Information Security

To promote and implement the corporate information security management system so that it runs continuously and consistently, the Company’s “Cybersecurity Management Committee,” formally known as the “Cybersecurity Promotion Team,” coordinates the formulation of cybersecurity policies, regulatory compliance and personnel training, while also strengthening the security and protection capabilities of the information system, equipment and network communications. By doing so, we are able to effectively reduce the risk of theft, misuse, leakage, tampering, or destruction of information assets attributable to human error, premeditation, or natural disasters, protecting the security of the information assets of our employees, customers, suppliers, and operations, and ensuring the sustainability of the Company.

Cybersecurity management framework

The Chief Cybersecurity Officer serves as the convener of the "Cybersecurity Promotion Team", which meets annually to review and decide on information security and information protection policies. Through the "Cybersecurity Promotion Team", information security management and the reviewed policies and directions are communicated to the whole company, and information security management measures are implemented effectively.
The "Cybersecurity Promotion Team" is composed of at least 12 members of the "Cybersecurity Audit Unit", the "Cybersecurity Control Unit" and the "Cybersecurity Management Unit", and is responsible for the company's information security and physical security planning and related audit matters.
The Cybersecurity Audit Unit has 2 people who check and monitor the effectiveness of information security management and carry out supervision and audits to ensure that information security standards continue to be effective.
The Cybersecurity Control Unit is composed of 1 cybersecurity chief, 1 cybersecurity supervisor and 2 cybersecurity personnel. It establishes multi-layer cybersecurity protection, systematically monitors cybersecurity, and regularly reviews and implements improvement operations, including information security measures, education and training, and publicity, to ensure that important confidential information is not leaked.
In the Cybersecurity Management Unit, department heads are responsible for managing employee behavior and physical application security. Employees who violate relevant norms and procedures are subject to personnel sanctions based on work rules, employee manuals, and other behavioral guidelines, depending on the severity of the violation.

Cybersecurity Management Policy Objective

The Company’s cybersecurity policy is “to maintain the confidentiality, integrity and availability of the Company’s information, to ensure the normal operation of the information system, and to avoid any impact and loss arising from human negligence, improper operation, intentional destruction and other external forces.”
1. Assuring consistency of the data in the information system, with due regard for information security and sharing.
2. All policies related to information operation must assure information security and prevent the disclosure or loss of sensitive and confidential information.
3. Appropriate protection of information assets (including software, hardware, network communication facilities and database), and adoption of appropriate backup and recovery facilities and operation to prevent damage to the information assets caused by unauthorized operation or negligence.
4. Intensification of education on the information security policy through different channels.

Specific Cybersecurity Management Project

1. Deterrence of security breaches from external intrusion: installation of firewall, antivirus software, e-mail portal and related security mechanisms.
2. Keeping employees highly alert to information security: education on the proper concept of information security, relevant information security topics, and case studies, in order to raise employees' awareness when responding to unidentified data and mails.
3. Prevention of internal information security threats: employees sign a non-disclosure clause, and data access and the sending of e-mail at the server are logged for inspection. User ID and priority are determined by officers at various levels as dictated by the duties to be performed.
4. Information security design: automatic backup of important data, with backup and recovery drills organized from time to time.

Implementation Results of Information Security Measures

Customer Privacy and Information Security Protection

In 2023, there were no reports of violations of customer privacy or complaints over customer data loss at CMC. CMC deeply understands the importance of protecting customer information and privacy, duly observes its personal information and privacy policy, and therefore requires all employees to protect the confidential and exclusive information delivered by customers with caution. However, the risks and techniques of hacking into the network system or intruding into the system change rapidly over time. CMC has taken proper measures for information security management, and also seeks to protect information security and customer information through the following mechanisms to assure customer privacy:
1. Employees sign the non-disclosure clause as a responsibility and obligation of due diligence.
2. Intensification of education on the awareness of personal information and information security.
3. Rules and regulations governing the photocopying, faxing, and keeping of confidential documents and materials at the workplace are in place. Related rules and regulations are also applicable to computer equipment and data storage media to assure information security.
4. In the area of operation security management, only authorized users may access information and related equipment at the time of need.
5. CMC has installed firewall and anti-virus measures to prevent hacking, and alerts employees on how to respond to unidentified data and mails.