Information Security
Cybersecurity Policy, Organization, and Objectives
To ensure the company's sustainable operation and business development, we have established cybersecurity management policies and procedures to ensure the confidentiality, integrity, and availability of the company's critical information assets, comply with relevant laws and regulations, and continuously monitor and review management performance. This is to implement the principles of cybersecurity management and business continuity, preventing risks such as leakage, damage, or loss, thereby protecting the rights and interests of the company and its employees.
A "Cybersecurity Management Committee" has been established to review the overall cybersecurity strategy and cybersecurity assessment indicators, supervise the company's cybersecurity management operations, and improve cybersecurity capabilities to reduce cybersecurity threats and risks. We regularly communicate and review the company's cybersecurity management system policies and incident response plans, and report the progress of cybersecurity implementation to the Board of Directors annually.
For more information, please see the Information Security Policy.
Figure: Information Security Committee: Organization Chart
Cybersecurity Risks and Control
Tongtai establishes risk control measures and practices in accordance with internal IT system controls and listed-company cybersecurity guidelines to ensure the continuous operation of systems.
(1) Security: Cybersecurity Threat Management
| Risk | Control Measures |
|---|---|
| Hacker intrusion | Firewall policies, intrusion prevention system (IPS), endpoint protection (EPP/EDR), web security rating, network traffic monitoring, vulnerability assessment (VA), packet inspection (PI), penetration testing (PT), incident analysis and remediation. (0 major security incidents in 2025) |
| Phishing email attacks | Anti-SPAM filtering, email archiving/audit, social engineering drills, SPF/DKIM/DMARC authentication. |
| System vulnerability attacks | Regular system updates, network access control (NAC/NAP) |
| Data security | Unauthorized software prohibition, software license control, MFA, account privilege review, asset management, backup and restore drills. |
| Equipment security | Data center access control, power/AC/fire monitoring, network availability monitoring, USB/BYOD control. |
(2) Confidentiality: Access Control
| Risk | Control Measures |
|---|---|
| Confidential data leakage | Account/password control, file access control, privilege audit, internal/external network segmentation. |
| Data theft by resigned staff | Account deactivation, external storage/BYOD control, remote access control. |
| Equipment failure | Secure disposal procedures. |
(3) Availability: Response and Recovery Mechanisms
| Risk | Control Measures |
|---|---|
| IT system failure | HA infrastructure, system availability monitoring (99.91% in 2025), business continuity plans and drills. |
| Data loss | Disk encryption, disaster recovery drills, offsite backup (3-2-1 rule) |
(4) Awareness and Audit
| Risk | Control Measures |
|---|---|
| Endpoint attack awareness | Security training (88% participation, avg score 96.5), social engineering drills. |
| Policy compliance audit | Internal/external audits, AEO, CPA, supply chain rating, security health checks. |
| Security team operations | Dedicated teams (2 members each), weekly threat analysis (SP-ISAC, TWCERT/CC), vulnerability fixes. |
Cybersecurity KPIs:
- Major security incidents: 0
- System integrity issues: 0
- Data validity issues: 0
- System availability: 99.91%
- Policy compliance: 0
- Security training score: 96.5
Cybersecurity Programs and Resources
The company is located in the Southern Taiwan Science Park (Kaohsiung Luzhu Park) and actively leverages the comprehensive information resources provided within the science park ecosystem. To strengthen its cybersecurity capabilities, the company has voluntarily joined the Science Park Information Sharing and Analysis (SP-ISAC) as a member. Through the SP-ISAC platform, the company obtains the latest cybersecurity threat intelligence and incident updates on a daily basis via its web-based system, as well as access to cybersecurity training services. This enables park enterprises to establish effective cybersecurity defense channels and enhance incident response capabilities. Furthermore, Tongtai is able to promptly incorporate newly identified threat indicators into its gateway defense database, thereby achieving effective threat mitigation. In addition, the company has applied for membership in the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC) to obtain professional consultation and coordinated response services for enterprise cybersecurity incidents.
Implementation Programs:
| Program | Technology | Resources |
|---|---|---|
| Zero trust identity control | Tongtai has implemented a zero trust framework, incorporating multi-factor authentication (MFA) mechanisms to strengthen identity verification for external access and enhance overall access security. | 1. MFA deployment 2. External access control awareness 3. Security budget allocation |
| Smart machine security | Tongtai promotes a "malware-free shipment" inspection program for smart machines to ensure the cybersecurity quality and safeguard the corporate reputation of its intelligent manufacturing products. | 1. Malware-free machine delivery 2. Independent networks 3. Security verification before shipment |
| Security assessment & rating | In accordance with regulatory requirements, Tongtai conducts annual cybersecurity assessments through both internal and external audits. These include system and web vulnerability scanning, network packet inspection, and log analysis using Security Information and Event Management (SIEM), as well as cybersecurity assessments and improvement programs across the supply chain and corporate group. Tongtai successfully obtained certification under ISO 27001:2022 and CNS 27001:2023 in 2025. | 1. Annual scans (VA, PT, SIEM) 2. Supply chain security evaluation |
| Endpoint protection (EDR) | Tongtai has deployed Endpoint Detection and Response (EDR) solutions to protect endpoint information systems, effectively reducing the risks and potential impacts associated with ransomware attacks. | 1. Deploy EDR protection 2. Security monitoring 3. Budget allocation |
Cybersecurity Implementation and Protection
To ensure the sustainability of operations and the continuity of critical business activities, Tongtai Machine & Tool Co., Ltd. conducts annual disaster recovery drills to mitigate the risk of service disruption caused by major incidents impacting critical information systems. The scope of these drills includes:
- Disaster Recovery Plan: Objectives, scope, schedule, and personnel.
- Disaster Recovery Planning: Execution procedures, workflows, and required resources.
- Impact Analysis: Risk management assessment during the drills.
- Post-Drill Reporting: Review findings and improvement actions.
Through systematic execution and documentation of these drills, Tongtai strengthens its emergency response and recovery capabilities. In the event of cybersecurity incidents, well-defined management procedures are in place to guide employees, thereby minimizing cybersecurity risks.
To further ensure the security of information systems and enhance defensive capabilities, Tongtai conducts regular annual cybersecurity assessments, including vulnerability scanning and penetration testing. These measures ensure that both information systems and network environments comply with established security standards. In response to major external cybersecurity threats, Tongtai promptly initiates information technology communication and coordination mechanisms (including formal notifications) to facilitate knowledge sharing and incident response. This approach reinforces the security posture of all group entities, enabling their information systems to effectively withstand cyberattacks and contributing to the establishment of a comprehensive cybersecurity defense framework.
