Information Security Policy: (CC-12000, annual audit)
- The company shall adopt an information security policy and set information operations security standards in accordance with its business needs and applicable laws and regulations.
- The following content shall be included in the information security policy:
- A definition of information security, information security objectives, and scope of information security.
- An explanation and description of the information security policy, information security principles and standards, and rules the employees must comply with.
- A description of the organizational unit in charge of the information security work, the unit's authority and duties, and segregation of said duties.
- Emergency procedures for reporting and handling an information security incident,along with related regulations.
- The information security policy adopted by the company shall be approved by its management, formally issued, observed by all of its employees, and notified to and observed by public and private authorities / institutions andproviders of information services with network connection with the company.
- The company's information security policy shall be evaluated at least once per year to reflect the latest developments in laws, regulations, bylaws, technology, and business etc., and to ensure the efficacy of the company's information security operations. Records of the above evaluations shall also beretained.
- Information security policy evaluations shall be conducted in an independent and objective mannereither internally or throughan outsourced professional institution.
- The company shall have its highest officer responsible for information security, and its board chairperson, general manager and chief audit officer to jointly issue a statement on overall implementation of the information security measures during the previous year, which will be submitted to the board of directors for approval. The statement shall be disclosed at the Market Observation Post System (MOPS) within three months after the closing of a fiscal year.