Ⅰ. Purpose
- To ensure the security of the company’s internal network equipment and network communications, effectively reducing risks such as theft, improper use, leakage, tampering, or destruction of information assets caused by human error, intentional acts, or natural disasters.
- To ensure the confidentiality, integrity, and availability of business information.
A. Confidentiality: To ensure that confidential information assets receive necessary protection against unauthorized disclosure.
B. Integrity: To ensure that information assets used are accurate and have not been tampered with.
C. Availability: To ensure that only authorized personnel can obtain required information assets.
Ⅱ. Scope
- This policy applies to all areas covered by the company’s Information Security Management System (ISMS).
- The company’s information security management is based on the ISO 27001:2022 standard and implements the necessary security control measures to avoid risks and harm to the company from improper use, leakage, tampering, or destruction of data caused by human error, intentional acts, or natural disasters.
Ⅲ. Information Security Policy Framework
- All information security management regulations of the company must comply with relevant government laws and regulations.
- Establish an information security management organization responsible for the establishment and promotion of the information security system.
- Conduct regular information and communication security education and training to promote information security policies and relevant implementation regulations.
- Establish management mechanisms for host and network usage to centrally allocate and utilize resources.
- Before installing new equipment, include security factors in the considerations to prevent potential hazards.
- Clearly define usage permissions for network systems to prevent unauthorized access.
- Formulate internal audit plans to regularly review how effectively the company’s information security management system is being implemented.
- Regularly report information security continual improvement items to management and track them on a regular basis.
Ⅳ. Information Security Declaration
- Establish a suitable information security system.
- Strengthen the physical network environment.
- Implement various control measures.
- Continuously optimize information security awareness.
Ⅴ. Evaluation and Review of Information Security Policy
This policy should be evaluated and reviewed at least once a year to reflect the latest developments in government policies, laws, current technologies, and company business, ensuring the appropriateness and effectiveness of the company’s information security management system.




