
Information security management

Information Security Risk Management

To strengthen information security management and ensure the confidentiality, integrity and availability of information assets, Canghe has formulated the "Information Security Policy" and the "Information Security Management Operation Methods". These cover the division of labor within the information security management organization, personnel education and training, computer hardware and software, and the network and physical environment, in order to provide a continuous operating environment for warehouses and businesses and to comply with relevant laws and regulations. In 2024, with the introduction of the Taiwan Intellectual Property Management System (TIPS) and the revision of the "Information Security Management Operation Methods", the scope of application of the related security policies includes warehouses and all colleagues, contract personnel and cooperating manufacturers. Customer information, where there is no separate contract, is handled in accordance with the "Document and Information Management Procedure" and the "Trade Secret Management Regulations". Canghe attaches great importance to the management of information software, information permissions, information classification, etc. It maintains user equipment, computer room equipment and network equipment, and schedules information backups every day. In 2024 it conducted information system disaster recovery drills and 4 backup data recovery test verifications; the results were all normal. The company also implements personnel information security education and training, focusing on the management and protection of corporate governance systems, systems, and personnel, guarding the security of the company's internal information system environment, maintaining its safe operation, and preventing intentional intrusion by hackers, human negligence, or illegal use.
We combine various management measures, such as the risk management system and the internal audit process, to achieve comprehensive protection of information security. Through the effective implementation of comprehensive policies and systems, there was no leakage of customer privacy or other information in Canghe in 2024.

 

 

Responsibilities

  • Information Department: It is the responsible unit for information security. It has an information director and professional information personnel who are responsible for formulating, promoting and implementing information security policies.

  • Audit Office: It is the information security risk audit unit responsible for supervising and auditing the implementation of internal information security. If any deficiencies are found during the audit, the audited unit will be required to propose relevant improvement plans and specific actions, and regularly track the improvement results to reduce internal information security risks.

 

 

Management System

In order to ensure the effective implementation of the information management system, the information security policy includes the following three aspects:

  • System norms: Establish information security management norms and operating methods to regulate personnel information security behavior, regularly review relevant systems every year to see if they comply with laws and regulations and changes in the operating environment, and make timely adjustments based on needs.

  • System protection: In order to prevent various information security threats, in addition to adopting a multi-layer network architecture design, various information security protection systems are also built to enhance the security of the overall information environment.

  • Personnel training: Implement information security education and training courses for new employees, and conduct information security awareness campaigns for employees from time to time to enhance their knowledge and awareness of information security.

 

Types of management measures and their risk management operations

Computer equipment management

  • All application servers and other equipment are located in a dedicated computer room with access control and access records kept for inspection

  • The computer room is equipped with independent air conditioning to maintain the equipment running in an appropriate environment, and is equipped with fire extinguishing equipment and environmental monitoring system to monitor the safety of the computer room environment at any time

  • The computer room is equipped with uninterruptible power supply equipment to avoid damage to the equipment in the computer room due to external power abnormalities

Network security management

  • Build a firewall system to reduce the risk of external network damage

  • Internet behavior control to block access to inappropriate web pages and ensure the safety of people online

Virus protection and management

  • Enterprise-level anti-virus software is installed on both servers and client devices to centrally control virus code updates and set up an instant notification mechanism to ensure that abnormal reports are handled immediately

  • Build security control software on client devices to control the user's peripheral device applications and file usage records to prevent improper use of peripheral devices and data movement by the user

  • Build an email filtering and archiving system to prevent spam or emails containing harmful content from flowing into client computers and causing damage to the company's information environment

System access control

  • Employees must submit information permission applications in accordance with the information security policy when using information services. After approval, the information department will set permissions before they can use the information services.

  • When employees resign or have their positions adjusted, they must consult with the information department to ensure that the employee's information service rights are properly handled

System continuous operation

  • Build a backup management system and set up an off-site backup mechanism to ensure that the company's important systems and data can be fully preserved and backed up

  • Implement disaster recovery drills and perform backup data restoration drills to ensure the validity of backup data and the feasibility of actual disaster recovery operations

Information security education and advocacy

  • Regularly conduct information security education and training courses for new employees to help them understand the company's information security regulations and policies and reduce the risk of employees violating information security regulations

  • Promote information security awareness from time to time to strengthen employees' awareness of information security protection

 

 

 

 

Information Security Incident Reporting Procedure
