Information Security

The Company strengthens IT system and network security through policies and training to reduce risks of data theft, misuse, leakage, or damage, ensuring protection of all stakeholders’ information and sustainable operations. The IT Security Task Force reviews system risks at least annually, holds ad hoc meetings if needed, and reports summaries to the Board each year.

Cybersecurity management framework

The Chief Cybersecurity Officer convenes the "Cybersecurity Promotion Team", which meets annually to review and decide on information security and information protection policies, communicates information security management, policy reviews and directions to the whole company through the team, and implements and evaluates the effectiveness of information security management measures.
The "Cybersecurity Promotion Team" is composed of at least 12 members drawn from the "Cybersecurity Audit Unit", the "Cybersecurity Control Unit" and the "Cybersecurity Management Unit", and is responsible for the company's information security and physical security planning and related audit matters.
The Cybersecurity Audit Unit has 2 people who check and monitor the effectiveness of information security management and carry out supervision and audits to ensure that information security standards remain effective.
The Cybersecurity Control Unit is composed of 1 cybersecurity chief, 1 cybersecurity supervisor and 2 cybersecurity personnel, who establish multi-layer cybersecurity protection, systematically monitor cybersecurity, and regularly review and implement improvement operations, including information security measures, education and training, awareness campaigns and other improvements, to ensure that important confidential information is not leaked.
The Cybersecurity Management Unit is responsible, through department heads, for managing employee behavior and physical application security. When employees violate the relevant norms and procedures, they are subject to personnel sanctions based on the work rules, the employee manual and other behavioral guidelines, depending on the severity of the violation.

Cybersecurity Management Policy Objective

The Company’s cybersecurity policy is “to maintain the confidentiality, integrity and availability of the Company’s information, to ensure the normal operation of the information system, and to avoid any impact and loss arising from human negligence, improper operation, intentional destruction and other external forces.”
1. Assuring the consistency of the data in the information system, with attention to information security and sharing.
2. All policies related to information operations must ensure information security and prevent the divulgence or loss of sensitive and confidential information.
3. Appropriate protection of information assets (including software, hardware, network communication facilities and databases), and adoption of appropriate backup and recovery facilities and operations to prevent damage to information assets caused by unauthorized operation or negligence.
4. Intensification of education on the information security policy through different channels.

Specific Cybersecurity Management Project

1. Computer Equipment Replacement Project: Old endpoints are phased out to meet Windows 11 requirements, prevent post-Windows 10 EOL security risks, and implement a device lifecycle management system.
2. Host Upgrade Project: Under the cybersecurity plan, a passwordless MFA system with biometric authentication via a mobile app (fingerprint/face) is deployed.
3. Website Protection Project: A DDoS protection mechanism with traffic scrubbing has been implemented in collaboration with Taiwan Mobile, offering a maximum mitigation capacity of 500 Gbps.
4. Talent Training Projects: Train and expand management staff with ISO 27001 Lead Auditor certification to strengthen cybersecurity management and internal audits.

Implementation Results of Information Security Measures

Customer Privacy and Information Security Protection

In 2024, there were no reports of violations of customer privacy or complaints over customer data loss at CMC. CMC deeply understands the importance of protecting customer information and privacy, duly observes its personal information and privacy policy, and accordingly requires all employees to protect with caution the confidential and proprietary information delivered by customers. However, the risks and techniques of hacking into or intruding on the network system change rapidly over time. CMC has taken proper measures for information security management, and also seeks to protect information security and customer information through the following mechanisms to assure customer privacy:
1. Employees sign a non-disclosure clause as part of their responsibilities and obligations of due diligence.
2. Intensification of education on awareness of personal information and information security.
3. Rules and regulations governing the photocopying, faxing and keeping of confidential documents and materials at the workplace are in place. Related rules and regulations also apply to computer equipment and data storage media to assure information security.
4. In the area of operational security management, only authorized users may access information and related equipment, and only when needed.
5. CMC has installed firewall and anti-virus measures to prevent hacking, and alerts employees on how to respond to unidentified data and emails.