7. Implementation and status of information security

MACHVISION is a team based on IT research and development, so it especially emphasizes and maintains the key competitiveness of research and development, in addition to the anti-virus and anti-hacking protective measures for software and hardware that many other companies have implemented.

As of 2021, the implementation of three-level information security has been completed, as described below:

(1)Data encryption management：All company data files, graphics files, and software programs are encrypted and managed. If any report and data related to customer and supplier is needed, it requires the application for approval and decryption. Only in this way, external customers and suppliers can read the report, to enable the attainment of business activities and provision of related services from the suppliers.

(2)Strengthen information security in user environment: Currently, the R&D Department of high-level information security area is restricted to personal processing information equipment. All external computers and hardware equipment can be carried inside with restriction from connecting to the internal environment of MACHVISION. Moreover, personal processing computers will be blocked from us due to improper operations. With the control of USB use in the company, since the sales and customer service will inevitably need assistance from data analysis, the Information Department installs public virus scanning computers at all floors for users to scan data for viruses before loading.

(3)Establishment of internal antivirus software and external firewall antivirus/anti-hacking.

Recently, many large companies have suffered from malicious software and computer virus attacks, which are in a complicated situation. The awareness of information security protection continues to increase. With the training and real-time assistance from the frontline information security companies, it reduces the risk of MACHVISION’s commitment to customers and shareholders and the adverse effects on operational results, finance, and prospects.

(4)Supporting and backup mechanism: Execute the upgrade of the critical server system to high reliability, and incorporate the upgrade and improvement on the virtual server model and backup server. Develop and execute the configuration of full backup on the computers of senior managers to reduce the risks of data loss caused by malicious software and computer virus attacks.

(5)Introduction of email filtering services: The introduction of cloud email filtering services will reduce the risks of related email attacks.

(6)Establishing the management architecture of server status: Establish logs management and monitor the server service and resources status.

(7)Conduct vulnerability scanning and social engineering drills to assess internal and external environmental risks and strengthen social engineering awareness training.

(8)Implement firewall-based external network traffic monitoring and alert management mechanisms for enhanced cybersecurity control.

8. Information Security Risk Management Organization

The Company establishes the Risk Management Committee targeting risks related to information security. The chief of the IT Department serves as the convener while the network service members participating in the actual execution of information security projects form the Committee members. One dedicated information security supervisor and one dedicated personnel are assigned to take charge of the establishment of the information security system, technical introduction, and information security supervision and auditing through cooperation with colleagues from the IT Department.

The Committee conducts risk analysis on the information security and internet risk assessment procedures based on the level of risk effect and probability of occurrence. The Committee also conducts corresponding management mechanisms for high-risk environments and systems to establish the high-reliability model, data backup architecture, and remote backup model, which will reduce the impact of information security events.

The Committee formulates and regularly reviews the information security policies in addition to reporting the information security event reporting and response mechanism on the monthly information security report and anomalies review meeting. The Committee also reports the information security checks to the Board of Directors.

The last assessment report issued by the Committee is dated December 19, 2024, as shown in the annual information security report:

(1) Conclusion of 2023 information security monthly reports: Explanation on the information security management items and management anomaly events. The number of major anomaly events for 2024 is 0.

(2) Supplements to key information security management: Endpoint virus attacks and blocking records, internet and server anomaly records, external attacks detection and blocking records. Reporting on the upgrade plans of related network equipment.

(3) Guide to information security and internet management strengthening: The guide takes consideration of the 2024 information security strengthening guide from the sustainability report. In particular, the mandate to professional third-party for information security audit and diagnosis and the drills of social engineering was completed for the first half of the year. The internal advocacy and educational training for information security were also implemented in all employees.

During the meeting, it was required to strengthen the filtering and protection of junk email/phishing websites/email attacks and build up voluntary management of information security messages and management of high-risk and high-severity attacks.