Information Security Policy

The objective of information security of the Company is to ensure the confidentiality, integrity, availability, and compliance of important information and services. In addition, confirm the implementation status of ISMS and whether it has met the information security objective based on the definitions for all levels and functions, and the quantified index used to measure information security performance.

The Company considers internal and external topics, the needs and expectations of concerned parties, and the interface and dependency of activities between the company and other organizations. The scope of this policy and ISMS is: Femas HR cloud and the software development, operations and operational environment of corporate human resource system, including, physical office areas, cloud systems, development staff, software, operational data, system management units and related operations procedures.

The contents of ISMS are as shown below. Related units and staffs shall establish corresponding management rules or implementation plans, implement them accordingly, and conduct regular implementation performance evaluation:

(1)Information security organization and management review procedures

(2)Documents and documentation management

(3)Information security objectives and performance assessment

(4)Risks management

(5)Internal audit of information security

(6)Continuous improvement

(7)Human resource security management

(8)Asset management

(9)Access control management

(10)Physical and environmental security management

(11)Operations security and cryptography

(12)Information security management

(13)System acquisition, development and maintenance management

(14)Supplier relationships management

(15)Information security incident management

(16)Business continuity management

(17)Compliance management

The information security organization, authority and responsibility shall be clearly defined to ensure the effective operation of ISMS, allowing progresses in the promotion and maintenance of various types of management, execution and audit work.

The implementation of ISMS should follow the plan, do, check, act procedural model, through incremental steps to ensure the effectiveness and continuous improvement of the ISMS operation.

• 8.1

  This policy shall undergo review and evaluation during major change or at least once a year to reflect the latest development situation of relevant laws and regulations, technology, business, and related departments to ensure the effectiveness of information security operation.
• 8.2

  This policy shall be amended in accordance to the outcomes of the review, and enter into effect upon signed approval by the Company’s responsible person.
• 8.3

  Concerned parties, such as, customers, business partners, all employees, suppliers and so on, should be notified of the stipulation or amendments of this policy through writing, email, document management system or other methods.