1.Purpose

Femas HR (hereinafter referred to as “the Company”) strives to enhance its information security management, ensuring the confidentiality, integrity, and availability of the Company’s information assets. It also aims to provide the information environment and structure necessary for the continuous operation of the Company’s business, to meet the requirements of relevant laws and regulations, and to avoid any impact brought about by internal or external, intentional or accidental events. This policy (hereinafter referred to as “this Policy”) is specially established as the highest guiding principle for the Company’s Information Security Management System (ISMS).

2.Objective

The objective of the Company’s information security is to ensure the confidentiality, integrity, availability, and compliance of important information and services. In addition, the implementation status of the ISMS, and whether it has met the information security objective, shall be confirmed based on the definitions for all levels and functions and on the quantified indices used to measure information security performance.

3.Scope

The Company considers internal and external topics, the needs and expectations of concerned parties, and the interfaces and dependencies of activities between the Company and other organizations. The scope of this Policy and the ISMS is the Femas HR cloud and the software development, operations and operational environment of the corporate human resource system, including physical office areas, cloud systems, development staff, software, operational data, system management units and related operating procedures.

4.Target and responsibility

  • (1) All internal staff, service suppliers, visitors, and other parties within the Company’s scope shall abide by this Policy and each ISMS procedure.
  • (2) Any behavior that jeopardizes information security shall be penalized in accordance with the relevant regulations of the Company and, where necessary, shall be subject to civil, criminal and administrative liability.

5.Coverage

The contents of the ISMS are as shown below. Related units and staff shall establish corresponding management rules or implementation plans, implement them accordingly, and conduct regular evaluations of implementation performance:

(1) Information security organization and management review procedures

(2) Documents and documentation management

(3) Information security objectives and performance assessment

(4) Risk management

(5) Internal audit of information security

(6) Continuous improvement

(7) Human resource security management

(8) Asset management

(9) Access control management

(10) Physical and environmental security management

(11) Operations security and cryptography

(12) Information security management

(13) System acquisition, development and maintenance management

(14) Supplier relationship management

(15) Information security incident management

(16) Business continuity management

(17) Compliance management

6.Organization, authority and responsibility

The information security organization, its authority and its responsibilities shall be clearly defined to ensure the effective operation of the ISMS, allowing progress in the promotion and maintenance of management, execution and audit work of all types.

7.Implementation principles

The implementation of the ISMS shall follow the Plan-Do-Check-Act (PDCA) process model, proceeding in incremental steps to ensure the effectiveness and continuous improvement of ISMS operation.

8.Review and evaluation

  • 8.1 This Policy shall undergo review and evaluation upon any major change, and at least once a year, to reflect the latest developments in relevant laws and regulations, technology, business, and related departments, so as to ensure the effectiveness of information security operations.
  • 8.2 This Policy shall be amended in accordance with the outcomes of the review, and shall take effect upon signed approval by the Company’s responsible person.
  • 8.3 Concerned parties, such as customers, business partners, all employees, and suppliers, shall be notified of the stipulation or amendment of this Policy in writing, by email, through the document management system, or by other methods.