Information Security Policy

  1. The purpose of information security
    1. To enhance the security of the Company's information and communication operations and to prevent unauthorized access, use, control, leakage, destruction, tampering or other infringement of information and communication systems or information, so as to ensure their confidentiality, integrity and availability. To comply with relevant laws, regulations and customer requirements in order to smoothly promote the Company's various businesses, thereby gaining the trust of customers, enhancing competitive advantages and ensuring the sustainable operation of the Company.
  2. Management objectives
    1. 2.1 To ensure the confidentiality, integrity and availability of the Company's business information and the sustainable operation of the Company.
    2. 2.2 To meet or exceed information security related laws, regulations, and customer information security requirements and testing to achieve continuous and safe business operations.
    3. 2.3 To establish and continuously improve the information and communication security management system to ensure the security of the Company's information and communication and effectively reduce the risk of theft, misuse, leakage, tampering or destruction of information assets caused by human negligence, intentional acts or natural disasters.
  3. Scope of Application
    1. This policy applies to our employees, vendors and third party personnel who access our business information or provide services.
  4. Organization
    1. The Company has a functional committee at the Board of Directors level, the "Ares Security Committee", which is chaired by an independent director elected by all members, and meets at least twice a year. Under this committee, an inter-departmental task force is established at the management level - the "Information and Communication Security Management Team", with the Vice President as the convener, responsible for the planning and implementation of the Company's information and communication security policies, and the formulation of the Company's information and communication security management, crisis notification and emergency response handling.
  5. Management Principles
    1. The security management of information and communication covers the 14 management issues of ISO/IEC 27001:2013:
    2. 5.1 Information Security Policy
    3. 5.2 Organization of information security
    4. 5.3 Human resource security
    5. 5.4 Asset management
    6. 5.5 Access Control
    7. 5.6 Cryptography
    8. 5.7 Physical and environmental security
    9. 5.8 Operational security
    10. 5.9 Communication security
    11. 5.10 System acquisition, development and maintenance
    12. 5.11 Provider relationships
    13. 5.12 Information Security Incident Management
    14. 5.13 Information security aspects of business continuity management
    15. 5.14 Compliance
  6. Responsibility
    1. 6.1 The Ares Security Committee shall review this policy and the related management system, and report to the Board of Directors annually on the results of the project.
    2. 6.2 The "APC Security Management Team" shall review and revise this policy and the specific management plan in a timely manner to ensure that the policy meets current needs.
    3. 6.3 The Information Security Management Unit shall implement this policy through appropriate standards and procedures, and develop awareness of information security risks for all employees.
    4. 6.4 Department heads shall proactively promote and require their staff to understand and comply with this Security Policy and all ICT security related requirements.
    5. 6.5 All Company employees, suppliers or third party personnel who have access to relevant business information shall comply with the requirements of this policy.
    6. 6.6 It is the responsibility of all Company personnel to report any potential ATC security incidents or ATC security weaknesses, and the ATC Security Management Team will be responsible for prevention and improvement.
  7. Evaluation and Review
    1. This information security policy shall be evaluated every six months or re-evaluated when there are significant changes in the organization. According to the evaluation results, the policy shall be revised as necessary.
  8. Announcement and Implementation
    1. This policy was reviewed and approved by the Company's "Information and Communication Security Committee" and is disclosed on the Company's intranet, official website and annual report. The same applies when it is amended.