Information Security
Policy, Governance, and Strategic Objectives
To safeguard the integrity of its information assets and ensure business continuity, HIWIN has established a robust foundation for information security governance through the formal publication of its Information Security Policy and Objectives. This framework is designed to protect the interests of the company, customers, suppliers, and employees, while ensuring compliance with regulatory requirements and addressing stakeholder expectations. The policy emphasizes the core principles of confidentiality, integrity, and availability (the CIA triad) of information systems and data, aligning with global best practices in cybersecurity and digital risk management.
At the governance level, HIWIN has established the Information Security Committee, chaired by a Board Member, the President, to oversee the implementation, effectiveness, and continuous improvement of the Information Security Management System (ISMS). The Information Security Representative submits an annual governance report to the Board of Directors, ensuring board-level oversight and accountability.
To institutionalize information security across the organization, dedicated task forces operate under the Committee’s structure. Each department appoints an Information Security Officer (ISO), typically a managerial-level supervisor, to promote cross-functional collaboration and embed a culture of shared responsibility. This decentralized yet coordinated approach ensures that information security is integrated into daily operations at all levels.
Information Security Certification
HIWIN has consistently demonstrated a strong commitment to establishing a comprehensive Information Security Management System (ISMS), supported by the implementation of various system management tools. To ensure the effectiveness of its ISMS and alignment with international standards, HIWIN successfully obtained ISO/IEC 27001 certification in March 2023. The certification scope encompasses personnel, systems, facilities, and data centers involved in core operations. In March 2024, HIWIN once again passed an external audit conducted by an accredited certification body, reaffirming the continued effectiveness and robust operation of its ISMS.
Fostering a Culture of Information Security Awareness
Recognizing that human behavior is a critical component of cybersecurity, HIWIN implements a multi-tiered training and awareness program to cultivate a strong security-conscious organizational culture. These initiatives aim to instill secure practices among all system users and equip technical personnel with advanced skills.
Key Initiatives to Strengthen Security Awareness:
Information Security Incident Reporting and Response Process
To ensure prompt detection, assessment, and resolution of potential security incidents, HIWIN has established a formal Incident Reporting and Response Framework. All employees and system administrators are required to report suspicious activities immediately.
Information Security Measures Implemented - Items & Outcomes
Continuous Improvement of Application System Security
As most core information application systems are self-developed, continuous security enhancements are required to achieve organizational security goals and strategies. In 2024, we focused on eight key areas (identity tracking, system permission control, technical risk mitigation, software development protection, data security, physical document protection, authentication mechanism improvement, and data integration) and completed the design and deployment of 186 application security improvement items.
Cybersecurity Threats and Mitigation Measures