Information Security Risk Management
Information Communication Security Management Strategy and Framework
1. Information Communication Security Risk Management Framework
(1) In 2021, our company established the "Information Security Committee," responsible for executing information operation security management planning, establishing and maintaining an information security management system, coordinating the formulation and implementation of information security and protection policies, as well as conducting risk management and compliance audits. The Information Security Committee is chaired by the CEO, with Mr. Guo Peiyi, the Associate Manager of the Information Department, serving as the Chief Information Security Officer and Executive Secretary. The committee includes senior executives from various functional units within the company, including the Next Generation Business Division, Footwear Business Division, Coating Business Division, Operations Management Division, Financial Management Division, Research and Innovation Division, Human Resources Department, Information Department, Legal Department, and Audit Office.
Additionally, we have established the "Information Security Audit Team" and the "Information Security Execution Team," responsible for planning and auditing information security and physical security matters within the company. These teams play a leading role in the operation of the committee.
• The Information Security Management Committee is responsible for establishing information security management policies and procedures, with regular reviews and revisions.
• The Information Security Management Committee holds periodic review meetings to ensure the smooth operation of management mechanisms and reports to the Board of Directors annually.
• The IT Department includes an Information Security Officer, cybersecurity managers, and personnel, who coordinate all cybersecurity-related policies, implementation, and the planning and establishment of the cybersecurity defense framework.
(2) Information Security Organization Structure
2. Information Security Policy
Our company's information security policy extends to both the company and its subsidiaries worldwide, guided by the following principles:
(1) Strengthen information security management to ensure the confidentiality, integrity, and availability of owned information assets.
(2) Provide an information environment that ensures the continuous operation of the company's information business.
(3) Comply with relevant regulations to protect against intentional or accidental threats from internal and external sources.
The following objectives are to be achieved:
• Ensure the confidentiality, integrity, and availability of company information, along with compliance of management systems and processes with regulations.
• Strengthen in-depth defense capabilities across four dimensions: organization, personnel, processes, and technology, enhancing the resilience of core information and communication systems to ensure continuous operations.
• Regularly review the effectiveness of risk management measures and incident response procedures in light of changing internal and external cybersecurity circumstances.
• Implement protection for sensitive data and ensure proper data backup/restoration processes to prevent unauthorized use, tampering, or damage to information assets caused by human error, intentional acts, or natural disasters, thereby safeguarding business operations and protecting the company's interests and competitiveness.
• Protect customer information and privacy appropriately, regardless of the region or country the customer is located in, and irrespective of whether local legislation exists.
To further enhance information security management, the company has implemented a comprehensive Information Security Management System (ISMS) to mitigate cybersecurity threats from system, technical, and procedural perspectives. This system establishes an information security environment that meets customer requirements. In 2022, the company obtained ISO 27001 certification, with the certificate valid from July 22, 2022, to July 22, 2025.
By establishing and implementing the PDCA (Plan-Do-Check-Act) cycle within the ISMS framework, the company continues to strengthen the daily management of information security and its ability to respond to abnormal incidents. This ensures the protection of corporate information assets and safeguards the company's competitiveness.
- Planning Phase: Emphasis is placed on information security risk management. The company introduced ISO 27001 Information Security Management System certification in 2022 to enhance information security. This certification ensures that information systems operate under standardized management practices, reducing security vulnerabilities and production abnormalities resulting from human errors. Annual reviews are conducted to continuously improve the system.
- Do Phase: The company constructs a multi-layered information security protection mechanism and continuously integrates new risk management technologies to improve the efficiency of detecting and responding to information security incidents. The company also reinforces information security and network protection processes to safeguard critical assets.
- Check Phase: Information security management indicators are monitored regularly, and an annual third-party review and audit of the management system are performed. Additionally, the company commissions a cybersecurity vendor to conduct host vulnerability scans to ensure the continual enhancement of information security management and defense capabilities.
- Action Phase: Regular reviews and continuous improvement efforts are implemented. Violations of information security regulations and procedures by employees and contractors lead to appropriate disciplinary actions. Ongoing education and training for all personnel are conducted to enhance overall awareness of information security.
3. Information Security Control Measures
(1) Employee Information Security Awareness Training
Regularly conduct information security education and awareness courses, including recording online training sessions to enhance employees’ knowledge of information security and promote correct behaviors.
A. Training Courses:
• In 2024, all 19 new employees at headquarters completed a one-hour pre-employment information security training course.
• Information security managers and personnel are scheduled to participate in the Taiwan Stock Exchange’s "2024 Listed (OTC) Companies Information Security Video Course" from December 1, 2024, to February 28, 2025.
B. Awareness Programs:
• Publish bi-monthly information security policy announcements via email.
• Conducted an "Information Security Awareness Promotion" session during the weekly meeting on January 3, 2024, communicating key security regulations and precautions, with a total of 487 participants and a total duration of 122 hours.
• Additionally, the group conducted three social engineering phishing email tests in December, involving a total of 500 participants.
(2) Information System Security Management
A. Install antivirus software on all company servers, personal computers, and laptops with automatic virus definition updates and regular review of update statuses. Endpoint Detection and Response (EDR) software is also deployed to monitor abnormal behaviors.
B. Promptly deploy security patches for vulnerabilities on company servers, personal computers, and laptops to ensure proper system security updates.
C. Integrate cybersecurity modules into the email system, including spam filtering, malicious email detection, and email archiving and auditing functions, to enhance overall email security.
D. Perform daily backups for application systems and databases, adhering to the 3/2/1 backup principle: 3 copies of data, 2 different storage media, and 1 copy stored offsite. Conduct annual system data restoration drills and monitor daily backup results to ensure data storage security.
E. Remove administrator rights across departments, enforce the use of company-authorized software, and comply with relevant regulations. Unauthorized and non-business-related software cannot be installed or used, ensuring software license compliance and reducing the risks of infection by viruses or backdoor programs.
F. For outsourced information system operations, conduct careful assessments of potential security risks beforehand and sign appropriate information security confidentiality agreements with vendors.
G. Conduct annual internal audits on information security and undergo external ISO 27001 audits to ensure the implementation and improvement of management procedures.
(3) Network Security Management
A. External-facing application systems are isolated from the external internet using firewalls, with access ports restricted to block malicious connections. Abnormal connection reports are reviewed regularly.
B. Firewalls are deployed for external company networks to filter all inbound and outbound traffic. Traffic that violates network security is blocked, and abnormal reports are regularly reviewed for analysis and processing.
C. Employee-owned (private) devices are monitored, and unauthorized devices are detected and blocked so that private equipment cannot connect to the company network and be used to steal confidential information.
D. Internal firewalls are established to achieve in-depth defense objectives, protecting critical departmental information from external hacker attacks and implementing application access controls.
(4) System Access Control
A. When employees are newly hired, transferred, or resign, an access request must be submitted through the system to notify cybersecurity personnel to add, adjust, or delete the user's access permissions, ensuring secure system access.
B. Information systems must require account credentials, and user passwords should adhere to security principles, including length and complexity requirements, with mandatory periodic password changes.
C. Internal application systems grant access based on job requirements. Users must submit an IT service request through the system, which is then reviewed by relevant supervisors and finalized by IT personnel who configure system permissions.
D. For vendor system setup and maintenance operations, access permissions are restricted to necessary systems. Long-term system accounts and passwords are strictly prohibited. Short-term or temporary system accounts and passwords may be issued for vendors based on operational needs. Such accounts must be requested through the system and deactivated immediately after use.
(5) Sustainable Cybersecurity Operations and Management
A. Establish an Information Security Committee responsible for formulating and implementing cybersecurity policies and management procedures, reviewing security issues and response strategies, and ensuring that all employees strictly adhere to them to maintain company information security. Daily cybersecurity operations are managed by the IT department.
B. Obtained ISO 27001:2013 certification in 2022, with the subsidiary in Vietnam also achieving the updated ISO 27001:2022 certification in 2024. Through comprehensive and implemented management procedures, the cybersecurity management system is further strengthened to protect corporate and customer information assets. Annual external audits ensure the effectiveness and continuous improvement of these management procedures.
C. In compliance with Article 9-1 of the FSC’s "Regulations Governing Establishment of Internal Control Systems by Public Companies," the company, classified as a second-tier listed company, appointed two dedicated cybersecurity personnel in 2022, including a cybersecurity officer.
D. Develop and execute daily cybersecurity monitoring workflows. In the event of a security incident, promptly notify relevant department supervisors and cybersecurity personnel in accordance with the established incident management procedure, ensuring appropriate handling and swift recovery operations.
E. The Information Security Committee periodically assesses the likelihood of losses caused by cybersecurity risks. If necessary, appropriate cybersecurity insurance is procured to mitigate risks and potential losses from security incidents.
4. Resources Invested in Information and Communications Security Management
The company has established a defense-in-depth cybersecurity mechanism to mitigate the risk of business disruption caused by security incidents and to maintain continuous operations in support of business performance. The defense-in-depth strategy encompasses network, endpoint, data, and cloud defense layers. Investments in strengthening cybersecurity across these layers include:
• Deployment of firewalls, blocking connections from unauthorized devices, enhancing encryption certificates, and creating secure Work-From-Home (WFH) connectivity that meets cybersecurity standards.
• Implementing software patching for server and user-end vulnerabilities, controlling data-sharing channels between endpoints to block virus propagation, and establishing Storage High Availability (HA) architecture for critical system services to ensure availability.
• Building endpoint detection and response (EDR) mechanisms to monitor endpoint anomalies effectively, identify potential intrusions, and respond promptly to minimize risks.
• Strengthening backup equipment, adhering to the 3/2/1 backup principle, conducting Disaster Recovery (DR) drills, and planning the introduction of sensitive data protection platforms.
In line with ISO 27001 management procedures, additional measures to enhance the cybersecurity management system include:
• Scheduling annual vulnerability scans and improving high-risk items identified in the results to continuously enhance the quality of cybersecurity defenses.
• Conducting social engineering exercises to measure employees’ cybersecurity awareness and prevent phishing attacks on personal computers, accompanied by corresponding cybersecurity education.
Furthermore, to stay informed on cybersecurity intelligence, the company has joined TWCERT/CC (https://www.twcert.org.tw/) as a corporate member, leveraging resources and experience sharing from domestic and international cybersecurity organizations and institutions.
• The Company convened the Information Security Committee on December 3, 2024, and reported to the Board of Directors on December 18, 2024, regarding the establishment and implementation status of the 2024 Information Security Risk Management Framework.
Information security incident management | 2024
Total number of information security incidents | 0
Number of information security incidents affecting customers' personal information | 0
Total number of customers affected by information security incidents | 0
Total amount of fines related to information security incidents | 0