Information Security Policy
The purpose of this policy is to ensure the robust operation of the Company's information and communication systems, services, and network environments; to mitigate risks such as human error, intentional sabotage, and natural disasters; and to prevent unauthorized access, disclosure, alteration, or destruction, thereby achieving the objectives of "Confidentiality," "Integrity," and "Availability" for information assets.
Core Principles:
- Compliance and Risk Management: Identify external laws and regulations, evaluate internal and external issues as well as stakeholders' expectations, and formulate countermeasures through regular assessments.
- Roles, Responsibilities, and Culture: Establish an Information Security Committee, implement segregation of duties, and cultivate a corporate culture where "information security is everyone's responsibility."
- Full Lifecycle Protection: Implement asset inventory and classification management, and strengthen the security maintenance of hardware, environments, and data throughout their entire lifecycle.
- Dynamic Access Control: Establish rigorous rules for network transmission and identity authentication to ensure that access to sensitive information strictly complies with the "Principle of Least Privilege."
- Supply Chain Security: Outsourced vendors shall comply with the Company's information security policies and be subject to security supervision and regular audits.
- Incident Response and Continuous Improvement: Establish emergency response plans and conduct regular drills. Ensure the resilience and effectiveness of the management system through audits and policy evaluations.