Corporate Governance

Information Security Risk Management Framework

Information Security Policy and Objectives

In facing the challenges of digital transformation, global competition, and sustainable development, KEMFLO firmly believes that information security is a core element of sustainable business operations and of maintaining stakeholder trust. KEMFLO is committed to ensuring the stability, security, and availability of its systems, data, equipment, and networks through a rigorous information security management system, in order to protect the important information assets of customers, shareholders, employees, and partners, and to jointly promote a trustworthy digital environment. At the same time, we are committed to complying with relevant regulations, continuously strengthening our protective capabilities, practicing corporate governance and social responsibility, and creating long-term value for stakeholders.

Information Security Management Organization

To strengthen the company's information security management and ensure the safety of data, systems, and networks, an Information Security Management Office has been established as the dedicated unit for information security, which includes an information security officer and at least two or more information security personnel responsible for the planning and execution of information security affairs.

To strengthen information security governance and ensure the security of data, systems, and networks, KEMFLO's Information Security Management Office serves as the dedicated unit responsible for the planning, execution, and continuous improvement of matters related to information and communication security.

The Information Security Management Office promotes information security strategies and action plans to ensure the effective implementation of the information security management system. Through cross-departmental collaboration, it enhances the information security awareness and responsibility of all employees, jointly creating a safe, trustworthy, and sustainable operating environment. This ensures that information assets are well protected and improves the overall operational resilience.

Information Security Management Office: (organization figure not reproduced)

Information Security Risk Management Mechanism

In order to effectively reduce information security risks and ensure the stability of company operations and the security of information assets, KEMFLO has established an information security risk management mechanism, which mainly covers the following measures:

1. Data Center Security Management

· Establish strict physical access control, allowing only authorized personnel to enter.

· Configure monitoring, fire protection, temperature and humidity control, and uninterruptible power supply systems to ensure a stable environment and equipment safety in the data center.

2. Computer and Information File Security Management

· Establish a hierarchical access control mechanism to ensure that only qualified personnel have access.

· Regularly conduct data backup and restoration tests to ensure accuracy, integrity, and recoverability.

· Implement an audit mechanism to track and review user behavior to prevent abnormal access.

3. Network Security Management

· Deploy firewalls, EDR, and vulnerability scanning tools to prevent malicious attacks.

· Establish an abnormal traffic monitoring and reporting mechanism to detect potential threats in real time.

4. Email Security Management

· Establish an email filtering mechanism to block spam and malicious attachments.

· Deploy antivirus systems and anti-fraud technologies to reduce the risk of social engineering attacks.

· Regularly promote email usage guidelines to enhance employees' awareness of prevention.

5. Information System Access Control

· Implement the "Principle of Least Privilege" by assigning accounts and permissions based on job requirements.

· Establish an account management process that covers creation, modification, and deactivation to ensure access security.

Through the above measures, continuous risk assessment and improvement are conducted to strengthen cybersecurity protection capabilities, ensuring that information systems operate robustly under the three core principles of confidentiality, integrity, and availability.

Principles and Standards of Information Security

1. Education and Training Promotion

· Regularly conduct information security education and training, covering information security policies, legal regulations, operational procedures, and proper use of information technology.

· Enhance employees' awareness of information security risks and improve their consciousness of adhering to policies and regulations.

2. Computer Virus and Intrusion Protection

· Adopt measures for computer virus detection, prevention, and remediation to reduce the threat of malicious programs.

· Establish proactive intrusion detection and prevention systems that promptly block malicious attacks to ensure the safety of computers and data.

3. Sustainable Operation of Information Systems

· Establish a disaster recovery plan for information systems.

· Ensure that critical information assets and communication systems can continue to operate normally during natural disasters, human accidents, or other significant events.

Relevant regulations that employees should comply with

1. Account and Identity Management

· User accounts must be created by the information unit through an application process and are strictly prohibited from being shared.

2. Data and Equipment Protection

· Computer data and equipment must not be destroyed, taken out, lent, or modified without authorization, to ensure their integrity.

· All information equipment should be properly protected to avoid shortening its lifespan through exposure to humidity, sunlight, or liquids.

3. Legal Software Use

· It is strictly prohibited to use unauthorized or unlicensed software, to avoid legal liability and information security risks.

4. Host and System Operating Specifications

· After completing tasks or after a long period of inactivity, users should immediately log out of the system to prevent data leakage or damage.

5. Personnel Changes and Handover

· When employees resign or change positions, the information unit should properly handle account deactivation and data transfer to avoid leaving behind risks.

6. Equipment Abnormality Reporting

· When information equipment or systems are not functioning properly, users should immediately notify the information unit for inspection or repair and must not handle it on their own.

Information Security Management Plan

To ensure the security of information assets and operational stability, the company has established multi-layered information security management measures, covering the following specific plans:

1. Firewall Protection

· Establish firewall connection rules to prevent unauthorized access.

· Special connection requests must be formally applied for and approved before they can be opened.

· Automatically filter website links that may contain trojans, ransomware, or malicious programs.

2. Antivirus Software Management

· Comprehensive installation of antivirus software and EDR, with automatic updates of virus definitions.

· Reduce the risk of malware infection and spread.

3. Operating System Updates

· Enable the operating system's automatic update feature to ensure timely vulnerability patches.

· For devices that cannot be updated automatically, the IT department will assist in completing the updates.

4. Email Security Control

· Establish an automatic email scanning and threat protection mechanism to intercept unsafe attachments, phishing emails, spam, and malicious links before they reach the user.

· The antivirus software and EDR on the receiving endpoint will scan again to ensure multi-layered protection.

5. Data Backup Mechanism

· Important information system databases are set to back up automatically every day.

· Regularly verify the integrity and recoverability of backup files.

6. Centralized Management of Important Documents

· Important documents from each department must be uploaded to the company's document management system or file server, where the IT department performs unified backup and storage.

· Ensure that file versions are traceable to avoid loss or accidental deletion.

7. SOC (Security Operation Center)

· Establish a Security Operation Center for real-time monitoring of network traffic and automatic detection of abnormal behavior, potential attacks, and security incidents.

· Provide a 7x24 cybersecurity incident reporting and response mechanism to shorten the handling time of cybersecurity incidents.

8. SIP (Security Intelligent Portal, Information Security Intelligence Platform)

· Build SIP as a centralized management platform for information security incidents, integrating logs and alerts from systems such as firewalls, IDS/IPS, antivirus, and email protection, so that IT personnel can quickly grasp the company's overall information security status.

· Through data analysis and intelligent models, proactively predict potential threats and provide response recommendations.

· Enhance cross-departmental collaboration efficiency and shorten incident handling and decision-making time.

Investment in information security resources

The company values information security governance and continuously invests human resources, technology, and budget resources to establish a comprehensive information security management framework to ensure stable operations and the security of information assets.

1. Organization and Human Resource Allocation

· Establish a cybersecurity management office as a dedicated unit, with the following configuration:

  Information Security Officer (1): Responsible for planning, executing, and supervising the information security program.

  Information Security Personnel (2 or more): Responsible for daily information security operations execution and risk monitoring.

2. Operations and Maintenance Investment

· System Upgrade and Maintenance: Regular upgrades and vulnerability patches for the operating system and key application software.

· Disaster Recovery Drill: Plan and execute regular drills to ensure the effectiveness of the disaster recovery plan (DRP).

· Regular Review Mechanism: The Information Security Management Office holds monthly meetings to review the information security plans and implementation progress, ensuring that measures are effectively carried out.

3. Awareness Enhancement and Testing

· Social Engineering Drill: Conduct unscheduled simulations of phishing emails, impersonation attacks, etc., to assess employees' cybersecurity awareness.

· Education and Training: Continuously strengthen the cybersecurity awareness of all employees to ensure that information security responsibilities are implemented in each unit.

4. Budget and Resource Management

· Based on the testing results and information security needs, an annual dedicated budget for information security is allocated, covering hardware and software updates, the introduction of information security services, and personnel training.

· Establish an annual resource allocation plan to ensure that cybersecurity investments align with corporate governance and sustainable development goals.

Emergency Notification Procedure

When an information security incident occurs, the company follows established procedures for reporting and handling to ensure that the incident can be detected in a timely manner, correctly classified, and effectively managed, reducing the impact on operations.

1. Incident Reporting

· Occurrence Unit: Immediately report the incident to the Information Security Management Office.

· Reporting Method: By phone, email, or the dedicated reporting system.

· Report Content: At least include the event time, location, impact scope, relevant personnel, and a preliminary description of the situation.

2. Event Judgment and Classification

· Information Security Management Office: Upon receiving the report, immediately determine the type of incident (e.g., virus infection, hacker attack, data breach, system anomaly, equipment theft, etc.).

· Classify events based on severity (normal, major, urgent) to determine the response level and handling methods.

3. Real-time Processing

· Activate emergency response procedures and take necessary actions (e.g., isolate affected systems, block accounts, suspend services).

· Notify the relevant affected departments simultaneously.

· In the case of a significant event, immediately report to senior management and notify the board of directors as necessary.

4. Record and Track

· Keep a complete record of the event, including the time of occurrence, the handling process, the decision content, and the final result.

· The Information Security Management Office conducts a review after the incident, proposes improvement measures, and incorporates them into the subsequent information security improvement plan.
