Information Security

To protect the information assets and privacy of the Company, customers, and partners, GMTC obtained ISO 27001:2022 certification from the third-party verification agency AFNOR Asia (certificate number: TTI06051-00, issued on January 31, 2024, valid until January 31, 2027) at the end of 2023. Through the implementation of ISO 27001, GMTC has established an information security organizational structure to promote and implement related operations. It uses PDCA (Plan-Do-Check-Act) cycle management to track and improve information security goals and effectiveness. GMTC follows ISO 27001 management system guidelines to plan and execute information security policies and enhances employee information security awareness through training courses, creating a robust security network that protects the confidential information of the Company, customers, and partners and achieves the goals of GMTC's information security and sustainable operations.

ISO 27001 Certification

In addition, to obtain and share external information security intelligence, the Company has joined the Taiwan Information Security Alliance (CERT/CSIRT Alliance) of the Taiwan Cyber Risk Management and Coordination Center (TWCERT/CC). Members strengthen the Company's information security structure by sharing information security intelligence.


Information Security Policy

"Enhancing Information Security Awareness", "Ensuring Business Continuity"

To ensure that GMTC's various information security management systems are effectively implemented, operated, monitored, and continuously maintained, and to protect the confidentiality, integrity, and availability of the Company's critical information systems, the Company has issued this information security policy. This policy provides clear guidelines for employees in their daily work, protecting their rights and interests. All employees are expected to understand, implement, and maintain this policy to achieve the Company's operational goals.

Enhance Information Security Awareness

Supervise and educate all employees to implement information security in the spirit of self-discipline, autonomy and mutual prosperity, establish the concept of "Information Security is Everyone's Responsibility", and continue to conduct appropriate information security training and dissemination every year to enhance information security awareness. If there is any violation of the relevant regulations on information security, the responsible personnel will be held accountable according to the relevant regulations on personnel rewards and punishments.


Ensure Business Continuity

All employees of the Company thoroughly implement the information security management system to protect various information assets from risks such as data leakage, destruction, or loss due to external threats or improper management by internal personnel, keeping those risks at an acceptable level. We continue to monitor, review and audit the information security management system to ensure the continuous operation of various information systems and achieve the goal of sustainable operation.


Information Security Organizational Structure

As required by the competent authorities, GMTC has reported to the Board of Directors to set up a dedicated information security supervisor and information security personnel, and has completed the submission to the competent authorities. In compliance with the ISO 27001:2022 management system, it has also established an information security working group (a total of 9 members), responsible for formulating internal information security policies, planning and executing information security operations, promoting and implementing information security policies, and regularly reporting to the Board of Directors on the Company's information security governance profile.

The Auditing Office is the unit that supervises information security. It has an audit officer and full-time auditors responsible for supervising the implementation of internal information security. If any defects are found during an audit, the audited unit is requested to propose relevant improvement plans immediately, and improvement results are regularly tracked to reduce internal information security risks.

Information Security Risk Management

Organizational operations - The PDCA (Plan-Do-Check-Act) method is adopted to achieve circular management, so as to ensure reliability, and make improvements to achieve targets.

Information Security Management Measures

GMTC reviews its internal information security standards on a regular basis and reports the status of information security governance to the Board of Directors. The Company also conducts risk assessment in compliance with the international standard ISO 27005, analyzing internal risk according to asset value, weakness, threat and impact, and formulating security improvement measures based on the risk assessment results, in order to improve the overall information security environment.

Information Risk Assessment Process

IT Incident Reporting Procedures

2023 Vulnerability Assessment

Vulnerability assessment can identify potential vulnerabilities in servers for timely adjustment and remediation to reduce information security risks. In this year's vulnerability assessment, GMTC successfully reduced the number of critical and high-risk vulnerabilities from a total of 14 to 7.
