Under the current wave of digitalization, the importance of network, IT system and data security is increasing, and the requirements and expectations of the competent authorities and stakeholders for corporate information security are also increasing day by day. RichWave has established a cross-departmental information security management team, with the president as the convener, the information department and the administration department as the leaders and planners, and each business-related unit as an executor. The information security team holds regular meetings to review the implementation status of the Company’s information security system and is required to report to the Board of Directors at least once a year on the implementation status of the Company’s information security affairs in order to obtain advice and guidance from the highest level of the Company, thereby ensuring the effectiveness of the Company’s information security management operations.
Information Security Policy and Management Plan
Information Security Policy
In order to ensure that the information services provided by the Company can be used in a stable manner and that the confidentiality, integrity and availability of information assets related to employees, suppliers and customers can be effectively protected, the “Information Security Risk Management Policy and Procedures” was established by the Company and approved by the Board of Directors on December 23, 2021. This Policy governs the cycle count of the Company’s information assets, information security promotion, corporate confidentiality, information equipment maintenance and backup, personal computer security system maintenance, and information security incident notification, in order to ensure the sustainable operation of the Company’s information business.
The Company has established information security management procedure documents to ensure the security and accuracy of the electronic data of various systems, as well as to achieve the policy goal of continuous, normal operations of the Company’s business. This policy covers all the Company’s system data and information equipment, and expressly regulates the Company’s information security control operations (including access control, file management, and anti-virus measures), data processing operations, information equipment management and maintenance operations, form filling operations, and form retention period, so as to ensure that the Company’s system can effectively implement hierarchical control, important data can be properly retained, reviewed, and audited, and the information system can be fully protected and backed up. In addition, the Company regularly conducts information security advocacy, cooperates with the information security system to construct an effective information security environment, and builds data backup systems to conduct disaster recovery drills and thus ensure the continuous operation of the Company.
Information Security Control Measures
- We have established an annual inventory check of information system assets, conduct risk management based on information security risk assessment, and implement various control measures on a regular basis.
- The Company regularly performs information security promotions and conducts information security education and training at least once a year, and all new employees are required to sign non-disclosure agreements.
- All employees of the Company, outsourced vendors, and their partner vendors shall sign a non-disclosure declaration to ensure that those who use the Company’s information to provide information services or perform related information business have the responsibility and obligation to protect the Company’s information assets acquired or used by them from unauthorized access, unauthorized alteration, destruction, or improper disclosure.
- Critical information systems or equipment shall have appropriate backup or monitoring mechanisms in place which shall be regularly rehearsed at least once a year to maintain their applicability.
- Anti-virus software should be installed on personal computers and virus code updates should be checked regularly, and the use of unauthorized software should be prohibited.
- The accounts, passwords and authorizations of employees should be kept and used with due diligence and changed regularly.
- We have established standard procedures for responding to and notifying information security incidents, so that information security incidents can be handled immediately to prevent the expansion of damage.
- All employees shall comply with legal regulations and information security policy requirements, and management shall supervise the implementation of the information security compliance system to strengthen employees’ awareness of information security and legal concepts.
Information Security Education and Training
In order to build up the information security concept among employees and make each employee a part of the Company’s information security protection network, RichWave provides information security education and training to each new employee and conducts information security promotion to employees through e-mail from time to time. The information security training for new employees covers topics such as introduction to the Company’s information system, introduction to the document management system, introduction to the operation of electronic forms, computer and network usage regulations, and USB usage precautions. The Company’s information security supervisor provides guidance to all new employees to ensure that they can effectively follow the Company’s information security system and regulations. The Company also continues to observe the current information security situation in society, and produces information security promotions to address high-risk issues and sends them to all employees to prevent the occurrence of hazardous incidents. Four information security promotions were conducted in 2021, covering topics such as account security management and phishing scam letters, in order to raise employees’ awareness of information security and their vigilance in using e-mail, and to remind them to change their system login passwords regularly.