Information Security Governance

Sustainable Corporate Operation

Information Security Governance Vision and Commitment

In the midst of the digital wave, we recognize that information security is the cornerstone of sustainable business operations and our firmest commitment to all stakeholders. Our company not only adheres to regulatory requirements but also strives to protect the valuable information assets of our customers, employees, and partners with industry-leading standards. We view information security as an integral part of our organizational culture, ensuring business stability and innovation through continuous investment and improvement.

Information Security Management Framework and Policy

To strengthen the protection of our company's information assets (including data, software, and hardware) and ensure business continuity, Powertech Technology Inc. (hereinafter referred to as "the Company"), have established this Information Security Policy. This policy aims to protect company information from risks such as alteration, disclosure, destruction, or loss caused by external threats or improper internal management, thereby ensuring the confidentiality, integrity, and availability of our critical information assets.

The Company will approach information security from a corporate governance perspective, regularly conducting risk assessments in accordance with relevant laws and operational objectives. The board of directors and senior management will periodically review information security issues and current status to guide the formulation of security strategies and goals.

To achieve these objectives, the Company will follow the guidelines of ISO/IEC 27001:2022 to develop, maintain, and continuously improve its information security management system, which includes but is not limited to:

Implementing Management Mechanisms
Regularly conducting security incident drills and strengthening the security management responsibilities of internal personnel.
Enhancing All-Staff Security Awareness
Periodically holding employee security training and awareness campaigns to enhance security awareness across all staff.

Ensuring Legal Compliance
Ensuring that all information security measures comply with relevant laws and regulations.
Strengthening Document Management
Ensuring all information security activities are appropriately documented and recorded to guarantee effective operation.

This policy applies to all of the Company's information systems, business operations, and employees. By implementing robust security management, we aim to enhance customer trust, strengthen our competitive advantage, and ensure the sustainable operation of our critical business functions.

Information Security Committee Structure

To effectively implement information security, our company utilizes a three-line-of-defense security architecture. Under the Risk Management Committee, we have established an Information Security Committee. This committee is responsible for promoting, coordinating, and overseeing the company's overall information security management and operations. Subsequently, personnel from various departments and the IT team are tasked with executing day-to-day IT system operations, information management, and equipment maintenance.

Organizational Structure and Responsibilities

In February 2016, PTI established an Information Security Committee to promote and oversee the establishment and maintenance of its information security management system. In addition to obtaining ISO 27001 certification, the committee regularly reports on its progress to the Risk Management Committee. The Risk Management Committee then submits these reports to the board of directors, thereby raising the standard of information security throughout the company.

Information Security Committee Structure

Meeting Operations

The Information Security Committee holds meetings once a year. Ad-hoc meetings may be convened as needed. The agenda includes an analysis of security trends, security incident reports, progress updates on security protection measures, cross-departmental coordination, and other relevant discussions.

Security Protection Measures and Management Practices

We leverage the NIST Cybersecurity Framework (NIST-CSF) to assess our overall cybersecurity maturity, plan our security development roadmap, prioritize initiatives, allocate resources, and implement a continuous improvement plan.

PTI implements stringent information security protection measures across four key dimensions: securing sensitive information, strengthening network security, protecting endpoints, and enhancing personnel awareness. These measures collectively ensure the stability of our entire information environment.We formulate and publicly disclose our information security policy to ensure all employees are aware of it. By integrating security into the daily habits of every individual, we continuously invest in building and maturing our information security capabilities.

Information Security Management Achievements

Our company is dedicated to comprehensive security protection through multi-layered technical and management measures, ensuring the safety of both user devices and corporate data. In addition to installing antivirus software, Endpoint Detection and Response (EDR) systems, and regularly updating operating systems and applications to defend against malware and data breaches, we have also implemented the following measures:

Vulnerability Scanning and Penetration Testing
We regularly conduct these two tests to proactively identify potential system vulnerabilities and have successfully addressed all identified security risks.
Managed Detection and Response (MDR) and Extended Detection and Response (XDR)
In addition to EDR, we use MDR and XDR services. By leveraging the assistance of external professional teams and more extensive data correlation analysis, we have enhanced our ability to detect and respond to complex threats.
Network Segmentation
The company has implemented network segmentation measures to physically or logically separate network segments for different businesses and systems. This measure helps restrict unauthorized access and effectively prevents the spread of malware within the internal network, thereby reducing overall risk.
Storage Device Management
We have established strict management protocols for storage devices, including data encryption, regular backups, and access control. All storage devices, whether servers, workstations, or mobile devices, must comply with these protocols to ensure data confidentiality, integrity, and availability.
Network Behavior Management
The company utilizes various technologies to monitor and manage network behavior, including Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and firewalls. These tools can identify and block malicious traffic and improper behavior in real time, ensuring a secure and stable network environment.

Business Continuity Plan (BCP)
To ensure that core business operations can be maintained in the event of a major security incident, the company has established a comprehensive Business Continuity Plan (BCP). We consider this plan a core component of our security management and continuously strengthen it in the following ways:

Annual Security Drill
We hold a comprehensive annual security drill to simulate various cyberattack scenarios. This tests the response capabilities and collaborative efficiency of all departments, ensuring rapid recovery in emergencies.
Regular BCP Drills
In addition to the annual drill, we conduct routine BCP drills to continuously optimize our response processes and ensure all employees are familiar with emergency procedures, aiming for a swift recovery of business operations.
Cyber Insurance
To further mitigate risk, we have secured cyber insurance, which provides financial protection in the event of a major security incident.

Vulnerability Scanning and Penetration Testing

Regular scanning and testing to identify and patch vulnerabilities.

Managed Detection and Response

External experts provide 24/7 threat monitoring and incident response.

Network Segmentation

Isolating network segments to limit unauthorized access.

Storage Management

Ensuring the confidentiality, integrity, and availability of data.

Network Behavior Management

Monitoring and managing network traffic to ensure security.

Business Continuity Plan

Ensuring the continuous operation of core business functions during a cybersecurity incident.

Incident Response

PTI has established a comprehensive cybersecurity incident response process, and ensures all employees are aware of how to respond to and handle such incidents through the following measures:

Response Manual
Provide all employees with an easy-to-understand response manual, detailing descriptions of various cybersecurity incidents, reporting procedures, and handling steps for swift and orderly response.
Reporting System
PTI implements a rigorous cybersecurity reporting system to effectively manage cybersecurity incidents and strengthen review processes. This ensures that customer data and company confidential information are tightly protected.

Contact Channels
PTI establishes 24/7 emergency contact channels, including contact information for the cybersecurity incident response team, to ensure timely reporting at any time.

Scenario and Drills
PTI conducts regular annual cybersecurity incident simulations, mimicking various potential scenarios such as cyber-attacks and data breaches. These drills ensure that employees are familiar with response procedures and can quickly recover.

In the past four years, we have maintained a record of zero incidents related to data breaches, cybersecurity or network security violations, and security incidents involving customer data.

Data breach incident
0
0
0
0

Information security or cybersecurity breach
0
0
0
0

Information security incidents involving customer data
0
0
0
0