Information Security Policy
Adhering to the core values of "Enhancing Information Security Management and Safeguarding Customer Rights", we have implemented the ISMS (Information Security Management System) and obtained verification. Following the management mechanism of the "Plan-Do-Check-Act (PDCA)" cycle, we adopt a gradual and continuous improvement approach to strengthen the security of data, information systems, equipment, and network communication. This effectively reduces the risks associated with theft, improper use, leakage, tampering, or destruction of information assets caused by human error, intentional actions, or natural disasters. We aim to protect the confidentiality, integrity, availability, and compliance of our business information.
Information Security Committee
Our company's "Information Security Committee" is responsible for planning, establishing, and maintaining information security management. We regularly conduct information security awareness campaigns, social engineering drills, business continuity plan exercises, penetration testing, and vulnerability scanning to implement the information security management policy. Additionally, we establish emergency response measures for unexpected information security incidents.
Information Security Management
- Our company obtained ISO/IEC 27001:2022 Information Security Management System certification on February 7, 2025. The certificate is valid until February 6, 2028.
- As part of our ISMS (Information Security Management System), we regularly conduct information security awareness programs for our employees and carry out two unannounced social engineering drills each year to enhance the overall security awareness of our staff.
- We perform regular risk assessments to identify high-risk areas and implement necessary improvements to reduce operational risks within the company.
- We have established regular data backup procedures and developed business continuity plans to ensure the effectiveness of our backup processes.
- We have implemented firewalls, antivirus software, and email filters, and regularly update them to effectively detect and block external threats.
- Endpoint control systems have been implemented to monitor and control peripheral storage devices, employee internet usage, and file permissions, mitigating the risk of intellectual property leakage.
- We conduct annual vulnerability scanning, penetration testing, and security assessments to ensure the security of our information systems and network communication.
- Internal and external audits are conducted annually, and improvement measures are implemented based on the audit results to continuously enhance the effectiveness of our information security management system.
Information Security Management Measures
Specific management measures include:
User Account / Permission Management | User Password and Permission Management
- User account permission management and review.
- Passwords must meet complexity requirements and be changed regularly.
- Control of computer software installation permissions.
User Behavior Monitoring | Data Transmission Control
- Disable personal external storage devices.
- Internal/external network access control.
- Web filtering.
Email Security Management | Email Protection
- Email review mechanism.
- Virus, malware, and phishing email detection.
- Advertisement/spam email filtering.
External Threats | Intrusion Prevention
- Real-time updating of antivirus software virus definitions to reduce the risk of infection.
- Regular execution of vulnerability scanning, penetration testing, and security assessments to verify the effectiveness of security measures.
- Firewall intrusion detection to block external network attacks.
Data Center Security Management | Personnel Access Control
- Registration is required for entering and exiting the data center, and access is only allowed when accompanied by IT personnel.
- The data center is equipped with surveillance systems and access control measures to prevent unauthorized access.
High Availability | Non-stop System Operation
- The server system is managed using VMware virtualization, which includes high availability (HA) features. In the event of a system failure, it can be restored to operation in the shortest possible time.
Backup Management | Operations Security
- Implementing the 3-2-1 backup principle: creating at least three copies of backups, storing them on two different storage media, and keeping one copy off-site.
- Conducting regular disaster recovery drills each year to ensure the effectiveness of the backups.