I. Purpose:
To safeguard the confidentiality, integrity, and availability of SynPower Co., Ltd.’s (hereinafter “the Company”) information assets, prevent internal and external threats, and ensure the stability of business operations, this policy is established in accordance with the "Guidelines on Information Security Control for TWSE/TPEx Listed Companies".
II. Scope:
The policy applies to all employees, contractors, partners, and any third party accessing the Company’s information assets. It covers all information systems, networks, data, and related assets owned or managed by the Company.
III. Objectives:
1. Protect Information Assets: Ensure the confidentiality, integrity, and availability of information, and prevent unauthorized access, modification, or loss of availability.
2. Regulatory Compliance: Comply with applicable laws and standards; continuously update policies to ensure legal compliance and risk mitigation.
3. Raise Security Awareness: Conduct regular training to strengthen employee awareness and ensure proper execution of responsibilities.
4. Business Continuity: Implement security controls and contingency plans to ensure continuous operation during incidents.
5. Customer Satisfaction: Meet information security expectations and provide reliable services to enhance customer trust.
IV. Information Security Management Framework:
The Company has established an Information Security Management Force, chaired by the Chief Information Security Officer (CISO), responsible for promoting, coordinating, and overseeing information security across all departments. The Force reports to the Board of Directors at least once per year.
1. Information Security Organization
(Organization chart image)
2. Roles and Responsibilities of the Information Security Organization
Title | Responsibilities |
--- | --- |
Convener | Held by the Company’s Chief Information Security Officer (CISO), responsible for coordinating departments in the formulation and implementation of information security policies and objectives, and for overseeing related management tasks. The convener presides over meetings, promotes and communicates cybersecurity topics, and reports the implementation status to senior management or the Board of Directors. |
Dedicated Information Security Officer | Appointed by the Chairperson, this person is responsible for overseeing internal information security management. The officer monitors and reports on the Company’s cybersecurity status, responds to external security control requirements, and handles related incidents. |
Information Security Audit Unit | Appointed by the Audit Office, this unit is responsible for auditing the Information Security Committee and conducting internal and external information security audits to ensure compliance with relevant standards. |
Information Security Implementation Units | Led by department heads of relevant units, these units are responsible for supporting and executing the Company's internal information security tasks in accordance with the directives of the Information Security Committee, ensuring alignment with security goals and decisions. |
Information Security Document Control Unit | Managed by the document control department, this unit oversees the storage and version control of information security-related documents and ensures that the latest versions are provided to relevant departments. |
Information Security Management Unit | Managed by the department in charge of information security, responsible for the daily operation, documentation, response, and maintenance of information security, ensuring continuity of security management efforts. |
V. Specific Management and Protection Measures
1. Information System Security and Management
1.1 Establish access control mechanisms to protect systems and networks, prevent unauthorized access, assign personnel to manage information assets, perform regular vulnerability scans and patch identified issues, and conduct periodic penetration testing.
1.2 Assign user accounts and permissions based on job responsibilities; implement password complexity requirements, regular password updates, account deactivation, and file encryption.
2. Malware and Computer Security: Prohibit unauthorized software; install and regularly update antivirus software to ensure system stability and prevent threats.
3. Network and Email Security: Monitor network devices daily; restrict network access to authorized users; implement firewalls, email account management, spam filtering, and encrypted connections to reduce risk.
4. Data Backup and Disaster Recovery: Establish backup and offsite recovery plans; conduct periodic drills to ensure swift response in emergencies and protect data.
5. Server Room Security and Environmental Maintenance: Enforce strict access control; limit entry to authorized personnel only; record all system administration activities.
6. Security Policy Awareness and Training:
6.1 Regularly promote information security policies and conduct annual social engineering drills to enhance employee awareness.
6.2 Information security personnel and supervisors shall undergo professional or competency-based training annually.
VI. Information Security Intelligence Sharing
1. Participate in cybersecurity intelligence sharing platforms and engage in regular exchanges with industry peers to obtain the latest threat intelligence and strengthen defenses.
2. Continuously monitor emerging cybersecurity threats and technologies, and update defensive and management measures accordingly to reduce operational risks.
VII. Conduct regular information security audits; identify abnormal findings, develop remediation plans, and follow up on improvement progress.
VIII. System Inventory and Risk Assessment
1. Regularly inventory information systems and compile a register of critical information assets to assess their value.
2. Conduct regular security risk assessments; analyze the impact of potential confidentiality, integrity, and availability breaches; and implement corresponding technical and management controls.
IX. Information Security Incident Response and Reporting
1. When an information security incident is discovered or suspected, the person who discovers it shall promptly report it to the responsible information security management unit, according to the circumstances of the incident, and inform their direct supervisor.
2. For information security incident recording, classification, reporting, and response handling, the responsible unit shall record the relevant information and proceed with incident assessment and subsequent response handling in accordance with the "Information Security Incident Response and Reporting Procedures."
3. If an incident meets the threshold for major information security incident notification, a public announcement will be made in accordance with the relevant regulations.
4. After an incident occurs, subsequent incident tracking, investigation, and review and improvement meetings will be conducted in accordance with the "Information Security Incident Response and Reporting Procedures."
X. The policy shall be implemented upon approval by the Board of Directors. Any amendments shall follow the same approval process.
2024 Information Security Resource Investment
To comprehensively enhance the Company's early warning and response capabilities for major cybersecurity incidents, and to strengthen the overall resilience of its information and communication infrastructure, the Company has officially joined the cybersecurity alliance (CERT/CSIRT Alliance) promoted by TWCERT/CC (Taiwan Computer Emergency Response Team/Coordination Center). Through this membership, the Company continues to receive the latest domestic and international threat intelligence and response resources, and actively participates in collaborative defense efforts to reinforce its cybersecurity defense capabilities.
In 2024, the Company invested a total of NT$1.52 million in various cybersecurity protection resources. The scope of investment includes the following areas:
Item | Target or Description of Information Security Protection |
--- | --- |
Cybersecurity Protection Software | Implemented MDR (Managed Detection and Response) services to enable abnormal behavior analysis and real-time incident response. |
Antivirus Software | Deployed enterprise-grade antivirus solutions to block malware, viruses, and ransomware threats. |
Firewall and UTM Systems | Installed firewalls and UTM (Unified Threat Management) systems at headquarters and subsidiaries to enhance perimeter defense and filter abnormal traffic. |
Email Management System | Implemented email auditing and filtering mechanisms to reduce the risk of phishing and social engineering attacks. |
Backup System | Established off-site and cloud-based backup infrastructure to improve data backup integrity and enhance post-disaster business continuity. |
The Company will continue to monitor cybersecurity trends, regularly review existing protection mechanisms, and progressively optimize its information security management practices to ensure the stable operation of critical systems and the security of data. These efforts aim to reduce potential operational risks and uphold the trust of customers and business partners.