Information Disclosure for Information Security Management
Information Security Management Strategy and Framework:
Provide a description of the information security risk management framework, information
security policies, specific management measures, and allocation of resources for information
security management. (Legal basis: Article 18, Paragraph 6, Item 1 of the Annual Report
Guidelines)
1. Information Security Risk Management Framework
Userjoy Technology Co., Ltd. established the "Information Security Committee" in the year 112
of the Republic of China to execute information operation security management planning,
establish and maintain an information security management system, coordinate the
formulation, implementation, risk management, and compliance audit of information security
and protection policies. The Information Security Committee is chaired by the General
Manager and supervised by the Chief Information Officer, who also serves as the Information
Security Officer. The department heads of various units within the company, including the
Information Management Department, Product Technology Department, and Platform Development
Department, are all members of the committee. Furthermore, in accordance with Article 9-1 of
the "Guidelines for Public Companies to Establish Internal Control Systems," a "Security
Office" has been established to handle information security and physical security planning
and related audit matters, and it also oversees the operation of this committee.
The Information Security Committee holds regular meetings each year to review information
security risks and the corresponding protection measures and strategies, ensuring the
continued applicability, suitability, and effectiveness of the information security
management system.
2. Information Security Policy
Userjoy Technology Co., Ltd.'s information security policy covers all software and hardware
within the company. It is guided by the following principles:
  1. Establish information security management specifications that comply with regulatory
     requirements.
  2. Achieve a consensus that information security is everyone's responsibility through
     education and awareness for all employees.
  3. Protect the confidentiality, integrity, and availability of all company information.
  4. Provide a secure development and operating environment to ensure the company's
     sustainable operation.
The policy focuses on three main pillars of information security protection: monitoring and
early warning, intrusion defense, and data protection. It establishes a Security Operations
Center (SOC), an enterprise threat protection system, and network and endpoint detection and
response systems to enhance defense against external attacks and protect sensitive internal
data.
Through the collective efforts of all employees, the following goals are to be achieved:
  1. Protect the company's business activity information from unauthorized access or
     modification and ensure its accuracy and integrity.
  2. Implement information security risk assessment mechanisms to enhance the effectiveness
     and timeliness of information security management.
  3. Evaluate the need for establishing a backup infrastructure for critical information
     security facilities to ensure system availability.
  4. Implement an internal audit system for information security to ensure the
     implementation of information security management.
  5. Regularly review and continuously improve the company's information security
     management system.
3. Specific Management Measures
To achieve the information security policy and objectives and establish comprehensive
security protection, the following management matters and specific management measures are
implemented:
- Enhance security defense capability and risk control: Collaborate with
third-party security vendors to leverage their experienced information security
personnel for real-time monitoring and analysis. Through their dedicated 24/7 monitoring
service, timely alerts can be issued and assistance can be provided to information
personnel for appropriate risk mitigation in the event of information security threats.
- Improve security management procedures: Define the roles that relevant personnel
should play in information security operations as the basis for assigning
responsibilities and delegating authorities within each department. Regularly conduct
disaster recovery plan drills to verify the accuracy of data backups and ensure the
availability of off-site backup mechanisms.
- Enhance network, endpoint, and application security: Utilize precise AI analysis
to identify network risks and perform independent behavioral analysis for each endpoint,
continuously learning and using mathematical algorithms to detect abnormal states. This
enables rapid response to malicious attacks, minimizing potential losses in the event of
a network attack.
- Education and training: Reinforce the information security policy and operational
guidelines at least once a year through awareness campaigns and provide relevant
education and training courses for new employees to effectively enhance the information
security awareness of all employees.
- Remote work control: Implement a zero-trust architecture requiring verification
for individuals and entities attempting to connect to the organizational systems before
granting access. Multi-factor authentication (MFA) adds an additional layer of
protection to the login process, requiring users to provide additional identity
verification, such as receiving SMS or verification codes on their mobile phones when
accessing accounts or applications.
4. Allocation of Resources for Information Security Management
Information security has become a crucial aspect of company operations. The resource
allocation for corresponding security management matters is as follows:
- Dedicated manpower: Assign personnel to serve as the Chief Information Security
Officer and establish a dedicated information security unit, the "Security Office"
(consisting of one security manager and at least two security officers, totaling four
members). This unit is responsible for company information security-related policies,
risk assessments, and the development of information security tools to maintain and
strengthen information security continuously.
- Education and training: Security officers are required to complete at least eight
hours of professional security training annually. All new employees receive information
security education as part of their onboarding training. Regular information security
awareness campaigns are conducted for all employees (approximately 480 employees in the
current year). At least one social engineering exercise, simulating an attack, is
conducted annually to enhance the overall security awareness of all employees.
- Security notifications: Timely announcements are made regarding current security
news and security risk events to communicate important security regulations and
precautions.
- Security tools and services:
  - Establish a Security Operations Center (SOC) - Budget allocation: 1 million dollars.
  - Implement enterprise threat domain filtering and protection - Budget allocation:
    1.5 million dollars.
  - Implement zero-trust network access with multi-factor authentication (MFA) - Budget
    allocation: 1 million dollars.
  - Deploy Network Detection and Response (NDR) systems - Budget allocation: 3 million
    dollars.
  - Deploy Endpoint Threat Analysis and Automated Protection Services (MDR) - Budget
    allocation: 1 million dollars.
- Security meetings: Conduct quarterly Security Operations Center (SOC) service
review meetings, totaling four meetings per year.