Information Security Management Policy

I、Purpose

To maintain overall information security, HamaStar Technology Co., Ltd. (hereinafter referred to as the company) strengthens the security management of its information assets, ensures their confidentiality, integrity, and availability, and establishes a safe and reliable operating environment, so that data security, system security, equipment security, and network security protect the rights and interests of the company's colleagues and related internal and external personnel. This policy is formulated for that purpose.

II、Scope of Application

(I)、This policy applies to all employees and outsourced personnel of the company.

(II)、To prevent improper use, leakage, alteration, or destruction of information caused by human negligence, deliberate acts, natural disasters, or other factors, which may bring various risks and harm to the company, the following matters should be considered and managed:

A. Information security policy formulation and evaluation.

B. Organizational information security and division of labor.

C. Human resources security.

D. Asset and risk management.

E. Access control.

F. Encryption mechanism.

G. Physical and environmental security.

H. Operations security management.

I. Communications security management.

J. Information system acquisition, development, and maintenance.

K. Supplier management.

L. Information security incident management.

M. Operational continuity management.

N. Compliance.

 

III、Definition of parameters and terms

None.

 

IV、Goal

(I)、Maintain the confidentiality, integrity, and availability of the company’s information, including:

1. Protect the company's business information from unauthorized access.

2. Protect the company's business information, avoid unauthorized modification, and ensure that it is correct and complete.

3. Establish an information business sustainability plan to ensure the continuous operation of the company's business.

(II)、The company's business execution must comply with the requirements of relevant laws and regulations.

 

V、Principles

(I)、All colleagues should fully understand the purpose and responsibilities of this policy.

(II)、The department head shall be responsible for supervising, implementing, and auditing compliance with this policy and related operating regulations.

(III)、The company's information assets shall be regularly inventoried, classified, and graded; risk assessments shall be conducted for important information assets, and appropriate protective measures shall be implemented accordingly.

(IV)、All colleagues and outsourcing vendors must handle information business in accordance with prescribed procedures and designated measures.

(V)、All colleagues and outsourcing vendors should report information security incidents and information security weaknesses through appropriate notification mechanisms.

(VI)、Anyone who endangers information security shall be held civilly, criminally, and administratively responsible and subject to related punishments according to the seriousness of the circumstances.

(VII)、The effectiveness of the information security management system shall be reviewed periodically.

 

VI、Review

(I)、This policy should be evaluated at least once a year to reflect the latest developments in relevant laws, technology, and business and ensure the ability to maintain operations and provide services.

(II)、The company shall consider internal and external issues and stakeholders' requirements, formulate an appropriate scope of implementation for the information security management system, and implement it after review and confirmation by management.

(III)、The scope of implementation of the information security management system shall be reviewed and adjusted in the management review meeting, on a regular or irregular basis, in response to changes in the internal and external environment, such as requirements of laws and regulations, organizational changes, the occurrence of information security incidents, and the implementation status of the management system, in order to understand the needs and expectations of stakeholders, as shown in the following table.

Table 1: Understanding the needs and expectations of stakeholders.

| Internal issues | External issues | Stakeholder | Stakeholder requirements | Remarks |
|---|---|---|---|---|
| Organizational policies and goals | Competent authority (Ministry of Economy) requirements | Competent authority (Ministry of Economics) | Various laws and regulations | |
| | Government unit requirements | Government | Various laws and regulations | |
| Group Culture | N/A | Insider | Organization internal norms | |
| Related resource requirements (including manpower, technology, budget, etc.) | N/A | Insider | Training | |
| | | Senior Supervisor | Performance (KPI) | |
| Information Security Incident | Information Technology | Client | Contract content (SLA) | |
| | | Supplier | Contract content | |
| | ISO International Standard | ISO International Organization | ISO 27001 | |
| | | Third-party audit unit | | |

 

VII、Implementation

This policy will be implemented after being approved by the Chief Information Security Officer, and may be communicated in writing, electronically, or by other means to colleagues, organizations (institutions) related to the company's business, and vendors that provide information services; the same applies to amendments.