Information Security Management

Risk management framework for information and communications security:

The Company’s information security team is subordinate to the information department and is responsible for reviewing the Company’s information security policy, supervising the operation of information security management, confirming the effectiveness of the Company’s information security management operation, and establishing a good awareness of information security among colleagues. The internal audit team regularly conducts work audits, submits audit reports, and reports to the Audit Committee and the Board of Directors.

Information security policy:

  1. Purpose:
    The Company’s information security policy mainly focuses on information security governance and legal compliance. It raises the Company’s overall information security protection capability to ensure that customer information and the Company’s intellectual property are not infringed, and reduces the internal and external information security risks the Company faces. The Company’s information security team is responsible for expanding information security management, setting management goals, and continuously strengthening the monitoring, control, and management mechanisms, including strengthening educational training, designing the information security structure, and assuring that all information processes meet the requirements of domestic and overseas information security laws.
  2. Scope:
    To prevent the misuse, leakage, tampering, or damage of data resulting from negligence, intentional misconduct, or natural disasters, which could pose various potential risks and threats to the Company, the scope of information security is covered by the following procedures:

    1. Formulation and Evaluation of Cybersecurity Policy
    2. Cybersecurity Organization
    3. Cybersecurity Human Resources Security
    4. Cybersecurity Asset Management
    5. Physical and Environmental Security
    6. Access Control Security
    7. Communication and Operations Security
    8. Operation Security Management
    9. Outsourcing Management
    10. Data Backup Management
    11. Response and Treatment of Cybersecurity Incidents
    12. Sustainable Business Operation Management
    13. Information Security Policy Compliance Management
  3. Management Measures:
    The proposed information security plan is to promote the information security policy year by year, to introduce information security systems and process specifications, and to continuously build complete technical protection measures for information security. The summary of information security management measures is as follows (each item is followed by its relevant procedures or control measures):

    Information security governance
      • Formulate comprehensive management systems, and regularly review and amend related operation procedures
      • Strengthen information security education and training
      • Manage compliance with the information security policy
    Information assets and system management
      • Take inventory of IT assets regularly and implement control measures
      • Physical security and environmental safety
      • Information security and work safety
      • Ensure the security of information system development and maintenance
      • Data backup management
    Permission management
      • Manage the employees’ accounts, passwords, and the access rights required for their job functions, and update them regularly
      • Data access control
    External threats
      • Install anti-virus software on personal computers and regularly update the virus pattern files
      • Prohibit the use of unauthorized software
      • Information security incident and accident management
  4. Objectives:
    • Through the management and control of the aforementioned scope of information security, combined with preventive and recovery control measures and procedures, the Company aims to achieve operational stability and continuity, to prevent disruptions in business activities, and to reduce the risks that could lead to operational disruptions to an acceptable level.
    • The Company continuously conducts information security education and training to enhance employees’ information security awareness and strengthen their understanding of related responsibilities, ensuring the confidentiality and integrity of information while safeguarding the privacy of employees, business operations, and customer data.
    • The Company establishes an Information Security Business Continuity Plan and executes information security activities in compliance with relevant laws and regulations.

Implementation Status:

Information security is vital to the Company’s operations. The resources invested in information security management are as follows:

  1. The Company maintains a tight, layered information security defense. In 2023, the Company invested in its information security defenses, including the firewall and antivirus software, and built an integrated three-part network defense system combining EDR, NDR, and Flowmon to enhance cybersecurity protection and reduce the risk of loss from business disruptions.
  2. To strengthen its cybersecurity defense capabilities, the Company signs maintenance contracts with external professional anti-hacking vendors every year.
  3. The vendors regularly review threat intelligence, including intelligence from TWCERT, and conduct risk assessments based on its content. They collaborate with the information security personnel to update the EDR, NDR, firewall, and antivirus software to patch vulnerabilities, aiming to achieve the goal of zero cybersecurity risks.
  4. On February 29, 2024, the Company reported to the Audit Committee and the Board of Directors on the execution of the information security management system and the results of the information security inspection. After reviewing the implementation status of information security management across all departments, no incidents compromising information security were found during 2023.
  5. In 2024, the Company held internal education and training sessions on integrity-related regulations, trade secrets and intellectual property protection, human rights policy, workplace misconduct (prevention of workplace violence and sexual harassment), and information security, totaling 780 participants and 130 hours of online courses.
© Copyright - 東哥遊艇|Ocean Alexander