To protect the information assets and privacy of the Company, customers, and partners, GMTC has successfully completed and passed the ISO 27001:2022 re-evaluation certification process by the end of 2024. The certifying body is AFNOR Asia Ltd. This ensures the continued validity of the ISO 27001:2022 certification. By ensuring the effectiveness of the certification, relevant operations are implemented. It uses the PDCA (Plan-Do-Check-Act) cycle management to track and improve information security goals and effectiveness. GMTC follows ISO 27001:2022 management system guidelines to plan and execute information security policies and enhances employee information security awareness through training courses, creating a robust security network to ensure the protection of confidential information of the Company, customers, and partners, achieving the goals of GMTC's information security and sustainable operations.

ISO 27001 Certification

In addition, in order to obtain external information security intelligence or share relevant information security intelligence, the Company has joined Taiwan Information Security Alliance (CERT/CSIRT Alliance) of Taiwan Cyber Risk Management and Coordination Center (TWCERT/CC). Members strengthen the Company's information security structure by sharing information security intelligence.

"Enhancing Information Security Awareness", "Ensuring Business Continuity"

To ensure that GMTC's various information security management systems are effectively implemented, operated, monitored, and continuously maintained, and to protect the confidentiality, integrity, and availability of the company's critical information systems, the Company has issued this information security policy. This policy provides clear guidelines for employees in their daily work, protecting their rights and interests. It is expected that all employees understand, implement, and maintain this policy to achieve the Company's operational goals.

Enhance Information Security Awareness

Supervise and educate all employees to implement information security in the spirit of self-discipline, autonomy and mutual prosperity, establish the concept of "Information Security is Everyone's Responsibility", and continue to conduct appropriate information security training and dissemination every year to enhance information security awareness. If there is any violation of the relevant regulations on information security, the responsible personnel will be held accountable according to the relevant regulations on personnel rewards and punishments.

Ensure Business Continuity

All employees of the Company thoroughly implement the information security management system to protect various information assets from risks such as data leakage, destruction, or loss due to external threats or improper management by internal personnel. To an acceptable level, we continue to monitor, review and audit the information security management system to ensure the continuous operation of various information systems and achieve the goal of sustainable operation.

As per the requirements of the competent authorities, GMTC has reported to the Board of Directors to set up a dedicated information security supervisor and information security personnel, and completed the submission to the competent authorities, as well as complied with the ISO 27001: 2022 management system to establish an information security working group (a total of 9 members), responsible for formulating internal information security policies, planning and executing information security operations, promoting and implementing information security policies, and regularly reporting to the Board of Directors on the Company's information security governance profile.

The Auditing Office is the unit that supervises information security supervision. It has an audit officer and full-time auditors responsible for supervising the implementation of internal information security. If any defects are found during the audit, the audited unit will be requested to propose relevant improvement plans immediately, and improvement results are regularly tracked to reduce internal information security risks.

Organizational operations - The PDCA (Plan-Do-Check-Act) method is adopted to achieve circular management, so as to ensure reliability, and make improvements to achieve targets.

GMTC reviews the internal information security standards on a regular basis, and report to the board of directors the status of information security governance. The Company also conducts risk assessment in compliance with the international standard ISO 27005, analyzing the internal risk according to asset value, weakness, threat and impact, and formulating security improvement measures based on the risk assessment results, in order to improve the overall cybersecurity environment.

In addition, GMTC continues to conduct vulnerability scanning of its systems. In the 2024 vulnerability scan, a total of 9 low-level, 11 medium-level, 0 high-level, 2 critical, and 114 informational vulnerabilities were identified. For the vulnerabilities that can be patched or corrected, appropriate remediation measures have been implemented. Furthermore, several vulnerabilities are expected to be addressed in conjunction with relevant system upgrades in 2025. At that time, another scan will be conducted to track the improvement status. Through this continuous cycle and the implementation of the Information Security Management System (ISMS), we are committed to strengthening our cybersecurity defense measures to reduce operational risks posed by external threats.

The most common method of social engineering attacks within enterprises is the use of email as a means of infiltration. GMTC collaborated with professional vendors to conduct social engineering simulation exercises, aiming to strengthen employees' information security awareness regarding suspicious emails. Upon completion of the tests, the Company provided targeted information security training focused on social engineering. Employees were reminded to remain vigilant, avoid clicking on emails from unknown sources, and stay alert to potential information security threats in order to prevent such attacks.

Under the current information security policy, no significant information security incidents affecting the company's operations occurred in 2024.