Information Security Policy

1. The Company's information security target is to ensure the confidentiality, integrity, and availability of material and core systems, and to define and measure quantitative indicators of information security performance based on levels and functions, so that the implementation of the information security system achieves the information security target.

2. To achieve the mission and target of the Company, as well as the expectation and requirements of the management for information security, and ensure the security of the Company's information assets, the information security policy is established as follows:

2.1. Principle

2.1.1. The asset risk evaluation shall be performed with consideration to relevant laws and regulations and operational requirements to ensure the security requirements for information operations, establish standard operating procedures, and adopt appropriate information security control measures to ensure asset security.

2.1.2. For the benefit of implementing the information security work, an information security organization shall be established, and the division of labor and authority and responsibility shall be set.

2.1.3. Adopt the roles and functions of personnel as the basis to establish the assessment or evaluation system and organize information security education and training and promotion activities based on the requirements.

2.1.4. Access to assets shall be granted based on business requirements, with minimum authority, segregation of authority and responsibility, and review taken into consideration.

2.1.5. Establish the Procedures for Information Security Incident Management to ensure the due response to, control, and handling of incidents.

2.1.6. Establish the business continuity plan and carry out regular drills to ensure the continual operations of information services.

2.1.7. Duly process and protect information assets, personal data, and intellectual property rights according to the "Enforcement Rules of Cyber Security Management Act," "Personal Data Protection Act," and other laws and regulations related to intellectual property rights.

2.1.8. Regularly implement information security audits to examine the level of implementation of the information security management system.

2.1.9. If employees violate the policy or information security-related specifications, arrangements shall be made according to the reward and punishment standards or relevant regulations. If other personnel violate information security requirements, civil and criminal responsibilities shall be pursued according to relevant laws.

2.2. Target

2.2.1. Jointly protect assets related to information service maintenance management to prevent intentional, inappropriate, or illegal use by personnel and to stop intrusion and destruction by hackers and viruses.

2.2.2. Establish information security management procedures and relevant standard operating procedures, enhance employees' awareness of information security, and avoid human operational negligence and accidents to maintain the continual operation of information services in compliance with confidentiality, completeness, availability, and legitimacy.

2.2.3. Formulate information security targets based on the business strategies to allow business strategies to be based on the target of information security.

3. To ensure the effective operation of the information security management system, the Company has established its information security organization to coordinate the planning and promotion of the information security management system.

4. Human resource security control: To minimize the effects of human factors on the Company's information security, the Company implements appropriate information security education, training, and promotion to improve personnel's awareness of information security.

5. Asset management: To protect the security of the Company's information security, the Company has established its list of information assets according to the specifications and established the information asset classification, grading, and control measures and operating principles.

6. Access control:

6.1. To control access to information processing equipment, a system for user passwords, registration, alteration, deletion, and regular review is established, and clear desk and clear screen measures are also established.

6.2. To protect network security, we have established a network service system that separates our intranet from the channels used to contact external parties and controls remote work and the use of mobile devices.

7. Password control: Establish appropriate and effective password usage policies to protect the confidentiality, identification and integrity of information.

8. Physical and environmental security control: To ensure the security of machine rooms, offices, and relevant equipment, the Company has set computer machine room access, equipment inspection, and management principles and has established the use, management, and retirement principles for general information equipment in offices.

9. Operation and communication security

9.1. To ensure the correct and secure operation of information equipment, we established specifications for the correct use of information, prevented the leakage of confidential information, and established the system to prevent malware and mobile code.

9.2. To ensure the completeness and availability of information assets, we established information processing equipment backup operations and adopted external information processing facility service control principles.

9.3. To protect network security, we established the network security control system and the monitoring system using status track protection principles.

10. System access, development, and maintenance: To ensure the development management, testing, acceptance, launch, maintenance, and outsourced management of application systems, the Company has established standard control procedures.

11. Supplier relationship: Establish supplier relationship and management to ensure suppliers' access, processing, and management of the Company's information and the security of information processing facilities.

12. Information security incident management: To minimize the damages caused by information security incidents, the Company has established its Procedures for Information Security Reporting and Processing with records made.

13. Business continuity management: To ensure the business continuity operation of the Company, the Company has established information security control principles for business continuity management, established the business continuity operation management procedures and structures, and formulated and implemented the business continuity operation plan.

14. Legitimacy: To ensure that the implementation of the information security management system complies with relevant laws and regulations, safety policies, and the latest technology trends, the Company has established its legitimacy confirmation principles.

15. Employees who violate information security-related requirements shall be held to their information security responsibilities under the disciplinary procedures.

16. The information security management review representative of the Company reviews the policy at least once every year to comply with relevant laws and regulations, technologies, businesses, and the latest development in order to ensure the effectiveness of information security practices.

17. Unaddressed matters in the policy shall be subject to relevant laws, regulations and relevant requirements of the Company.

18. This policy shall be implemented after approval by the company's information security management review representative; the same applies to amendments.