Information Disclosure for Information Security Management

Information Security Management Strategy and Framework:

Provide a description of the information security risk management framework, information security policies, specific management measures, and allocation of resources for information security management. (Legal basis: Article 18, Paragraph 6, Item 1 of the Annual Report Guidelines)

1.Information Security Risk Management Framework

Userjoy Technology Co., Ltd. established the "Information Security Committee" in the year 112 of the Republic of China to execute information operation security management planning, establish and maintain an information security management system, coordinate the formulation, implementation, risk management, and compliance audit of information security and protection policies. The Information Security Committee is chaired by the General Manager and supervised by the Chief Information Officer, who also serves as the Information Security Officer. The department heads of various units within the company, including Information Management Department, Product Technology Department, Platform Development Department, are all members of the committee. Furthermore, in accordance with Article 9-1 of the "Guidelines for Public Companies to Establish Internal Control Systems," a "Security Office" has been established to handle information security and physical security planning and related audit matters, and it also oversees the operation of this committee.

The Information Security Committee holds regular meetings each year to review information security risks and corresponding protection measures and strategies, ensuring the applicability, suitability, and effectiveness of the information security management system's continuous operation.

2.Information Security Policy

Userjoy Technology Co., Ltd.'s information security policy covers all software and hardware within the company. It is guided by the following principles: "1. Establish information security management specifications that comply with regulatory requirements. 2. Achieve a consensus that information security is everyone's responsibility through education and awareness for all employees. 3. Protect the confidentiality, integrity, and availability of all company information. 4. Provide a secure development and operating environment to ensure the company's sustainable operation." The policy focuses on three main pillars of information security protection: monitoring and early warning, intrusion defense, and data protection. It establishes a Security Operations Center (SOC), an enterprise threat protection system, and network and endpoint detection and response systems to enhance defense against external attacks and protect sensitive internal data.

Through the collective efforts of all employees, the following goals are to be achieved: "1. Protect the company's business activity information from unauthorized access or modification and ensure its accuracy and integrity. 2. Implement information security risk assessment mechanisms to enhance the effectiveness and timeliness of information security management. 3. Evaluate the need for establishing a backup infrastructure for critical information security facilities to ensure system availability. 4. Implement an internal audit system for information security to ensure the implementation of information security management. 5. Regularly review and continuously improve the company's information security management system."

3.Specific Management Measures

To achieve the information security policy and objectives and establish comprehensive security protection, the following management matters and specific management measures are implemented:

  • Enhance security defense capability and risk control: Collaborate with third-party security vendors to leverage their experienced information security personnel for real-time monitoring and analysis. Through their dedicated 24/7 monitoring service, timely alerts can be issued and assistance can be provided to information personnel for appropriate risk mitigation in the event of information security threats.
  • Improve security management procedures: Define the roles that relevant personnel should play in information security operations as the basis for assigning responsibilities and delegating authorities within each department. Regularly conduct disaster recovery plan drills to verify the accuracy of data backups and ensure the availability of off-site backup mechanisms.
  • Enhance network, endpoint, and application security: Utilize precise AI analysis to identify network risks and perform independent behavioral analysis for each endpoint, continuously learning and using mathematical algorithms to detect abnormal states. This enables rapid response to malicious attacks, minimizing potential losses in the event of a network attack.
  • Education and training: Reinforce the information security policy and operational guidelines at least once a year through awareness campaigns and provide relevant education and training courses for new employees to effectively enhance the information security awareness of all employees.
  • Remote work control: Implement a zero-trust architecture requiring verification for individuals and entities attempting to connect to the organizational systems before granting access. Multi-factor authentication (MFA) adds an additional layer of protection to the login process, requiring users to provide additional identity verification, such as receiving SMS or verification codes on their mobile phones when accessing accounts or applications.

4.Allocation of Resources for Information Security Management

Information security has become a crucial aspect of company operations. The resource allocation for corresponding security management matters is as follows:

  • Dedicated manpower: Assign personnel to serve as the Chief Information Security Officer and establish a dedicated information security unit, the "Security Office" (consisting of one security manager and at least two security officers, totaling four members). This unit is responsible for company information security-related policies, risk assessments, and the development of information security tools to maintain and strengthen information security continuously.
  • Education and training: Security officers are required to complete at least eight hours of professional security training annually. All new employees receive information security education as part of their onboarding training. Regular information security awareness campaigns are conducted for all employees (approximately 480 employees in the current year). At least one social engineering exercise, simulating an attack, is conducted annually to enhance the overall security awareness of all employees.
  • Security notifications: Timely announcements are made regarding current security news and security risk events to communicate important security regulations and precautions.
  • Security tools and services:
    • Establish a Security Operations Center (SOC) - Budget allocation: 1 million dollars.
    • Implement enterprise threat domain filtering and protection - Budget allocation: 1.5 million dollars.
    • Implement zero-trust network access with multi-factor authentication (MFA) - Budget allocation: 1 million dollars.
    • Deploy Network Detection and Response (NDR) systems - Budget allocation: 3 million dollars.
    • Deploy Endpoint Threat Analysis and Automated Protection Services (MDR) - Budget allocation: 1 million dollars.
  • Security meetings: Conduct quarterly Security Operations Center (SOC) service review meetings, totaling four meetings per year.