Information Security Management Policy

Information Security Management Policy : 人人做資安 資通保平安

To continuously enhance information security management and safeguard the confidentiality, integrity, and availability (CIA) of critical information systems, Ennoconn has established comprehensive information security policies and regulations. These govern personnel behavior in handling information assets. Relevant systems are reviewed regularly to ensure alignment with operational needs and adjusted as necessary to maintain a secure and resilient technology environment.

We have also established an Information Security Management Committee, responsible for minimizing, monitoring, and responding to information security threats that may compromise the company’s confidential information.Internally, we enforce access controls and endpoint security policies, restricting system access and privileges based on operational roles. Externally, network boundaries are protected through firewalls and intrusion prevention systems (IPS) to block unauthorized access attempts.

In addition to routine data backup and support mechanisms, we conduct Business Impact Analyses (BIA) for key business processes, and formulate Business Continuity Plans (BCP) accordingly. Annual disaster recovery exercises are conducted to ensure readiness in the face of disruptions.

When engaging third-party IT service providers, we follow Outsourced Information Service Management Procedures, sign Non-Disclosure Agreements (NDAs), and include confidentiality obligations in contracts. All contractors and suppliers must adhere to Ennoconn’s System Development and Maintenance Management Procedures. Vendors are evaluated annually based on their prior service delivery to ensure compliance with Ennoconn’s information security requirements.

In the event of a security incident, the IT team categorizes incidents into severity levels (Level 1 to 3) and takes appropriate actions, including isolating affected systems, disabling unnecessary functions, backing up critical data, and enhancing perimeter defenses to contain and prevent further damage. All incidents are documented using an Information Security Incident Report, maintaining clear records for traceability and future review.

Enhancing staff information security awareness and reinforcing their safeguarding responsibilities are crucial for Ennoconn’s cybersecurity management. All new hires must sign an Integrity, Confidentiality, and Intellectual Property Agreement during onboarding. Annually, the IT department provides security awareness training to all staff. For departing employees, accounts are promptly disabled per Access Control Management Procedures to prevent unauthorized system access.

A dedicated information security unit, the Information Security Management Department, has been established within Ennoconn, along with a dedicated information security supervisor and staff.

We have achieved significant milestones in our information security management. We obtained ISO-27001 certification on June 13, 2023, and successfully transitioned to the ISO-27001:2022 version on April 15, 2025. Furthermore, we reported the status of our information security risk management implementation to the Board of Directors on November 14, 2024.

Eight Standards for Information Security Management

1. Program and data access and control operations
2. Data input and output control operations
3. Data processing control operations
4. Security control operations of files and equipment
5. Purchase, use and maintenance control of hardware and system software
6. System recovery plan and test program control operations
7. Control operations of information security inspection
8. Control of public information

Information Security Management Framework

Information security incident reporting process