ESG-Information Security

持續創新改善全員追求卓越

Continuous innovation and improvement
All employees pursue excellence

Cyber Security Risk Management Framework

The Company Cyber Security Governance Organization

LASER TEK established “Cyber Security Committee” and the Cyber Security Committee is composed of the Executive Office, Policy and Audit Unit, Education and Training Unit, and Cyber Security Technology Unit to coordinate information security management-related policy formulation, implementation, risk management, and compliance audits, with the general manager supervising information security and network security strategies. And the vice president serves as the Chief Information Security Officer (CISO), responsible for supervising the executive office to establish and maintain information security and network security strategies and procedures to protect the company's assets.

LASER TEK Cyber Security Committee Organization Structure

Information Security Policy

Purpose	To ensure the smooth operation of the company's business, prevent information or information and communication systems from unauthorized access, use, control, leakage, destruction, tampering, deletion, or other infringements, and to ensure their Confidentiality, Integrity, and Availability, this policy is formulated for all employees to follow:
Scope	Effectively manage information assets, continuously conduct risk assessments, and take appropriate protective measures. Protect information and information and communication systems from unauthorized access, maintaining the confidentiality of information and systems. Protect against unauthorized modifications to ensure the integrity of information and information and communication systems. Ensure that authorized users can access information and information and communication systems when needed. Comply with legal and regulatory requirements. Assess the impact of various man-made or natural disasters, and establish recovery plans for core information and communication systems to ensure the continuity of core business operations. Implement information and communication security education and training to enhance employees' information security awareness. Implement a reward and punishment mechanism for personnel involved in information and communication security matters during business operations.

Purpose

To ensure the smooth operation of the company's business, prevent information or information and communication systems from unauthorized access, use, control, leakage, destruction, tampering, deletion, or other infringements, and to ensure their Confidentiality, Integrity, and Availability, this policy is formulated for all employees to follow:

Scope

Effectively manage information assets, continuously conduct risk assessments, and take appropriate protective measures.
Protect information and information and communication systems from unauthorized access, maintaining the confidentiality of information and systems.
Protect against unauthorized modifications to ensure the integrity of information and information and communication systems.
Ensure that authorized users can access information and information and communication systems when needed.
Comply with legal and regulatory requirements.
Assess the impact of various man-made or natural disasters, and establish recovery plans for core information and communication systems to ensure the continuity of core business operations.
Implement information and communication security education and training to enhance employees' information security awareness.
Implement a reward and punishment mechanism for personnel involved in information and communication security matters during business operations.

Specific Management Measures

We formulated 22 measures through four aspects of cyber security protection including data access control, network information security, education training, check and business continuity. According to attack change and trend to review and adjust for implementing comprehensive cyber security protection and protect the quality of information security in the supply chain with the highest standards.

Investment in Information and Communication Security Management Resources

To address the risks faced by enterprises in information security, such as ransomware attacks, BEC business fraud, APT advanced persistent threats, social engineering scams, remote work vulnerabilities, and business continuity issues, the company continuously trains employees to raise information security awareness, keeps up with trends in information security topics, and continuously implements relevant solutions to prevent threats from malicious attacks. The company has increased its budget for information and communication security training and solutions in recent years, with the following improvements:

Information Security Systems and Policies	6 new information security mechanisms and systems added in 2024. Full computer backup for all employees. Cloud offline backup. Information security web page. Web encryption. Email encryption. Obtained the highest domestic information security certification.
Drills	Social engineering: 6 times in 2022, 4 times in 2023, 4 times in 2024. Disaster recovery drills: once in 2022, once in 2023, once in 2024.
Training	100% new employee training: all new employees completed information security education and training, with a 100% completion rate in 2022 and 2023; in 2024, 24 new employees were trained, with a 100% completion rate. All-employee training: quarterly company-wide information security training to communicate the latest important information security matters, 4 times in 2022, 4 times in 2023, 2 times in 2024. External professional information security training hours: 52 hours in 2024.
Promotion	Promotional posters: posted on bulletin boards to communicate important information security matters, 6 posters in 2022, 22 in 2023, 22 in 2024. Promotional announcements: communicate important information security matters, 11 announcements in 2022, 6 in 2023, daily announcements in 2024.
Information Security Incidents	2 information security incidents in 2024: 1. Forged vendor scam email attack 2. Email attachment impersonating PDF attack. 2 information security incidents in 2023. 2 information security incidents in 2022.
Incident Improvement	Strengthened spam filtering system. Enhanced protection against possible forged attachments.
Future Plans & Continuous Improvement	Implement remote multi-factor authentication. Deploy edge firewalls. Implement automated configuration management. Implement information security incident tracking system. Implement intranet control system. Implement email DKIM.

Significant Cyber Security Incidents Notification Process

When the cyber security incident happened, employees should immediately notify the unit window, supervisor and executive office in accordance with the . The executive office will classify it according to the company's standards for convenience. Follow-up processing, and conduct damage impact assessment and draft improvement plans for cyber security incidents. If the cyber security incident is a major abnormality and the suspected leak incident should be reported to the administration department, if the leak is true, it will be handled by the legal/human resource sector according to law or company regulations . In 2024, the company has not discovered any major cyber security incidents, or may have an adverse impact on the company's business and operations, nor has it been involved in any related legal cases or regulatory investigations.