Information Security Policies
This policy is established to strengthen the information security management of MACHVISION Inc Co., LTD (hereinafter referred to as “our company”), to assure the confidentiality, integrity, and availability of all assets and information, to meet the requirements of relevant laws and regulations, and to protect these assets and information from deliberate or unexpected internal and external threats.
2. Scope of application
(1) This policy applies to all employees of our company, outsourced companies, visitors, etc.
(2) Information security management covers the following areas, in order to prevent any possible risk and danger from improper use, leakage, tampering, and destruction of information due to human error, deliberate damage, natural disasters, etc. The management items are as follows:
a. Establishment and evaluation of information security policies.
b. Establishment and operation of the information security organization.
c. Classification, rating, and control of information assets.
d. Management of information security risks.
e. Personnel security management and education and training.
f. Physical and environmental security.
g. Communication and operation security management.
h. Access control security.
i. Compliance of unit policies with relevant legal regulations.
To assure the confidentiality, integrity, and availability of our company's assets and to protect user data privacy, all employees of our company work together to achieve the following goals:
(1) Protect the information security of our company's R&D, business, production, and services, and ensure that the information can be accessed only by authorized personnel, to protect its confidentiality.
(2) Protect the information security of our company's R&D, business, production, and services, and prevent unauthorized modification, to ensure accuracy and integrity.
(3) Ensure that the implementation of all our company's operations and services complies with the requirements of relevant laws and regulations.
4. The organization for Information Security
The Company has established an information security management committee, chaired by the head of the information department and composed of network service members who implement the information security plans. The committee is responsible for external information risk assessment and assistance with resource introduction, establishment of the information security system, information security supervision and audit, and continuous enhancement of information security concepts and awareness.
5. Information security measures
6. Continuous improvement framework
The Company still maintains the PDCA (Plan-Do-Check-Act) cyclic management mode to ensure the attainment of goals and continuous improvement.
At the end of 2021, the Taiwan Stock Exchange assisted public companies in improving information security and management, using the “Information Security Management and Control Guidelines for Public Companies” as the foundation of the corporate improvement cycle.
7. Implementation and status of information security
MACHVISION is a team built on IT research and development, so in addition to the anti-virus and anti-hacking protective measures for software and hardware that many other companies have implemented, it especially emphasizes and maintains its key competitiveness in research and development.
As of 2021, the implementation of three-level information security has been completed, as described below:
(1) Data encryption management: All company data files, graphics files, and software programs are encrypted and managed. If any report or data related to a customer or supplier is needed, an application for approval and decryption is required. Only then can external customers and suppliers read the report, which allows business activities to proceed and suppliers to provide related services.
(2) Strengthen information security in the user environment: Currently, the R&D Department, a high-level information security area, is restricted with respect to personal information-processing equipment. External computers and hardware equipment can be carried inside but are restricted from connecting to the internal environment of MACHVISION. Moreover, personal computers will be blocked from use as a result of improper operations. USB use is controlled in the company; because sales and customer service staff will inevitably need assistance with data analysis, the Information Department installs public virus-scanning computers on all floors so that users can scan data for viruses before loading it.
(3) Establishment of internal antivirus software and external firewall antivirus/anti-hacking protection.
Recently, many large companies have suffered malicious software and computer virus attacks, and the situation is complicated. Awareness of information security protection continues to increase. Training and real-time assistance from frontline information security companies reduce the risk to MACHVISION’s commitments to customers and shareholders and the adverse effects on operational results, finance, and prospects.
2022 annual performance goals:
The committee's guidelines for improvement, based on the Board’s feedback, are described below:
(1) Continue strengthening the establishment of the information security architecture.
(2) Implementation of execution: Trace information security cases and internal information security reports.
(3) Raise staff awareness of information security: Arrange information security education and training, and test staff on information security concepts.
8. Information Security Risk Management Organization
The Company has established a risk management committee for information security risks, chaired by the head of the information department and composed of network service members who implement the information security plans. The committee is responsible for information security system establishment, technology introduction, and information security supervision and audit.
The committee is responsible for conducting information security and cyber risk assessment processes, performing risk analysis based on impact levels and probabilities, setting up corresponding management mechanisms for high-risk environments and systems, and establishing highly reliable architecture, such as data backup and remote backup structures, to mitigate the impact of information security incidents.
The committee is responsible for formulating and regularly reviewing information security policies, including information security incident reports and response mechanisms. It shall also regularly report information security inspections to the Board of Directors.
The committee’s most recent assessment report was published on December 29, 2021. The information security risk assessment covered: (1) External information security protection equipment, (2) Endpoint information security management and control, (3) Document security encryption inspection, (4) Network service activities review, and (5) Remote backup mechanism. The executive summary for the 2021 report year is as follows:
a. For external information security protection equipment: Upgrade the network firewall equipment, and introduce the automatic statistical analysis feature to manage the situation information platform.
b. For the remote (off-site) backup mechanism: Upgrade the important ERP host system to obtain high reliability and a virtual server structure, and upgrade the backup servers to improve execution results.
c. Synchronization of total backup services and data: Continue to improve the execution of information security processes in the future, as well as voluntary staff information security education and training.