
Information Security Risk Management

Information Security Risk Management Framework

  1. The Company’s information security authority is the Information Technology Department, headed by a Chief Information Officer and staffed with professional IT personnel. The department is responsible for formulating internal information security policies, planning and implementing information security operations, promoting and enforcing information security practices, and reporting annually to senior management on the Company’s overall information security governance.
  2. The Company’s Audit Office serves as the supervisory unit for information security oversight. It is headed by an Audit Supervisor and supported by full-time audit personnel. The office is responsible for supervising the implementation of internal information security. If any deficiencies are identified during audits, the audited unit is required to promptly propose relevant improvement plans and specific actions. The Audit Office also conducts regular follow-ups on improvement progress to reduce internal information security risks.
  3. Organizational Operating Model — The Company adopts the PDCA (Plan–Do–Check–Act) cyclical management model to ensure the achievement of reliability objectives and continuous improvement in information security performance.

Information Security Policy and Specific Management Measures

To ensure the effective operation and implementation of the Company’s various information and communication management systems, strengthen information and communication security management, and safeguard the availability, integrity, and confidentiality of information assets, the Company strives to prevent intentional or accidental internal and external threats, ensure the secure and stable operation of information systems, equipment, and networks, and achieve the goal of sustainable business operations.

Description of Management Measures:

A. Computer Equipment Security Management

  1. The Company’s computer hosts and application servers are all installed in a dedicated server room, and access to the room is controlled through a proximity card access system.
  2. The server room is equipped with an independent air conditioning system to maintain an appropriate operating temperature for computer equipment, and chemical fire extinguishers suitable for general or electrical fires are provided.
  3. The main servers in the server room are equipped with uninterruptible power supplies (UPS) and voltage stabilizers to prevent system failures caused by sudden power interruptions from Taipower, and to ensure that computer applications continue to operate during temporary power outages.

B. Network Security Management

  1. Enterprise-level firewalls are deployed to prevent unauthorized intrusions, damage, or data theft, in order to avoid illegal use of the Company’s websites.
  2. Network traffic is monitored and malicious network activities are blocked to strengthen cybersecurity and prevent improper use of bandwidth resources.
  3. An information security incident monitoring, reporting, and response mechanism has been established to ensure that operations can be restored in the shortest possible time when incidents occur, thereby minimizing potential losses.

C. Virus Protection and Management

  1. Endpoint protection software is installed on both servers and employees’ computers, with automatic virus definition updates to block the latest types of viruses. It can also detect and prevent the installation of potentially harmful executable files.
  2. Vulnerability scanning is conducted on servers and employees’ computers to identify existing system vulnerabilities and promptly apply patches.
  3. Email servers are equipped with antivirus and spam filtering mechanisms to prevent viruses or spam emails from entering users’ information devices.

D. System Access Control

  1. Employees’ access to application systems is governed by the Company’s internal access authorization procedures. Upon approval by the responsible supervisor, the Information Department creates system accounts, and system administrators grant access rights according to the approved functions before access is allowed.
  2. When employees complete resignation or leave procedures, the Information Department must be notified to perform account deletion for all relevant systems.

E. Ensuring Sustainable System Operations

  1. System Backup: A backup management system is established with a daily backup mechanism. Two copies of backup media are maintained — one retained in the server room and the other stored off-site to ensure data redundancy and disaster resilience.
  2. Disaster Recovery Drills: Each system undergoes an annual recovery drill. After selecting a restoration baseline date, data are restored from backup media to the main system server. The user department then provides written verification of the accuracy of the restored data to ensure the correctness and effectiveness of the backup media.

F. Information Security Awareness and Training

  1. New Employee Training: All new employees are required to complete information and communication security awareness and protection training courses.
  2. Password Management: Employees are required to change their system passwords every quarter to maintain account security.
  3. Cybersecurity Collaboration: The Company is a member of the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC), through which it gains access to information security incident consultation channels and cybersecurity intelligence, supporting internal awareness and preventive actions.

The information security management measures implemented by the Company are as follows:

Type: Access Control Management
Description: Management measures for user accounts, access rights, and system operation activities.
Related Operations:
  • Account access control and review
  • Regular audits of user access rights

Type: Access Control
Description: Control measures for personnel access to internal and external systems, and data transmission channels.
Related Operations:
  • Internal and external access control measures

Type: External Threats
Description: Measures addressing internal vulnerabilities, infection channels, and protective actions.
Related Operations:
  • Regular vulnerability scanning for servers and equipment
  • Periodic system and software updates
  • Antivirus protection and malware detection

Type: System Availability
Description: Measures to maintain system availability and respond to service interruptions.
Related Operations:
  • System and network availability monitoring and reporting mechanism
  • Response procedures for service interruptions
  • Information backup measures and on-site/off-site backup mechanisms
  • Regular disaster recovery drills

Resources Invested in Information and Communication Security Management

To implement the six major information and communication security policies, the Company has allocated the following resources:

A. Network Hardware Equipment

  1. Next-Generation Firewall: Equipped with web activity analysis capabilities.
  2. Managed Network Switches.

B. Software Systems

  1. Endpoint Detection and Response (EDR) System for Servers.
  2. Endpoint Protection System for User Devices.
  3. Backup Management Software.
  4. Email Antivirus Software.
  5. Spam Filtering System.
  6. VPN Authentication Mechanism.
  7. Vulnerability Scanning Software.

C. Information and Communication Security Services

  1. CHT Cyber Security Fleet Service.
  2. Intrusion Prevention Service (IPS).
  3. Distributed Denial-of-Service (DDoS) Protection Service.
  4. Social Engineering Awareness and Simulation Training.

D. Human Resource Investment

  1. Daily inspection of system operating status.
  2. Weekly execution of regular backups and off-site storage of backup media.
  3. Annual or ad-hoc information security awareness and training programs.
  4. Annual disaster recovery drills for information systems.
  5. Annual internal and external (CPA) audits of information management processes.

2025 Implementation Results of Corporate Information Security Measures

  1. Appointment of Information Security Personnel: Two dedicated information security personnel were assigned.
  2. Authorized Expenditure and Equipment Investment: A total of NT$1.75 million was allocated for information security expenditures and equipment.
  3. Information Security and Personal Data Management Committee: One committee meeting was convened.
  4. Information Security Awareness Training: All new employees completed basic information security awareness training courses.
  5. New or Revised Information Management Procedures and Forms: A total of 11 procedures and forms were newly established or revised.
  6. Internal Information Security Audit: One internal audit was conducted.
  7. External Information Security Audit: One external audit was conducted.
  8. Information Protection Awareness Campaigns: Two internal awareness sessions were held to promote key information security rules and precautions.
  9. Annual Information Security Training: One annual information security training session was organized.
  10. Major Information Security Incidents, Impacts, and Countermeasures: In 2025, the Company did not experience any major information security incidents. Nevertheless, the Company remains committed to proactive prevention, continuously allocating adequate budgets to strengthen information technology security and reduce the risk of malicious software attacks.

Information Security Incident Reporting Procedure

The Company’s information security incident reporting procedure is as follows. All reporting and handling of information security incidents shall be conducted in accordance with this procedure.

  • Cosmo Electronics Corporation
  • Tel:02-82269893
  • 11F., No. 258, Liancheng Rd., Zhonghe Dist., New Taipei City 235 , Taiwan
  • Fax:02-82262800