Information Security Management Framework

The senior management of Simplo pays regular attention to information security issues. The unit responsible for information security is the Information Department, which is in charge of planning and implementing the relevant information security regulations. The Audit Office is the audit unit for information security supervision and conducts an annual information security audit of the internal control system (electronic computer cycle) to evaluate the effectiveness of the Company's internal control of information operations.

Information Security Policy

To protect Simplo's information assets from intentional or accidental damage and to ensure sustainable corporate operation, this information security policy has been formulated to confirm the security of the Company's key information assets.

Information Security Management

The Information Department of Simplo formulates the information system management procedures. The procedures apply to the use of the Company's computer information system and enterprise network resources. By formulating these procedures and having employees implement them, the Information Department seeks to ensure the accuracy and security of the Company's information and data, to provide management information, and to assist the various units in processing data. The main controls of the management procedures include the following matters.

  • Use and cancellation of computer system resources: The control requirements for the computer system resources that employees need in their jobs are regulated, including applications for desktop/laptop use, computer software installation, control of internet access for public laptops used off-site, and cancellation of the computer resource authorization and accounts of resigned personnel.

  • Data backup and disaster recovery: The control requirements for data backup operations are regulated. Server data files and database data are backed up to tapes or off-site hard disk cabinets according to the defined backup cycle and the schedule set in the backup software. The backup software sends a notification email whether the backup succeeds or fails. The administrators must handle and resolve any irregular backup immediately to ensure that the backup is completed correctly. When a disaster occurs, data recovery operations are required. The duties of the relevant units are stipulated, and administrators are required to conduct disaster recovery tests on a regular basis (every six months, with no fixed date).

  • Computer virus management: The Company's computer virus prevention practices are regulated, including the installation of Company-authorized anti-virus software on all computers and the regular update of virus definitions. Regular system and security updates are delivered through the Windows Update server, and internet behavior is controlled through a proxy and firewalls.

  • Email management: The rules for the use of email are regulated, including management of the number of recipients, the size of a single email, the sending and receiving of private email, and the Company's emails sent and received externally.

  • Internet access management: The regulations state that internet access must be applied for. Browsing websites unrelated to business purposes is prohibited, such as games, shopping, music and video, gambling, social networking sites, illegal or violent content, advertisements, adult information, free internet resources, controversial websites, websites without clear sources, and websites listed for special control.

  • Remote access management: The regulations state that employees who need to connect to the Company from an external network to use internal services, because of business trips or other business demands, must use a VPN to ensure security. Permission to use the VPN must be applied for, with OTP two-factor authentication on a personal mobile device. The Information Department reviews VPN usage every six months, at no fixed time, and permission is cancelled if it is confirmed that an account has not logged in for more than six months.

  • Management of data centers: The regulations state that data centers require access control, and they set control requirements for personnel without permission to access the data centers. Daily management operations are also required, covering the temperature and humidity of the data centers, the uninterruptible power supply (UPS), and inspection of the data center environment and equipment operation status. The data center environmental control system monitors and records the environment and equipment status, and automatically sends warnings of irregularities to the administrators for immediate handling.

  • Information security meetings: Monthly information security meetings are held to verify and review the implementation of the information security policies and information management programs.


New employees of Simplo undergo basic information security education and training when onboarding. In addition, information security promotion for existing staff is conducted from time to time through the Company's internal portal site or email, covering the security of email use, the security of internet use, and remote security operations.