Information Safety Management



Purposes and Scopes of the Information Safety Management


The purpose of information safety management is to secure the safety and stability of the internet and to avoid system errors and damage to digital files that could lead to the suspension of company operations. The Company has established information safety policies and protocols that regulate the use of information systems, the internet, PCs, and email to ensure the safety of the Company.



The Framework of the Information Safety Risk


The Company established an information safety sector in January 2022 and appointed a chief information officer in August, who supervises information safety matters in the Company and periodically holds cross-department meetings to review performance and coordinate resources.



The Policies of the Information Safety


  1. Follow the regulation and popularize the awareness of information safety.
  2. Value risk management and ensure information safety.
  3. Require full implementation and pursue ongoing improvement.


Management Plan


| Category | Management Plan Description |
| --- | --- |
| Network Security | Adopt a multi-layered defense-in-depth architecture; establish firewalls and Intrusion Prevention Systems (IPS). |
| | Implement malicious URL filtering and Advanced Persistent Threat (APT) protection. |
| Device Security | Install antivirus software on computers and control USB device access to enhance endpoint protection. |
| | Update virus definitions and security patches in real time; schedule regular virus scans. |
| | Utilize a security monitoring platform (GrayLog) and antivirus alerts to analyze system logs, provide real-time anomaly alerts, and implement emergency response to prevent escalation of threats and risks. |
| Application Security | Conduct source code vulnerability scanning. |
| Data Security Protection | Audit employee internet usage, email, and USB access to prevent improper leakage of sensitive data and avoid malware intrusion into internal systems. |
| | Establish secure access policies, enforce periodic password changes, and enable password complexity settings to strengthen user authentication. |
| | Implement centralized management of privileged accounts, and record login and operation activities on critical hosts and servers. |
| Education Training | Conduct annual cybersecurity awareness training and assessments for employees to enhance risk awareness. |
| | Conduct annual social engineering drills via email to raise employee vigilance. |
| Physical Environment Security | Install access control and CCTV systems for data centers and other IT infrastructure; conduct regular drills for backup systems, uninterruptible power supplies (UPS), and fire safety equipment to strengthen physical security. |
| Cybersecurity Testing | Conduct annual red team exercises. |
| Compliance | Review cybersecurity policies, objectives, and regulations annually; monitor cybersecurity issues and trends, and develop response plans to ensure appropriateness and effectiveness. |


The Information Safety Operation Status


The information risk management operation status is reported to the board at least once a year, and modifications to related regulations are discussed. The latest date of reporting to the board was May 3rd 2025. The Company introduced an information security management system based on ISO 27001 starting in 2024 and obtained third-party certification (ISO/IEC 27001:2022 international information security certification) on May 3rd 2025.