1. Purpose (Policy)
Eray Tech Co., Ltd. (hereinafter referred to as "the Company") establishes this Information Security Policy (hereinafter referred to as "this Policy") to ensure the security of information data, systems, equipment and network communications, effectively reduce risks of information asset theft, misuse, leakage, tampering or damage due to human error, intentional acts or natural disasters, and establish an information security management system to ensure the confidentiality, integrity and availability of information.
- 1.1 Confidentiality: Ensure that only authorized personnel can access sensitive information.
- 1.2 Integrity: Ensure that information used is accurate and has not been tampered with.
- 1.3 Availability: Ensure that authorized users can access information and related information assets whenever needed.
2. References
- 2.1 ISO/IEC 27001:2022 (Information security, cybersecurity and privacy protection - Information security management systems - Requirements).
- 2.2 Personal Data Protection Act and its enforcement rules.
3. Content (Objectives)
- 3.1 Establish an organizational information security implementation team responsible for promoting information security work.
- 3.2 Assess the appointment and dismissal of personnel, as well as the assignment of duties. For personnel who are leaving, on leave, suspended, or transferred, a control and manpower backup system should be established. Additionally, regular information security education and training should be conducted to enhance the awareness and level of information security among personnel.
- 3.3 Establish an information asset custody system to effectively allocate, utilize and manage information resources.
- 3.4 Important facilities and special areas should be subject to enhanced control.
- 3.5 Enhance computer network defense technology to block external intrusions and attacks in a timely manner.
- 3.6 Establish information emergency response mechanisms and business continuity drill plans, conduct regular drills, and keep test records.
4. Revision and Announcement
This Policy is reviewed annually by the "Information Security Implementation Team" and appropriately revised when changes occur in organization, business, regulations or physical environment. This Policy is promulgated after approval by the General Manager, and the same applies to revisions.
5. Communication and Review of Information Security Policy
- 5.1 The information security policy should be communicated to all personnel in the Company annually through education and training, internal meetings, posted announcements, etc., and its implementation effectiveness should be reviewed.
- 5.2 This information security policy is approved by the General Manager and reviewed annually at the information security management review meeting. Its appropriateness should be evaluated at least once a year to reflect the latest status of various information security policies, regulations, technology and business, ensuring the feasibility and effectiveness of security practices.
- 5.3 All personnel of the Company are responsible for maintaining information security and shall comply with relevant information security management regulations.