Information Security Policy
Information and Communication Security Management Policy
1. Purpose
To maintain the Confidentiality, Integrity, and Availability (CIA) of the information assets belonging to SuperbIN Instrument Co., Ltd. (hereinafter referred to as "the Company"), to comply with relevant regulatory requirements, and to protect user data privacy from deliberate or accidental threats, whether internal or external.
2. Scope
This policy applies to all Company personnel, outsourced service providers, and visitors. It governs all matters related to the management of information and communication security (ICS) operating standards.
To prevent risks and hazards such as improper use, leakage, tampering, or destruction of data caused by human error, intentional acts, or natural disasters, ICS management is governed by the "Statement of Applicability," "Document Management Procedure," "ICS Audit Management Procedure," and "Corrective and Preventive Management Procedure," as well as the following specific procedures:
- Policy & Evaluation: ICS Policy, ICS Objective Management Procedure, and Organizational Context Analysis Procedure.
- Organization: ICS Organization Management Procedure.
- Human Resources: Human Resource Security Management Procedure (including education and training).
- Asset Management: Information Asset Management Procedure (classification and control).
- Data Security: Data Security Management Procedure.
- Risk Management: ICS Risk Management Procedure.
- Access Control: Access Control and Password Management Procedure.
- Physical Security: Physical and Environmental Security Management Procedure.
- Operations: Operations Security Management Procedure.
- Network Security: Network Security Management Procedure.
- System Development: System Development and Maintenance Management Procedure (security in acquisition, development, and maintenance).
- Supplier Management: Supplier Relationship Management Procedure.
- Incident Management: ICS Threat Intelligence and Incident Management Procedure.
- Business Continuity: Business Continuity Management Procedure.
- Compliance: Regulatory Compliance Management Procedure.
3. Responsibilities
To effectively implement the Company’s ICS policy, responsibilities are assigned as follows:
- ICS Committee: Established by the Company, with a Chief Information Security Officer (CISO) appointed by senior management. The Committee coordinates ICS policies, plans, operations, resource allocation, and management reviews.
- ICS Working Group: Established under the Committee, with a designated Management Representative appointed by the CISO. The group is responsible for drafting and amending management procedures and ensuring the effective operation of the ICS Management System (ISMS). They must report ICS performance to the Committee at least once a year.
- Departmental Compliance: All Company units must comply with the ICS regulations formulated by the ICS Working Group.
- General Compliance: All employees, remote system users, and contractors must adhere to this policy and related management regulations.
- Legal Liability: Any actions endangering ICS shall be subject to civil, criminal, and administrative liabilities in accordance with the law and Company regulations.
4. Definitions
- Information and Communication Security (ICS): The preservation of confidentiality, integrity, and availability of information and communications; it may also involve properties such as authenticity, accountability, non-repudiation, and reliability.
- Confidentiality: Ensuring that information is not made available or disclosed to unauthorized individuals, entities, or processes.
- Availability: Ensuring that authorized users have access to information and associated assets when required.
- Integrity: Safeguarding the accuracy and completeness of assets.
- Authenticity: Ensuring that the identity of a subject or resource is the one claimed.
- Non-repudiation: The ability to prove the occurrence of a claimed event or action, so that the event cannot be denied later.
- Accountability: Ensuring that the actions of an entity can be traced uniquely to that entity.
- Reliability: Ensuring consistent intended behavior and results.
5. Operational Objectives
The Company integrates ICS objectives across all levels and departments to establish the following overall policy goals:
- Confidentiality: Protect business information from unauthorized access.
- Integrity: Protect business information from unauthorized modification to ensure accuracy.
- Availability: Establish business continuity plans to ensure the continuous operation of information services.
- Compliance: Ensure all business execution meets relevant regulatory and legal requirements.
6. Review
This policy shall be evaluated and reviewed at least once a year to comply with government regulations, reflect trends in information and communication technology, and ensure the continued effectiveness of ICS management operations.
7. Implementation
- The ICS policy and its performance shall be reviewed annually during ICS Committee meetings.
- In accordance with the "ICS Objective Management Procedure," the Company shall use the "ICS Objective Effectiveness Measurement Table" to regularly review performance and ensure the appropriateness of policy goals at all levels.
- In accordance with the "Organizational Context Analysis Procedure," the Company shall use the "Organizational Context Identification Table" to analyze internal and external issues and understand stakeholder expectations.
- The Company shall define and annually review the "Statement of Applicability" (SoA), including the scope of the ISMS and the justification for the inclusion or exclusion of specific controls.
- This policy shall be implemented upon approval by the ICS Committee; the same process applies to any subsequent amendments.