Information Security

Information Security Management System

Pou Chen started to implement and adopt the Information Security Management System (ISMS) in 2013. Based on the international information security standard ISO 27001, the Company formulated appropriate information security documentation and control measures covering the related management areas, including policy, organization, personnel, physical environment, network security, operation management, access control, information system development and maintenance, information security incidents, disaster prevention drills, digital security management of factory networked equipment, etc.

Information Security Policy

Pou Chen’s Information Security Policy has the following objectives:
(1) To ensure the continuity of the Group’s business activities, and to protect the stable use of the information services provided by the Group.
(2) To ensure the confidentiality, integrity and availability of the information assets under the Group’s supervision, and to protect the privacy of personnel information.
(3) To establish an information business continuity plan, and to implement related information activities in accordance with relevant laws or regulations.

Information Security Organization and Operation

To improve its capability of information security management, Pou Chen enacted the Information Security Policy and established the “Information Security Management Committee” (ISMC). The Committee is convened by the Supervisor of the Group’s IT Department, and is responsible for the governance, planning, supervision, and implementation as well as decision-making and coordination of information security matters. Furthermore, the Committee conducts an annual review of the appropriateness of information security policy and related standards.

Pou Chen applies the Plan-Do-Check-Act (PDCA), a continuous improvement model, in its information security management system. Through the system improvement process and training, the Company continues to raise employees’ awareness of information security, reduce various risks and threats faced by information security, and build a comprehensive cyber defense infrastructure.

In addition, the Group’s IT Department conducts an annual internal self-check to ensure the effectiveness of the system. The Company’s Internal Audit Unit also regularly reports to the Board of Directors on the results of its inspection of the status of information security management.

Information Security Defense Mechanism

Pou Chen established information security defense operations along five dimensions: data, process, network, device and system. These operations include action plans for data confidentiality management, fraud prevention advocacy, network security control, mobile device security control and connection protection control. In 2018, the feasibility of information security insurance was assessed. However, it is considered an emerging type of insurance, and its effectiveness with respect to overall information security risk is still difficult to estimate. Currently, the Company’s information security objectives still prioritize strengthening the abovementioned defense operations, and the results are reported at the semi-annual meetings for operational management in order to effectively achieve the purpose of risk management and operations continuity.

Information Service Process Management

Pou Chen started to adopt Information Technology Service Management (ITSM) in 2014. The entire process, from requirement to completion, is built on a service-based, risk-management-oriented approach to managing requirements, incidents, problems, changes, and configurations. The Company is committed to integrating the Service Desk with the professional ability of customer service in order to impose rigorous control over service quality.

Personal Information Protection Management

(1) Pou Chen, in accordance with the “Personal Information Protection Act”, notifies each employee of the collection of personal information on the day of his/her arrival. A written letter of consent shall be given by the employee in person as the basis for the personal information collection.
(2) The collection, processing and use of personal information by Pou Chen shall be carried out in a way that respects the information subject's rights and interests, in an honest and good-faith manner, and shall not exceed the necessary scope of the specific purposes. Anyone in possession of personal information shall implement proper security measures to prevent the personal information from being stolen, altered, damaged, destroyed or disclosed, such as file room management, system authority management, and personnel authority management.
(3) Pou Chen formulated the “Regulations on Management of Employees’ Personal Information”, which clearly regulate the management of employees’ information and the protection of personal information privacy, including management principles, data collection, filing, access, preservation and destruction.
(4) Pou Chen’s “Working Rules” regulate the non-disclosure undertakings of employees in business and duties, including personal information and salaries. If the personal information or salaries of others become known during the performance of duties, they shall also be kept confidential.