1. Purpose

To enhance the security and stability of the company’s information operations, provide reliable information services, and ensure the confidentiality, integrity, and availability of information assets, this Information Security Policy (hereinafter referred to as “the Policy”) is established as the highest guiding principle for the company’s information security management.

2. Information Security Policy Vision:

➤ Strengthen security awareness and implement access control

➤ Enhance data protection and ensure business continuity

3. Based on the vision of the Information Security Policy, the following information security objectives are established:

● Promote information security education to build awareness and defense capabilities.

● Conduct regular access right reviews to strengthen secure access and protection mechanisms.

● Enhance data protection by implementing security audits and ensuring regulatory compliance.

● Execute and reinforce exercise plans to improve operational resilience and response capabilities.

4. Implementation

(1) Assess information operation security requirements, establish related procedures, develop strategies, management frameworks, and standards to ensure the confidentiality, integrity, and availability of information assets.

(2) Establish an information security organization with defined roles and responsibilities to facilitate the implementation of information security operations.

(3) Formulate the company’s information security incident classification and assessment criteria to guide required actions.

(4) Establish an information security incident reporting and response mechanism to ensure timely and effective response, control, and handling of incidents, thereby minimizing impact and losses.

(5) Conduct regular information security awareness training and promotion to enhance employees’ security awareness, reduce human error risks, and prevent information security incidents.

5. Communication

✔ The Information Security Policy (vision and objectives) shall be communicated internally through announcements or training sessions.

✔ The Information Security Policy (vision and objectives) shall be published on the company website for communication with external stakeholders.