1. Purpose
The purpose is to ensure confidentiality, integrity and availability of the information assets owned by the Company and meet the requirements of relevant laws and regulations, so as to avoid any internal or external deliberate or accidental threat and protect the Company’s rights and interests.

2. Applicable scope
The information security management consists of 14 security items: it is to avoid any possible risks or hazards to the Company resulting from the factors such as human-made negligence or deliberate or natural disasters and leading to situations such as improper use, leakage, alteration, and destruction of data. The management items are as follows:
2.1 Formulation and assessment of the information security policy
2.2 Organization’s information security responsibilities and division of labor
2.3 Human resources security and educational training
2.4 Management of information assets
2.5 Access control and password management
2.6 Password management
2.7 Physical and environmental security
2.8 Operational security management
2.9 Cyber network security management
2.10 Information system acquisition, development and maintenance
2.11 Supplier security management
2.12 Information security incident management
2.13 Business continuity management
2.14 Compliance (legality)

3. References
3.1 ISO/IEC 27001: 2013 (Information technology-Security techniques-Information security management systems-Requirements)
3.2 ISO/IEC 27002: 2013 (Information technology-Security techniques-Code of practice for information security management)
3.3 Reference principle for information outsourcing service operation adopted by respective agencies under the Executive Yuan
3.4 Cyber Security Management Act

4. Information security policy
To truly fulfill the Company’s information security management systems, it hereby declares that "everyone is responsible for, and the entire personnel are mobilized for, information protection and cyber security", so as to ensure effective and safe operation, supervision and management, and business continuity, and maintain the confidentiality, integrity and availability of the Company’s important information systems. The information security policy is hereby promulgated to provide the personnel with specific guidelines for their daily work and protect the Company’s rights and interests. Moreover, it’s anticipated that the entire body of colleagues could understand, implement and maintain the policy in order to achieve the Company’s operating goal. The information security policy is as follows:
4.1 To strengthen information security training and enhance information security awareness.
To supervise employees to implement information security tasks, establish the concept of “everyone is responsible for information security”, continue pertinent information security training every year, so as to raise information security consciousness. In case of any violation of regulations related to information security, the violating employees shall be subject to the relevant personnel award and punishment regulations.
4.2 To implement information security and ensure business continuity
All employees of the Company shall truly implement the information security management system to protect information assets from the risks (e.g., leakage, destruction, or loss) resulting from external threat or internal personnel’s improper management, take pertinent protection measures to reduce the risks to an acceptable level, and continue to monitor, review and audit the items of the ISMS system, so as to ensure business continuity and achieve the goal of sustainable operation.

5. Content of the information security policy
5.1 The Company’s information security management regulations shall be formulated pursuant to the provisions of relevant government regulations (e.g. Criminal Code of the Republic of China, Classified National Security Information Protection Act, Patent Act, Trademark Act, Copyright Act, Personal Data Protection Act, and Cyber Security Management Act).
5.2 To set up an information security management organization in charge of establishment and promotion of the information security system.
5.3 To regularly conduct information security educational training, and promote the information security policy and relevant enforcement regulations.
5.4 To establish a management mechanism for the mainframe and network use, so as to organize distribution and make use of resources.
5.5 To take into account the factors of risk and security prior to installation of new equipment, so as to prevent any damage to the system security.
5.6 To establish important information equipment and environmental safety protection measures.
5.7 To expressly define the network system’s access rights, so as to prevent any unauthorized access.
5.8 To formulate the internal audit plan of the information security management system, regularly review all the personnel the use of the equipment within the scope of the Company’s promotion of the information security management system and draw up and execute the remedy and prevention measures based on the audit report.
5.9 To formulate business continuity management regulations and carry out practical trainings, so as to ensure the continuous operation of the Company’s business.
5.10 All of the Company’s personnel shall be responsible for maintaining information security and shall abide by relevant information security management regulations.
5.11 There shall be express management regulations for documented information of the information security management system.

6. Responsibilities
6.1 The Company’s management shall establish and review the policy.
6.2 The information security administrator shall implement the policy through pertinent standards and procedures.
6.3 All the personnel and external contracted suppliers shall abide by various procedures required by the Company’s information security management system (ISMS), so as to maintain the specifications of the policy.
6.4 All the personnel have the responsibility to report security incidents and any identified deficiencies.
6.5 In case of any deliberate violation of the Company’s information security regulations and statutory laws and regulations, the violating personnel or external contracted suppliers shall be subject to relevant punishment or criminal liability.

7.Review
7.1 The policy shall be evaluated at least once a year to respond to the latest development of government laws and regulations, technologies and businesses, and ensure the policy’s capacity to maintain operation and provide pertinent services.
7.2 In case of any material changes, the policy shall be promptly reviewed, so as to ensure its appropriateness and effectiveness. If necessary, relevant units and cooperative suppliers shall be informed to enable joint compliance.

8.Implementation
After approval by the chief information security officer (or information security management representative), the policy will be enforced as of the date of its promulgation, and the Company’s employees and suppliers related to connection operation will be notified in writing, by email or in other appropriate manners. The same shall apply in case of any revision.

This document was last updated on Aug. 16, 2021

Popworld Inc.