In response to personal information protection and information security needs, Tatung Company established the Information Security and the Personal Information Protection Committee as early as 2014, continuously obtained BSI third-party certification, passed the ISO27001 information security management system verification, and ensured the security of the company's personnel, data, information systems, equipment and network in accordance with the requirements of the BS10012 personal data protection standard. To ensure the safety of the company's personnel, data, information systems, equipment and network, establishing an information security policy as the highest guiding principle of the company's information security management system, achieving the goal of "uninterrupted service, no loss of information, personal information not leaked, and enterprise sustainable operation".
The actual implementation method is based on the pre-emptive and risk reduction pre-existing issues. Through the discussion of the monthly meeting of the Information Security Monthly Meeting and the emergency response, the review of the new internal and external security issues will be carried out to the annual plan. And in the annual information security and personal information management review report, explain the implementation results of this year and the information security budget plan for the next year. The annual activities include semi-annual external auditor's audits, two outsourcing consultants' external counseling every year, and an annual internal audit of the audit committee to determine the implementation status of the information security management system and whether to achieve the information security objectives of confidentiality, integrity, availability and compliance of each service.
In response to changes in the social environment, laws and regulations, and technological advancement, Tatung has formulated a privacy protection statement. The collection, processing and use of customer data are in compliance with the "Personal Data Protection Law" and related laws and regulations and properly protect the personal data of customers. The summary of key control measures is shown in Table 4.3-1. In 2021, there was no complaint related to infringement of customer privacy or loss of customer information. In addition, in recent years, there have been cases of fake official community accounts for fraudulent use. When we were informed of such news, we immediately went to the company's official website and our social group to announce warning messages to prevent consumers from being victimized.

Structure of Tatung Information Security and the Personal Information Protection Committee

Information Security Management
Information Security & personal information Organization Members: conveners and executive officers total 15 (plus info officers of units).
Regular meetings Monthly meeting, annual management review meeting.
Audit activities Annual Internal audit, biannual external audit.
Education Training Online learning information security courses (Compulsory for new recruits), semi-annual Information Security and Personal Information Education Training, annual Information Security Officer Education and Training.
Social Engineering Semi-annual.
Host Vulnerability scan Annual first-time scan and rescan.
Information Security Alert Daily Information Security Alert notifying users, Information Security News Promotion and Announcement, Info news on company portal website biweekly report.

Regularly obtained ISO27001 certification, the current validity period of the certificate is from December 31, 2020 to December 30, 2023.

Key personal data protection management and control measures

Management systems Tatung has passed ISO 27001 certification and complies with the BS 10012 personal data protection standard.
Management and control measures
  1. Customer service personnel who contact the customer's personal information will be under strictly access control and forbidden to contact customers privately without the authorization of the supervisor to avoid the loss of important personal information.
  2. Strengthen information safety awareness: Regularly hold personal information and information security training courses and implement tests after class to ensure the employees fully understand the importance of personal information.
  3. Strengthen the security control management of website information: Import appropriate protection mechanisms and monitoring software, conduct regular penetration testing and source code detection to prevent improper access and protect customer personal data.