procedure)
2.6 Risk Identification and Control
(Information Security Risk Management Procedure)
2.7 Access Control and Password Management
(Access Control and Password Management Procedure)
2.8 Physical and Environmental Security
(Physical and Environmental Security Management Procedure)
2.9 Operational Security Management
(Operational Security Management Procedure)
2.10 Network Security Management
(Network Security Management Procedure)
2.11 System Development and Maintenance Security
(System Development and Maintenance Management Procedure)
2.12 Supplier Service and Relationship Management
(Supplier Relationship Management Procedure)
2.13 Information Security Incident Response and Handling
(Information Security Threat Intelligence and Incident Management Procedure)
2.14 Business Continuity Management
(Business Continuity Management Procedure)
2.15 Regulatory Compliance and Policy Conformance
(Regulatory Compliance Management Procedure)
03 Responsibilities
To ensure the effective implementation of this Information Security Policy, the Company defines the following responsibilities:
3.1 The Company establishes an “Information Security Committee,” with a senior executive appointing an Information Security Officer responsible for overseeing information security policies, implementation plans, resource allocation, and management reviews.
3.2 Under the Information Security Committee, an “Information Security Working Group” shall be established. A management representative appointed by the Information Security Officer shall be responsible for:
3.3 All departments shall comply with the relevant regulations and management requirements established by the Information Security Working Group.
3.4 All employees, external network users, and partner organizations shall comply with the Company’s Information Security Policy and related regulations.
3.5 Any behavior endangering information security shall be handled in accordance with applicable laws and Company regulations. Where necessary, civil, criminal, and related compensation liabilities may be pursued.
04 Definitions
4.1 Information Security
Ensuring the confidentiality, integrity, and availability of information and communications, including authenticity, accountability, non-repudiation, and reliability.
4.2 Confidentiality
Information shall not be accessed or disclosed to unauthorized individuals, entities, or systems.
4.3 Availability
Authorized users shall have access to and use information and systems when required.
4.4 Integrity
Ensuring the accuracy and completeness of information and preventing unauthorized modification.
4.5 Authenticity
Verifying the identity of users, devices, or systems.
4.6 Non-Repudiation
Ensuring that actions, operations, or transactions that have occurred cannot be denied.
4.7 Accountability
The ability to trace and identify responsibility for information-related activities.
4.8 Reliability
Ensuring the stability and consistency of systems and information processing results.
05 Operational Guidelines
5.1 Review
This policy shall be reviewed at least annually to comply with the latest legal requirements, customer expectations, and information technology developments, ensuring the appropriateness and effectiveness of the system.
5.2 Implementation
5.2.1 Management reviews of policies and implementation effectiveness shall be conducted in conjunction with regular Information Security Committee meetings.
5.2.2 Each year, in accordance with the “Information Security Objectives Management Procedure,” the Company shall evaluate the achievement of information security objectives through measurement and assessment mechanisms and implement continual improvement.
5.2.3 Each year, in accordance with the “Organizational Context Analysis Procedure,” the Company shall conduct internal and external environment analyses to identify key issues and stakeholder requirements affecting the Information Security Management System.
5.2.4 The “Statement of Applicability” shall be reviewed periodically to confirm the scope and appropriateness of implemented information security controls.
5.2.5 This policy shall become effective upon approval by the Information Security Committee and subsequent announcement. The same procedure shall apply to any revisions.