Information Security Management

1.0

Purpose

To implement information security management, strengthen the security of servers and network infrastructure, reduce the risks of asset theft, misuse, unauthorized disclosure, alteration, or damage caused by human error, malicious acts, or natural disasters, and ensure the confidentiality, integrity, and availability of information assets, L&K establishes this policy as the basis for implementing appropriate information security measures.

2.0

Scope

This Policy applies to all L&K employees, contract staff, consultants, business partners, vendors, clients, and other relevant third parties.

3.0

Information Security Objectives

To maintain the confidentiality, integrity, and availability of information assets and information systems, and to protect user data privacy, L&K strives to achieve the following objectives through the collective effort of all employees:

  • Continuously enhance and improve the effectiveness of the information security management system.
  • Strengthen information security management capabilities, technical expertise, and related tools in a timely manner.
  • Protect business information from unauthorized access or modification, and ensure its accuracy and completeness. 
  • Comply with applicable laws and regulations and ensure the continuity of business operations.

4.0

Management Unit

The L&K IT Department serves as the information security management unit. It is responsible for establishing relevant policies and standards, handling information security matters, and reporting to senior management in accordance with the organizational governance structure.

5.0

Information Security Requirements

  • All L&K employees, contract staff, consultants, business partners, vendors, clients, and other relevant third parties who use the company’s information resources to provide services or perform project-related work are responsible for protecting the information assets they access or use, and for preventing unauthorized access, use, alteration, destruction, or improper disclosure.
  • Personnel in all departments of L&K are responsible for safeguarding the information assets under their respective duties. They shall ensure the confidentiality, integrity, and availability of critical information assets, and prevent accidental or intentional damage, alteration, unauthorized disclosure, or loss (including theft in physical or electronic form). This is intended to support the company’s business interests and comply with applicable laws and regulations.
  • Maintaining and safeguarding information security is the responsibility of all personnel. Any actual or suspected information security incident or violation shall be promptly reported and addressed.
  • The development, establishment, and modification of management, administrative, and technical operations shall take information security requirements into consideration.
  • The obligation to protect and maintain the confidentiality of information obtained during the course of any work shall not be terminated due to changes in job duties or position.
  • The collection, processing, and use of personal data shall comply with the requirements of the Personal Data Protection Act and other applicable laws and regulations.
  • Access to and use of information assets, including the installation, deployment, development, use, and maintenance of hardware and software such as computers, network facilities, and information systems, shall be performed in accordance with relevant operating procedures and only with proper authorization.
  • Regular information security education, training, and awareness programs shall be conducted to enhance employees’ information security awareness and improve the company’s overall information security level and management capability.
  • Anti-virus and anti-hacking mechanisms shall be established to protect information systems and related assets, and to prevent improper or illegal use. These measures are intended to deter and prevent intrusions or malicious activities such as hacking and malware attacks.
  • To ensure network security and prevent malware infections, licensed anti-virus software shall be deployed, unnecessary network connections and services shall be disabled, and virus definitions and scanning engines shall be updated on a regular basis.
  • An emergency reporting mechanism for information security incidents shall be established. In the event of an information security incident, it shall be reported immediately to management in accordance with the incident handling procedures. A business continuity plan shall be developed as necessary based on operational requirements and shall be regularly tested and exercised.
  • Information security measures shall comply with applicable laws and regulations as well as the requirements of this policy.

6.0

Review and Policy Publication

  • The information security policy shall be reviewed at least annually, or upon significant changes or major incidents, to ensure alignment with applicable laws and regulations, current changes in the external environment, and the company’s latest operational status.
  • This policy shall be publicized to relevant parties via email, website publication, or other appropriate means.

7.0

Policy Implementation

This information security policy shall be approved by a Vice President or above prior to implementation. Any revisions shall be subject to the same approval procedure.