【Information Security Risk Management Framework】
The company's information security-related policies, plans, measures, and technical specifications, as well as research,
implementation, and evaluation of security technologies, are handled by the IT Department. The security requirements,
usage management, and protection of data and information systems are managed by the business units. The auditing
of information security usage management is the responsibility of the Audit Office.
Users must follow the requirements of the responsible unit regarding the use of information assets and bear the
responsibility for correct operation and usage.
The IT Department reports on information operations and execution results in the monthly management meeting.
The Audit Office conducts an internal audit annually. If deficiencies are found, corrective measures will be required and
the improvements will be tracked.
An annual audit of information operations is conducted by an external auditor. If deficiencies are found, corrective
measures will be required and tracked.
【Information Security Policy】
(1) Purpose
To maintain the company's overall information security environment, strengthen the security management of various
information assets, and establish a convenient and secure electronic work environment.
This ensures the security of data, systems, equipment, and networks, the proper placement of information
equipment, and the feasibility and effectiveness of information security practices.
(2) Scope
The company's information security management scope includes all information assets
(including software and hardware), as well as formal employees, temporary employees, hired personnel, external
vendors, and other authorized users of the company's information assets.
(3) Definition and Objectives
Considering the importance and value of various information assets, as well as the risks posed by
human error, intentional attacks, or natural disasters, measures are implemented to prevent unauthorized use,
data leakage, malicious tampering, and damage, which could impact business operations.
Security measures proportional to the value of information assets and cost-effective management, operations,
and technology will be adopted.
To guard against unauthorized access to, or intentional destruction of, information systems by internal or external
personnel, and to respond quickly to security incidents so that financial losses and operational disruptions are
kept to a minimum.
【Specific Information Security Management Measures】
(1) Host System Security:
1. To ensure the security of the host operating platform and database and to standardize operating procedures,
periodic inspections of the host should be conducted, or outsourced maintenance should be arranged.
Critical hosts must have backup or redundancy mechanisms.
2. Regularly check computers for unauthorized programs, and do not open files of unknown origin or unnecessary
attachments such as .zip, .exe, .scr, and .vbs files, to prevent Trojan horse infections.
3. Regularly update system security patches, antivirus software, and virus definitions. Do not disable system
auto-update; it keeps systems patched and operating normally.
4. When not in use, personal computers must be protected by passwords, locked, or logged out.
5. The use of peer-to-peer (P2P) applications, tunneling tools, or software that may harm network performance,
devices, or bandwidth, as well as personal FTP hosting, is prohibited.
(2) Network Security and Virus Prevention:
1. To ensure secure network services and usage, training for new employees must be conducted, and network
security awareness campaigns must be held periodically.
2. All company computers must have officially licensed antivirus software installed for regular scanning and
protection against malicious software.
(3) Security Management of Daily Operations:
1. Data Backup:
(1) Regular backups of critical data must be conducted to prevent accidental loss or media failure.
(2) Backup data must be stored both on-site and at an off-site location as a contingency for disasters.
(3) Periodic testing of backup data should be performed to ensure usability.
2. Password Policy:
(1) Computer accounts must be password-protected and reviewed periodically. It is recommended that passwords be
changed every three months.
(2) Passwords should be at least eight characters long and include letters and numbers.
3. Environmental Security Control:
(1) To ensure the security of related facilities, unauthorized personnel are not allowed to enter server rooms or use
related IT equipment.
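The backup requirements in item 1 above (regular backups, off-site copies, periodic testing for usability) say what to do but not how a restore test detects a bad copy. The following is an added example, not code from the company's own procedures: it writes a SHA-256 manifest alongside a backup and later verifies a restored copy against that manifest, reporting files that are missing or whose contents no longer match. The directory names, file contents and the "degraded restore" are all constructed for the demonstration.

```python
"""Backup manifest and restore verification (added example, not the company's code)."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record the hash and size of every file in the backup set; written at backup time."""
    manifest: Dict[str, Dict[str, object]] = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(backup_dir).as_posix()  # stable key across platforms
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    out = backup_dir / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def verify_restore(restore_dir: Path, manifest_path: Path) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest taken at backup time.

    Returns the relative paths that are absent ("missing") or whose hash differs
    ("corrupt"). An empty result on both keys means the backup is usable.
    """
    manifest = json.loads(manifest_path.read_text())
    problems: Dict[str, List[str]] = {"missing": [], "corrupt": []}
    for rel, expected in sorted(manifest.items()):
        candidate = restore_dir / rel
        if not candidate.is_file():
            problems["missing"].append(rel)
        elif sha256_file(candidate) != expected["sha256"]:
            problems["corrupt"].append(rel)
    return problems


def demo():
    """Constructed scenario: a good backup, then a restore from degraded media."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        restore = Path(tmp) / "restore"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n")
        (backup / "config.yaml").write_bytes(b"listen: 443\n")
        manifest = write_manifest(backup)

        # Verifying the backup set against itself must be clean.
        clean = verify_restore(backup, manifest)

        # Simulated bad restore: one file truncated, one file never restored.
        (restore / "db").mkdir(parents=True)
        (restore / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'wid")
        degraded = verify_restore(restore, manifest)
        return clean, degraded


if __name__ == "__main__":
    good, bad = demo()
    print("backup verified against itself:", good)
    print("degraded restore:", bad)
```

Keeping the manifest with the off-site copy as well as on-site means a restore at the contingency site can be checked the same way; a restore test that only confirms files exist, without comparing hashes, would have passed the truncated file above.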
(4) Network Security Planning and Management:
1. Network Security Planning:
(1) A security control mechanism for the computer network system should be established to ensure the security of
network data transmission, protect online operations, and prevent unauthorized system access.
(2) Special attention should be given to network security management for computer network systems across
organizations or regions.
2. Firewall Security Management:
(1) Interfaces connecting to external networks should be equipped with firewalls to control data transmission and
resource access.
(2) Firewalls should be managed by network administrators, and remote logins to the firewall should be prohibited
to prevent credentials or data from being stolen during login.
3. Server Information Security Management:
(1) Firewalls should be configured to control data transmission and resource access between the external network
and the internal network, and unused communication ports should be closed to reduce exposure to malware
and attacks.
(2) Servers that accept external connections must not expose internal information systems or databases to
external access.
(3) Server administration should be performed over encrypted channels (VPN) and with other security controls
as needed.
(4) Systems and websites developed by each unit (including outsourced development) should undergo
vulnerability scanning, with findings remediated, before going online; websites in operation should also undergo
system and website vulnerability scans periodically.
(5) Important system configuration files, web data, server files, databases, and sensitive files should have defined
backup cycles, and backups should be performed according to the scheduled cycle or manually.
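Item 3(1) above requires that unused communication ports be closed; the practical check is to compare what a host is actually listening on against the ports that are meant to be open. The following is an added example, not code from the company's tooling: it parses the output of `ss -ltn` (the sample text is constructed, not captured from any real host) and reports listeners whose port is not on an allowlist, separating sockets bound to all interfaces (reachable from the network) from loopback-only ones. The allowlist for a hypothetical internet-facing web server is an assumption for the demonstration.

```python
"""Audit listening TCP sockets against an allowlist (added example, not the company's code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `ss -ltn` output; not captured from a real system.
SAMPLE_SS_OUTPUT = """State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       511            0.0.0.0:443          0.0.0.0:*
LISTEN  0       128          127.0.0.1:3306         0.0.0.0:*
LISTEN  0       50             0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128            0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128               [::]:22              [::]:*
"""

# Hypothetical allowlist for an internet-facing web server: port -> purpose.
ALLOWED_PORTS: Dict[int, str] = {22: "ssh (admin access)", 443: "https"}

# Splits "addr:port"; the greedy address group keeps IPv6 forms such as "[::]".
LOCAL_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")

WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (local address, port) for every LISTEN line; skips the header."""
    listeners: List[Tuple[str, int]] = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        match = LOCAL_RE.match(fields[3])
        if match:
            listeners.append((match.group("addr"), int(match.group("port"))))
    return listeners


def audit(ss_output: str, allowed: Dict[int, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Return listeners not on the allowlist, split by exposure.

    "exposed": bound to a wildcard address, so reachable from the network.
    "local_only": bound to a specific (here loopback) address; not reachable
    externally, but still a port the policy expects to be closed if unused.
    """
    result: Dict[str, List[Tuple[int, str]]] = {"exposed": [], "local_only": []}
    for addr, port in parse_listeners(ss_output):
        if port in allowed:
            continue
        bucket = "exposed" if addr in WILDCARD_ADDRS else "local_only"
        result[bucket].append((port, addr))
    for bucket in result.values():
        bucket.sort()
    return result


if __name__ == "__main__":
    findings = audit(SAMPLE_SS_OUTPUT, ALLOWED_PORTS)
    for port, addr in findings["exposed"]:
        print(f"EXPOSED    port {port} listening on {addr} is not in the allowlist")
    for port, addr in findings["local_only"]:
        print(f"LOCAL ONLY port {port} listening on {addr} is not in the allowlist")
```

On a real host the sample text would be replaced by the live output of `ss -ltn` (or the equivalent on the platform in use), and the allowlist would be the documented service list for that server class; an "exposed" finding is then either a port to close on the host or a firewall rule to add, and the list of approved ports is what the firewall configuration in item 3(1) should mirror.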
(5) Personnel Safety Education and Training:
1. New employees are required to undergo information security education and training to understand the
importance of information security, the various potential security risks, and to comply with the company's relevant
information security regulations.
2. Conduct information security education and awareness sessions for employees at least twice a year (with a total
duration of over three hours) to enhance awareness of the importance of information security and to prevent
potential information security incidents.
【Resources Invested in Cybersecurity Management】
Information security is a critical issue for the company's operations, and the corresponding security management
measures and resources are as follows:
(1) Dedicated Personnel: A "Cybersecurity Team" of 10 professionals is responsible for information security planning,
technical implementation, and auditing.
(2) Certification: ISO 27001 information security certification has been obtained with no major security
audit deficiencies.
(3) Customer Satisfaction: No major security incidents or complaints related to customer data loss.
(4) Training: All new employees complete information security training before onboarding. Employees undergo at least
two online security
(5) Information Security Announcements: More than five information security announcements are issued to
communicate important regulations and precautions regarding information security protection.
(6) Supply Chain: Ensure that all newly onboarded contractors complete the information security training required by
Feedback Company.