Corporate Governance

1. Information and Communication Security Policy

1-1. Information assets shall be properly protected against unauthorised access so that their confidentiality is not compromised.
1-2. Information assets shall be kept in the correct environment and with the correct transmission tools to safeguard their integrity.
1-3. The availability of information asset processing equipment shall be ensured in order to ensure the sustainability of the Company's critical business operations.
1-4. Achieve the following three objectives through the management cycle mechanism of Plan-Do-Check-Act (PDCA):
  • Information assets shall be appropriately protected to prevent unauthorized access and ensure the confidentiality is not compromised.
  • The preservation environment and transmission tools of information assets shall be accurate to ensure their integrity.
  • The availability of information asset processing equipment shall be ensured to support the continued and stable operation of critical business functions.
Planning Phase — To promote compliance with ISO 27001 certification requirements, implement information security control mechanisms into relevant systems and procedures, and integrate them into operations across core systems, support systems, and infrastructure systems.
Execution Phase — Leverage the group’s bargaining power to introduce cybersecurity control systems (MDR, endpoint management, antivirus). Internally establish relevant operational regulations and SOPs, and conduct cybersecurity drills and protection procedures.
Checking Phase — Monitor the effectiveness of information security management, introduce external audit resources to perform vulnerability scans and penetration testing to verify the effectiveness of security mechanisms.
Action Phase — Continuously review and optimize information security mechanisms to reduce gaps between objectives and actual outcomes. Establish disciplinary standards for personnel who violate information security policies.


2. Specific management solutions
2-1. Access control should be implemented in important computer rooms, and regular inspections should be conducted to ensure that the equipment is functioning properly and has not been tampered with.
2-2. Logging in to the company's personal computers and systems requires an account/password, and passwords must be changed every three months. Users must operate application systems within the authorized scope of their accounts. Important account permissions are audited annually to minimize the risk of data leaks. Accounts whose password has not been changed are locked, and users must reapply for permissions through the 'Information Permission Addition/Change Request Form'.
2-3. Network firewalls and anti-virus software should be installed, and virus codes should be updated regularly to ensure the security of information assets and transmission.
2-4. Important information should be categorized and backed up regularly, and backup and recovery tests of computer system data should be conducted regularly every year to ensure that the impact on the company's operation can be minimized after an information security incident occurs.
2-5. Information equipment should be inspected annually. When information equipment is replaced, the storage media should first be formatted to erase its data, and the media to be destroyed should then be physically destroyed with a hammer or drilling device so that neither the media nor the data can be reused.
2-6. Introduce an information security protection system, install control software on hosts and endpoints, and implement real-time early-warning monitoring.
2-7. The Company shall regularly review areas for further enhancement of information security management on an annual basis. In addition to improving equipment or management mechanisms, the Company should conduct further user education and training, if necessary, to reduce the likelihood of information security incidents.
2-8. We conduct quarterly social engineering drills to ensure that internal personnel are well prepared to respond appropriately to external malicious phishing email attacks and have an established reporting mechanism. Necessary educational training is also provided to employees who are unfamiliar with such attacks.
2-9. Join the cybersecurity alliance (TWCERT/CC) and regularly receive cybersecurity information.


3. Input resources for information and communication security management
3-1. Case Studies on Information Security and Information Security Awareness Promotion: 4 times in 2022 and 4 times in 2023.
3-2. Regular monthly cybersecurity meetings are held to develop action plans according to the cybersecurity prevention program. There were 12 meetings in 2022, and 10 meetings are scheduled for 2023.
3-3. Software Inventory: Establish a management system for software installations. Perform an inventory at least once a year to ensure the legal use of licensed software and to guard against malicious software.
3-4. Endpoint Protection: Check virus definition updates every 2 hours. Install endpoint monitoring agents to enhance system reliability.
3-5. Establish a firewall for protection against Distributed Denial of Service (DDoS) attacks and implement a control mechanism on the mail server to block large volumes of spam and viruses.
3-6. We have formulated a plan to introduce Managed Detection and Response (MDR) services, which is expected to be gradually implemented in 2024, with full deployment upon completion.
3-7. Common Vulnerabilities and Exposures (CVE) patching for servers: Regularly check for security update information, and perform a weekly check of Microsoft operating system updates.
3-8. Disaster Recovery: Establish dedicated backup servers and related software, and formulate data backup policies for core systems. The system has a cold standby mechanism.
3-9. Disaster Recovery (DR) Drills: Conduct DR drills for core systems twice a year.


4. Organizational structure for information security
The Company has established a dedicated information security unit with two members to hold quarterly ad hoc meetings to decide on matters related to the information security system and to establish the security responsibilities of the information security management structure. The unit also reports to the Board of Directors on the implementation of information security management on an annual basis.


5. Operations
5-1. Date reported to the Board of Directors in 2024: July 30, 2024
Category: Management Staffing
1. Tait has set up an information security management team and appointed 2 information security personnel to be responsible for the execution of relevant operations, including system planning and establishment, personal computer and company network permission management, firewall/anti-virus software management, data backup/redundancy planning and recovery drills, and other related operations.
2. In 2024, information security personnel received training on the Personal Information (Security Maintenance) Law, social engineering, and information security management and control guidelines, totaling 29.5 participant-hours of courses. In 2023, 25 participant-hours of courses were completed.

Category: Information security and control measures
1. The network firewall model was updated in 2023. In 2024, security patches will be applied three times and real-time notifications of disconnection events will be added to improve network resilience.
2. The email server is configured with a filtering mechanism to prevent the spread of spam. Migration to the cloud is planned for 2024.
3. System network operations are connected via an MPLS VPN to prevent malicious external access. HiNet enterprise security services are also used to block external attacks.
4. The anti-virus software was renewed in June 2022 under a three-year contract; 2024 is the second year of the contract. Host operation and information security patches are checked monthly and updated in real time.
5. Logging in to a company-configured personal computer and using the company's internal systems requires an account/password, and the password must be changed every three months. If the password is not changed by the expiration date, the account is locked and access rights are suspended until a new application is submitted. Passwords must be at least 8 characters long and contain a combination of numbers and English letters.
6. In July 2024, an inventory of ERP system permissions will be completed to confirm that the list of users is correct.
7. In 2023, vulnerability scanning of 6 hosts and penetration testing of 3 hosts were completed, along with operating system upgrades and patching of application (AP) vulnerabilities identified against OWASP. This will continue in 2024.

Category: Information Equipment Security
1. Important system hosts are placed in professional computer rooms with access control for personnel entry.
2. In 2024, maintenance of information hosts at each site was carried out to reduce the chance of equipment failure, and hardware warranty contracts were completed.
3. A complete backup of the core system (including programs and data) will be completed in the first half of 2024, meeting the 3-2-1 backup requirement. Important system data is scheduled to be backed up twice a day, and backup execution results are sent immediately via email.
4. In the first half of 2024, MDR software will be introduced to carry out security operations for proactive threat detection and response.
5. Endpoint protection is planned for the second half of 2024 to perform software and hardware control on terminal equipment (such as laptops).

Category: Enhanced information security awareness
1. All new employees are required to sign a "Computer Usage Regulations Agreement" to ensure that they understand the company's regulations on computer use, network management, software installation, etc.
2. New employees must fill in the "New Personnel Information Permission Application Form"; personal computer permissions are set after confirmation by supervisors at all levels and the information manager. Based on job requirements, they then fill out the "Application Form for New/Changed Information Permissions", and other system permissions are granted after review and confirmation by the department supervisor.
3. In 2024, information security promotions on ransomware damage prevention, information security vulnerability prevention, email security, and major changes in personal information laws will be completed, with regular monthly promotions; personal computers are set to display relevant promotion messages after start-up.
4. Social engineering drills were conducted in the first quarter of this year. Colleagues in all units, not only new colleagues, have improved their security awareness: upon receiving unknown emails, they not only refrain from clicking on them but also report abnormal emails directly to the Information Security Department as soon as they are received, jointly preventing information security incidents.
5. The "Information Security Incident Response and Internal Reporting Plan" will be developed and released in 2024 to standardize information security incident criteria and reporting mechanisms and to compile detailed rules for the organization and division of work of the response committee.
6. In 2024, online courses on information security vulnerability prevention continue to be arranged for new recruits, with online tests after the class. A total of 9 new recruits have completed the course and passed the test; 20 people completed it in 2023.

5-2.Date reported to the Board of Directors in 2025: July 28, 2025
Category: Management Staffing
1. The Company has established an Information Security Management Team, with two dedicated personnel responsible for executing related operations. These responsibilities include policy planning and implementation, management of user computer and corporate network access permissions, firewall and antivirus software administration, as well as data backup planning, redundancy, and recovery drills.
2. In 2024, the Company's information security personnel received training on the Personal Data Protection Act (Security Maintenance), social engineering, and cybersecurity control guidelines, totaling 32 participant-hours. In 2025, the personnel completed cybersecurity courses offered by the Taiwan Academy of Banking and Finance, totaling 14 participant-hours, and passed the related assessments.

Category: Information security and control measures
1. In 2024, three security patches were applied, and real-time disconnection alerts were added to enhance network incident response capabilities.
2. A filtering mechanism was configured on the email server to prevent the spread of spam messages. A migration to a cloud-based solution is planned for 2025.
3. System network operations utilize MPLS VPN connections to prevent unauthorized external access. In addition, HiNet enterprise security services are employed to block external attacks.
4. Antivirus software was renewed in June 2022 under a three-year contract. The software is in its third year of use as of 2025. Security patches for operating systems on servers are reviewed monthly and updated in real time.
5. Logging into company-issued personal computers and accessing internal systems requires account ID and password authentication. Passwords must be changed every three months; accounts will be locked if the password is not updated within the required period, and access will be suspended until a formal request is submitted. Passwords must be at least 8 characters in length and include a combination of numbers and letters.
6. In July 2024, a review of ERP system access permissions was completed, confirming the accuracy of the user list. The review for 2025 is scheduled to be conducted in July.
7. In 2024, vulnerability scans were completed on six servers and penetration tests were conducted on three servers. This included operating system upgrades and remediation of application vulnerabilities based on OWASP guidelines. The 2025 assessments are scheduled for September.

Category: Information Equipment Security
1. Critical system servers are housed in a professional data center with access control measures in place to regulate personnel entry.
2. In 2024, a maintenance inspection was conducted on information servers at all locations to reduce the risk of equipment failure, and hardware warranty contracts were completed. In 2025, server inspections and maintenance at all locations have also been completed.
3. In 2024, a full backup of the core systems, including programs and data, was completed, in compliance with the 3-2-1 backup security standard. Critical system data is backed up twice daily on a scheduled basis, and the backup results are sent out immediately via email. In 2025, in response to the upgrade to VMware 8.0, the backup processes have been revised accordingly.
4. In 2024, MDR (Managed Detection and Response) software was fully implemented to carry out proactive threat detection and cybersecurity incident response. In 2025, alert optimization was conducted to reduce unnecessary notifications.
5. In the second half of 2024, endpoint protection was implemented to enforce USB access control. In 2025, software installation control measures are being introduced, with implementation scheduled for October.

Category: Enhanced information security awareness
1. All new employees are required to sign the "Computer Usage Policy Agreement" to ensure they understand the company's regulations regarding computer use, network management, software installation, and related policies.
2. New employees are required to complete the "New Employee Information Access Application Form." After confirmation by relevant supervisors and the IT manager, personal computer access permissions are granted. Additional system access may be provided based on job requirements, upon submission of the "Information Access Addition/Modification Application Form" and approval by the department manager.
3. In 2024, regular cybersecurity awareness campaigns were conducted covering topics such as ransomware prevention, vulnerability mitigation, email security, and major amendments to the Personal Data Protection Act. Awareness messages are set to display upon startup of personal computers. As of 2025, six sessions have been completed, with monthly campaigns ongoing.
4. In 2024, four social engineering drills were conducted. Excluding new employees, staff across departments demonstrated increased cybersecurity awareness: upon receiving suspicious emails, they not only refrained from clicking on them but also promptly reported such incidents to the Information Security Department, thereby enhancing collective defense against cyber threats. As of 2025, one social engineering drill has been completed.
5. In 2024, the "Information and Communication Security Incident Response and Internal Reporting Plan" was established and released. It defines the standards and reporting mechanisms for security incidents, outlines the organization of the response committee, and specifies detailed roles and responsibilities. A drill is scheduled for 2025, with implementation planned for December.
6. In 2024, an online course on cybersecurity vulnerability prevention was arranged for new employees, followed by an online assessment. A total of 33 new employees completed the course and passed the test. As of 2025, 15 new employees have completed the training.

6. Major Information and Communication Security Incidents
  • No major information and communication security incidents occurred in 2024/2025. Most incidents were hardware failures, all of which were resolved within the originally defined SLA timeframe.

7. Information and Communication Security Risks and Mitigation Measures
  • Achieved the required standards of the SecurityScoreCard (SSC) platform—exceeding the industry average—and continuously addressing potential cybersecurity risks.
  • Implemented a globally recognized MDR system to respond to risk alerts in real time. Established a corresponding SOP knowledge base to reduce response time.
  • Conduct annual security incident reporting and disaster recovery drills on selected core systems, with continuous review and optimization of response strategies.