The company has established an information security policy, internal control systems, and related information security management procedures. A dedicated information security management organization is responsible for promoting and implementing them, so that the company's information assets are appropriately protected and the confidentiality, integrity, and availability of its information are maintained.
I. Cyber security risk management framework
The company designates the Information Management Center as the unit responsible for planning, promoting, evaluating, and auditing information security management matters. It has appointed one information security supervisor and one information security officer, who regularly review whether the information security management policy meets the company's business needs and who promote and implement the policy, under the supervision of managers at the level of Vice General Manager or above.
The company's dedicated cyber security unit meets annually to discuss and review cyber security risk assessments and planned improvements. In 2024, one such meeting was held, and on December 27, 2024, the unit reported the year's information security management performance to the board of directors.
II. Cyber security policy
Establish an appropriate information security management system to ensure the confidentiality, integrity, and availability of the company's information assets; strengthen employees' information security awareness; manage information equipment and network systems; and prevent information assets from being damaged or improperly used. In an emergency, take the necessary response actions swiftly and restore normal operation in the shortest possible time to minimize the damage caused by the incident.
Cyber security management operations:
- Development and implementation of information security policies.
- Operation and execution of the information security organization.
- Information security promotion and education/training.
- Identification of the importance of information assets and of cyber security risks.
- Communication security management.
- System access control.
- Security management in system development and maintenance.
- Environmental security.
- Information security incident reporting and response (including emergency response measures).
III. Specific management plan
- Clearly define the information and cyber security control system that governs the use of information assets, and ensure that behavior complies with its requirements.
- Equip all information assets with system accounts that identify individual users and with the necessary permission management. Unauthorized access is blocked to protect the confidentiality of information assets. Operating procedures are also established to regularly review user accounts, privileged accounts, and their permissions.
- Assign a different initial (default) password each time a new user account is issued. Password length (minimum and maximum number of characters) is restricted, and accounts are automatically locked after multiple failed login attempts, to strengthen the security of user accounts.
- Deploy an application firewall architecture that controls user behavior and permissions, with intrusion detection and prevention capabilities implemented in the firewall, together with virus, spam, and malicious-link defense mechanisms. Retain the necessary monitoring logs for management and audit purposes.
- Deploy an anti-virus system with a central control platform and endpoint protection mechanisms, so that the defense capabilities of information assets are continuously updated and comply with cyber security policies. In the event of a cyber security incident, promptly identify the scope of impact and handle the situation to preserve the availability of information assets, and analyze how the defenses actually performed.
- Deploy an active email defense system that automatically obtains the latest attack-method intelligence and defense capabilities, and that resists targeted attacks (APT), spear phishing, malware, phishing, spam, and advertising emails, effectively reducing the loss of information assets and sensitive data.
- Deploy the necessary data backup system so that, when important information assets encounter an abnormal situation, data recovery plans or asset restoration can be carried out through the backup system to preserve the availability of information assets.
- Regularly review whether system providers, maintainers, administrators, data owners, general users, and other relevant personnel comply with information security policies and related regulations.
- Conduct information security awareness promotion on an ad hoc basis to enhance employees' awareness of information security.
- Introduce external cyber security exercise services to verify the ability to defend against external cyber security attacks and to continuously strengthen cyber security defense capabilities.
- Control the entry and exit of personnel in areas where important information assets are located, and monitor the security controls of the environment.
- Monitor security vulnerability advisories at all times and patch high-risk vulnerabilities promptly.
IV. Resources invested in cyber security management
- Join the Global Cyber Security Operations Center (SOC) to quickly obtain threat and vulnerability information on the various information assets in use and to carry out the necessary defensive work.
- Continuously invest resources so that the software and hardware of the company's various information assets receive updates that address vulnerabilities and threats.
- Cyber security policy:
(A) In November of the year 112 (ROC calendar), the company announced its Cyber Security Policy and issued a public notice.
(B) In December 2023, in accordance with the requirements of the Cyber Security Policy, the internal control system for information and communication security was revised and announced.
- Cyber security awareness:
(A) In September 2024, a cyber security awareness announcement was issued to all employees.
(B) In May and November of the year 113 (ROC calendar), cyber security awareness notices were issued to all employees.
- Education and training:
(A) In May 2024, one cyber security staff member obtained the ISO 27001 Lead Auditor certification, enhancing the ability to identify and control information security risks.
(B) In October 2024, a total of 32 person-times completed the Information and Communications Security Social Engineering Education and Training Course.
V. Impact of and response measures for major cyber security incidents
No significant information security incidents occurred in 2024.