Information Security Risk Management Framework

  • The company has set up an information security team, with the general manager as convener and the head of the finance and accounting department as deputy convener. The team members include the heads of the various departments and the liaison personnel of the information security notification network.
  • The unit responsible for the company’s information security is the MIS department, which coordinates information security matters and is responsible for formulating internal information security policies, planning and implementing information security operations, and promoting and implementing information security policies.
  • The company’s internal audit office is the supervisory unit for information security and is responsible for supervising the implementation of internal information security. If any mistake is found in regular inspections, the responsible unit proposes relevant improvement plans and specific actions, and the effects of the improvements are tracked regularly in order to reduce internal information security risk.

Information Security Policy

In order to enhance the security and stable operation of the company’s information and communication operations, provide secure information and communication services, and ensure the confidentiality, integrity and availability of information assets, the information security policy has been formulated as the highest guideline for the company’s information and communication security management.


All employees of the company have the obligation and responsibility to comply with information security rules and regulations, maintain company information security, ensure the safe maintenance of company data, information systems, equipment and networks, and guard against incidents caused by improper use, leakage, tampering, theft, or destruction, in order to reduce the related risks.

Specific Management Plan

The company has not yet been insured under an information security protection plan, but it has established information security policies and other related operating standards covering physical and environmental security, network and computer security, system access control, sustainable operation of the system, information security promotion and education training, etc., all of which have been carried out in accordance with the operating specifications. In 2020, we also reviewed the company’s information environment through external consultants and reported to the board on the information security risk assessment on December 21, 2020, in an effort to further improve information security operations and ensure the company’s business continuity.