ASMedia’s Information Security Policy


  1. The purpose of ASMedia’s information security is to ensure confidentiality, integrity and availability of the important and core systems within the company. Information security metrics, or key performance indicators (KPIs), shall be obtained at different levels within the company based on the function of each department. The information security KPIs are used to ensure that the information security management system is implemented properly to achieve security goals.
  2. To attain the goals of the company and meet the expectations and requirements of the top management with regard to information security, we have established the Information Security Policy:
    • 2.1 Ensure confidentiality of all forms of business information and protect confidential information and personal information from leaking or getting lost in the company.
    • 2.2 Ensure integrity and availability of business data in order to carry out operations and conduct business properly.
  3. To ensure the effective operation of the information security management system, ASMedia appointed an information security officer and a dedicated staff member at the end of 2023 to oversee the planning and implementation of the information security management framework.
  4. Human Resource Security: To mitigate human factors of information security in the company, we provide information security education and training and disseminate related ideas to improve information security awareness among personnel.
  5. Asset Management: To protect ASMedia’s information assets, we create an inventory of assets according to the regulations. We also draw up the guidelines to classify, control and measure the value of the information assets.
  6. Access Control:
    • 6.1 To ensure that one needs to obtain authorization before accessing the data, we establish an access control policy that regulates the user password, registration, change, deletion and the regular review process, and also establish a clean desk and clear screen policy.
    • 6.2 To protect internet security, we design the internet service system that separates internal and external networks to control and monitor remote working and use of portable devices.
  7. Password Control: We create a proper and effective password policy to protect confidentiality, identity and integrity of information.
  8. Physical and Environmental Security: To ensure safety of the server room, the office and related equipment, we develop the guidelines for entrance control of the server room, equipment inspection and management. We also set out guidelines for use, management and disposition of the general data.
  9. Operations and Communications Security:
    • 9.1 To ensure that the information equipment is properly and safely operated, we introduce the regulations on appropriate use of information. This helps to both prevent confidential information from leaking and build a system that prevents malware infection and blocks portable applications.
    • 9.2 To ensure integrity and availability of information assets, we establish a policy to back up data and adopt the external information system service to monitor the data.
    • 9.3 To protect internet security, we establish the internet security system and provide guidelines to monitor and protect log information.
  10. System Acquisition, Development and Maintenance: To ensure safety of system development, testing, acceptance testing, launching, maintenance and information systems outsourcing, we establish the standard control procedures.
  11. Supply Chain Relationships: For suppliers, we establish the supplier relationships and management policy to ensure safety of suppliers’ accessing, handling and managing of ASMedia’s information and information processing facilities. For customers, we strengthen information security management to protect personal data against theft, alteration, destruction, loss or leakage in accordance with our Personal Data Protection Policy.
  12. Information Security Incident Management: To mitigate the damage of an information security incident, we establish the procedures for reporting and handling information security incidents and keep a detailed record of the incidents.
  13. Information Security Aspects of Business Continuity Management: To ensure ASMedia’s business continuity, we set requirements on the information security aspects of business continuity management and establish the continuity management procedures and framework. We create the business continuity plan and conduct the BCP drill once a year.
  14. Compliance: To ensure regulatory compliance in information security and compliance with any security requirements and latest technologies, we establish the relevant compliance policy.
  15. Any employee who violates the regulations related to information security is liable for a breach of the regulations on information security and faces a corresponding penalty.
  16. The Information Security Policy shall be reviewed by the head of the information security division and the internal auditor at least once a year to ensure that the policy complies with relevant laws and meets the requirements on latest technologies and business operations and that the implementation of information security practices is effective.
  17. Any matter that is not stated in the Information Security Policy shall be handled by the related laws and the company’s rules and regulations.
  18. The Information Security Policy is implemented after approval by the information security manager of the company. The same principle applies to any amendment of the policy.

ISO 27001 Certificate Link

Information Security Specific Management Plan


Our company established a dedicated information security unit at the end of 2023, appointing an information security officer and a security specialist to oversee, manage, and supervise all cybersecurity operations. The security engineer is responsible for handling security tasks, conducting regular vulnerability scans, social engineering exercises, and effectiveness assessments of protective systems, as well as providing security awareness programs and training courses.

Moving forward, we aim to ensure a secure cybersecurity environment through the operations of the dedicated security unit and the implementation of security policies, safeguarding the information security of all company services. Our next goal is to establish a comprehensive expert security system to strengthen our cybersecurity defense network and enhance our collective defense mechanism.

Currently, we have joined TWCERT (Taiwan Computer Emergency Response Team/Coordination Center), and personnel in the security unit have obtained cybersecurity certifications from (ISC)², the International Information System Security Certification Consortium. In the future, we will continue to expand our cybersecurity workforce, plan relevant training and certification programs, and further enhance our company's information security capabilities, making them more robust and trustworthy.


The cybersecurity-related meetings in 2023 are as follows:

| Date | Topic | Hours |
| --- | --- | --- |
| 2023.09.25 | Information Asset Inventory and Risk Assessment | 2 |
| 2023.10.05 | ISMS Process and Management System Adjustment | 2 |
| 2023.10.18 | BCP Business Continuity Drill Scenarios and Consultation | 2 |
| 2023.11.03 | ISO 27001 Internal Audit Meeting | 6 |
| 2023.11.22 | Information Security Management Review Meeting | 2 |
| 2023.12.05 | ISO 27001 SGS Audit Meeting | 6 |