ISMS Policy

To ensure that our company's ISMS (Information Security Management System) meets practical needs, we have established an Information and Communication Security Management Policy. By maintaining the confidentiality, integrity, and availability of our important information systems, we support smooth business operations. This policy serves as a high-level guideline, and all employees and outsourced vendors are obligated to actively participate in its implementation. The goal is to ensure the secure operation of all information systems and encourage everyone to understand, implement, and maintain security measures for continuous business operation.

  • Implementing Information Security to Enhance Service Quality

The ISMS must be strictly enforced to ensure the confidentiality, integrity, and availability of all data-related operations. This prevents risks such as data leaks, damage, or loss due to security threats. Appropriate protective measures should be selected to reduce risks to an acceptable level. Continuous monitoring, review, and auditing of the information security management system will help enhance service quality and improve overall service standards.

  • Strengthening Security Training to Meet Legal Requirements

Security training should be reinforced to ensure that all employees comply with information security management. Ongoing security education and training will establish the principle that "Information security is everyone's responsibility." Employees must recognize the importance of complying with relevant laws and regulations. By doing so, they can improve their understanding of security risks and enhance their ability to mitigate threats while adhering to legal requirements, such as the Information Security Management Act and the Personal Data Protection Act.

  • Business Continuity Planning and Rapid Disaster Recovery

A contingency plan and disaster recovery plan for key business-critical information systems should be established. Emergency response drills should be conducted every two years to ensure prompt recovery in case of system failures or major disasters. This guarantees the continuous operation of essential systems and supports the company's key business functions.

  • Proper Use of Personal Data and Prevention of Data Leaks

Personal data should be classified and assessed to determine protection needs and appropriate security measures. Access control mechanisms should be established, and encryption/security measures should be applied for data transmission and sharing. Regular assessments of outsourced vendors' compliance should be conducted, along with contractual agreements to ensure data security. Employee training should be strengthened to enhance awareness of personal data protection. A monitoring and auditing system should be established to track data usage, access, and transmission while promptly detecting and responding to abnormal activities or security incidents. When personal data is no longer needed, it should be securely and permanently deleted.