Hardware needs to be stabilized, Software needs to be applied;

Authorized to use, Record to access;

Backup must be performed, Replication must be feasible;

Intrusions can be prevented, Abnormalities should be reported.

 

 

To ensure the continuous operation of our information environment and comply with government regulations, we've established an Information Security Management System (ISMS). This system mitigates risks from unforeseen natural disasters or human error that could lead to system interruptions. We successfully implemented ISO 27001 in 2022 and regularly maintain our certification. Our current certificate is valid from February 23, 2025, to March 15, 2026.

To effectively manage information security, we've formed an Information Security Committee. This committee is responsible for setting our information security goals, strategies, and management procedures, ensuring the effectiveness of our ISMS. On December 20, 2024, the Board of Directors reviewed our information security risk management policy and other related matters.

 

We've established this policy to ensure the confidentiality, integrity, availability, and legality of our information assets. It also helps us comply with relevant regulations, protecting these assets from both internal and external, intentional or accidental threats.

 

Our company's information security controls are designed to protect the confidentiality, integrity, and availability of crucial customer data and our internal personnel information. We continuously strengthen our information security management to ensure the security of our data, systems, equipment, and network. By fostering a reliable information environment, deploying innovative security technologies, and implementing robust information security management practices, we strive to enhance our service quality and provide excellent service. We are committed to continuous improvement and innovation as we advance towards e-service.

 

Our company is dedicated to achieving four core objectives:

  • Securing our business services: We ensure that information is only accessible with proper authorization, safeguarding customer rights and maintaining the confidentiality of customer data.
  • Protecting business integrity: We prevent unauthorized modifications to guarantee the accuracy and completeness of our operations.
  • Ensuring business continuity: We establish robust information operation continuity plans to maintain uninterrupted service.
  • Adhering to regulations: We ensure all business services comply with relevant government laws and regulations.

 

To achieve our information security management objectives, our company has established the following information security management indicators:

Quantitative Indicators

We ensure the availability of our information services through these requirements:

  • Zero Major Incidents Annually: No Level 4 information security incidents throughout the year. (Refer to the "Information Security Incident Reporting and Management Procedure" for details.)
  • Data Center Operations Availability: Data center infrastructure services (e.g., UPS systems, air conditioning) must achieve over 99% availability during annual working hours. (Calculation: 365 days * 24 hours = 8760 hours; 1% = 87.6 hours; 8672.4 / 8760 = 99%)
  • Critical Business System Availability: Key business system services must achieve over 98% availability during annual working hours.

Qualitative Indicators

  • Regular Policy Review: Information security policies are regularly reviewed to ensure the effective implementation of our information security management system.
  • Organizational Review: The responsibilities of information security personnel are regularly reviewed to ensure the effective promotion of information security initiatives.
  • Mandatory Training: Appropriate information security training is provided to employees based on their roles and responsibilities, in compliance with regulatory requirements.
  • Enhanced Internal Controls: We strengthen internal controls to prevent unauthorized and improper access, ensuring information assets are adequately protected.
  • Environmental Security: Appropriate protective measures and access control mechanisms are implemented to safeguard the security of information processing facilities.
  • Incident Reporting & Handling: All information security incidents or suspected security vulnerabilities must be reported through appropriate upward escalation mechanisms, followed by proper investigation and resolution.

Promoting ESG Sustainable Development for Future

Sigurd Corporation continues to provide the best package and test solutions for customers, ensuring quality and customer satisfaction.
