Information Security Risk Management Architecture, Information Security Policy and Specific Management Plan
 

Information Security Risk Management Architecture

  • The IT department is responsible for the overall planning of information security and related matters, for establishing the relevant internal control procedures for its management, and for periodically performing internal information security inspections.

 
 

Information security policy

  • I. Purpose
    As information systems and Internet applications continue to advance, this Information Security Management Policy is established to ensure the security of the Company's software, hardware and network, and to serve as the basis for information security compliance by all employees of the Company.
  • II. Definition
    To ensure that all information systems are protected from interference, damage, infringement or other improper actions, appropriate system planning, procedural regulations and administrative management are implemented to prevent internal and external threats, thereby maintaining the security of the information systems.

  • III. Goal
    To prevent damage to the information systems from improper use or intentional destruction by internal or external personnel; and, where such an incident has already occurred, to enable the Company to respond promptly and restore normal operation in the shortest possible time, thereby reducing the economic loss or operational interruption the incident may cause.

  • IV. Scope
    This policy applies to all information systems of the Company and to all users of those systems. Users include regular employees, contracted personnel, vendors that build and maintain systems, and any other personnel authorized to use them.

  • V. Organization
    The IT department is responsible for the overall planning of information security and related matters, for establishing the relevant internal control procedures for its management, and for periodically performing internal information security inspections.

  • VI. Procedure

    (I) Personnel Information Security Awareness and Training

    To reduce the impact of internal human factors on information security, the IT department shall conduct information security training and awareness campaigns regularly in order to increase personnel's knowledge and awareness of information security.

    (II) Information System Security Management

    1. Computer hosts and server equipment shall be installed in dedicated machine rooms managed by the IT department. Unauthorized personnel shall not enter these machine rooms, and a machine room shall remain locked whenever no one is inside.

    2. Personal computers and peripheral equipment shall be allocated appropriately according to the nature of the business and the space available, and shall be connected to an uninterruptible power supply (UPS) to ensure a stable power supply and to prevent equipment damage from affecting the Company's operations.

    3. The maintenance and operating status of major equipment shall be recorded. In case of equipment failure, troubleshooting shall be performed internally or the maintenance vendor shall be contacted for emergency handling.

    4. The machine room temperature shall be kept within the acceptable operating range of each piece of equipment. If an abnormality occurs, the monitoring equipment shall notify the relevant IT department personnel to troubleshoot, in order to prevent equipment damage from affecting the Company's operations.
       
    5. A newly established information system shall be put into service only after the supervisor's signed approval has been obtained through the application procedure, in order to ensure that the system operates accurately and stably.

    6. Each department shall use properly licensed software and shall comply with the relevant laws and contract requirements. Software that is not properly licensed or is unrelated to job duties shall not be installed or used. Violators shall bear the relevant legal liability and shall also be liable to indemnify any damage to the equipment of each unit.

    7. Data backup and recovery operations shall be performed periodically so that normal operation can be resumed promptly in case of a disaster. Backup media shall be stored off-site in a secure environment to ensure the integrity and availability of the data.

    8. When information services are outsourced, the potential security risks shall be carefully assessed in advance, and an appropriate information security agreement shall be signed with the outsourced vendor so that the relevant security management obligations are imposed on the vendor and included in the contract terms.

    (III) Network Security Management

    1. Access points connected to external networks shall be protected by firewalls and other security facilities in order to control data transmission and access between the external and internal networks.

    2. Enterprise-edition anti-virus software shall be installed and an intrusion detection system shall be deployed to protect the Company's information systems from virus infection and from intrusion by malware or hackers. Information equipment shall at all times be kept up to date with the latest virus definitions and operating system patches.

    3. If an intrusion or suspected intrusion is discovered, the IT department shall be notified to handle it. Where considered necessary, legal action shall be taken.

    (IV) System Access Control

    1. When a user is newly recruited, transferred or resigns (or is suspended), written notice shall be submitted to the IT department so that the user's access rights can be added, adjusted or deleted, in order to ensure the security of the system.

    2. Information systems shall be protected by access passwords; user passwords shall comply with security principles and shall be changed periodically.

    3. The IT department shall periodically inspect the security status of each system in order to ensure the security of information-processing operations.

    (V) Security Management of Information System Development and Maintenance 

    1. System development and construction, maintenance, updates, deployment into service and version changes shall be under security control and shall be handled by legitimate, qualified vendors, in order to prevent improper software, backdoors, computer viruses and the like from jeopardizing the security of the system.

    2. Construction and maintenance of important information systems by outsourced vendors shall be carried out only under the supervision and with the participation of the Company's IT department personnel.

    3. Changes to programs and to system authorizations require an application form and the supervisor's approval before the IT department personnel and supervisor schedule the work. In addition, program and system testing shall be confirmed to be correct and error-free before the change is approved for use in service.

    (VI) Planning and Management of the Business Continuity Plan

    1. If an information security event causes an information system to stop operating or degrades its performance, it shall be reported immediately to the unit supervisor and to IT department personnel for handling.

    2. Once the report has been made, the affected information system or equipment shall be taken out of use immediately and its current state preserved. On receiving the report, the IT department personnel shall record the relevant details in order to carry out the handling procedure.

    3. The IT department shall periodically assess the potential loss from information security risks. Where assessed to be necessary, appropriate insurance shall be taken out to reduce the amount of loss.
 
 

Specific Management Method

  • To prevent external information security threats, in addition to a multi-layer virtual network architecture, various information security protection systems have been deployed. Firewalls from well-known vendors are used, and their application protection is updated frequently. In addition, when personnel attempt to access hazardous external websites, a warning is issued and the access is blocked so that operators cannot reach them.

  • Every computer is installed with anti-virus software ranked among the top five worldwide, and protection is managed centrally to protect the computers from viruses. Virus definitions are updated promptly, and alerts are sent to the IT department's principal network administrator.
 
 
 
9F., NO. 168, JIANKANG RD., ZHONGHE DIST., NEW TAIPEI CITY, TAIWAN
+886-2-6621-5888
+886-2-6620-0888
sales@syncmold.com.tw
 
Copyright © Syncmold Enterprise Group. All rights reserved.