To maintain the confidentiality, integrity, and applicability of Phison's assets and protect users' information privacy, we clearly stipulated in our information security policies that employees
shall avoid unauthorized access and revisions while respecting intellectual property rights and protecting the information of customers and the Company. Anyone who discovers information
security incidents or suspicious security weaknesses should report them to the Information Department through our reporting mechanism, at which point our Information Department personnel will conduct proper investigations and handle the matter appropriately.
It is the responsibility of all Phison personnel to follow our Information Security Policies. Company personnel who violate our information security policies shall face civil, criminal, or administrative responsibilities according to the severity of the violation, or penalties according to relevant rules. The policies are also integrated with the Company's employee performance evaluation
to reduce instances of employees being penalized or facing legal responsibilities due to information security violations and also reduce the Company's information security risks.
In accordance with ISO27001 certification guidelines, the Company conducts an annual internal audit, followed by an external audit conducted by a third-party certification. No major deficiencies have been found in recent years. The Company regularly conducts recovery drills on important core systems every year to test the effectiveness of their recovery procedures, ensuring that the Company's system can continue to operate even if subject to natural disasters or malicious attacks. The Company also performs regular vulnerability scanning and has in place a third-party security risk analysis platform to detect vulnerabilities in external service sites, continuing to improve and strengthen information security protection. The ratings are all maintained at level A (90 points and above).
The Company's Information Division organizes internal information security education and training, and quarterly announces and disseminates information about information security, so as to raise the information security awareness of all employees. The topics specified on the information security notification issued by the Information Technology Div. in 2023 include encouraging regular password changes, social engineering drill, ransom virus case study, and anti-fraud publicity. In 2023, the contents of information security training courses include enterprise information security trends, dissemination of most recent cases, information security policy, code of personnel information security conduct, and social engineering attack prevention awareness promotion (employee training hours totaling 3,762 hours), while the contents of training courses on personal data/privacy include introduction of the Personal Information Protection Act, and EU's GDPR regulations and case review (employee training hours totaling 3,669 hours). 100% employees have completed the information security courses and the personal data/privacy protection courses.