CORPORATE GOVERNANCE

Sustainability Governance


Information Security and Risk Management
Increasing customer value is one of iST’s goals so long as the Company exists. As a professional technical service provider, iST knows well that the provision of accurate and precise data can accelerate the customer’s progress in R&D. Considering that relevant analytical data is the customer’s property and brainchild, the data must be kept in good custody.
Information Security and Management Structure
To ensure the security of iST’s and its customers’ information assets, the Company has set up a Security Governance Committee to integrate internal resources, perform information security risk assessments, and develop annual information security plans and inspection standards. We also coordinate relevant resources and activities across units to implement information security controls, annual information security education and training for employees, and information security audits. The Security Governance Committee holds meetings biannually to review and resolve information security and protection guidelines and policies, so as to realize the effectiveness of the information security management measures. The committee may also convene additional meetings as information security risk management requires. The convener of the Security Governance Committee represents the committee and reports to the board of directors every year. iST obtained ISO/IEC 27001:2013 Information Security Management System (ISMS) certification in October 2020. The certification is valid until Oct. 31, 2025.
The Chief Information Security Officer convenes the security control committee meeting. Heads of Divisions serve as ex officio members, together with the Information Security Implementation Team, the Emergency Response Team, the Information Security Audit Team and the Document Management Center; the committee comprises 24 people in total.
iST establishes its information security measures through three operating policies – “Establishing a dedicated information security organization,” “Obtaining support from senior management,” and “Implementing all-staff participation” – and in compliance with the relevant requirements of the ISO/IEC 27001 information security management system (information security policies, management procedures, and operating standards), in order to safeguard the security and interests of iST’s and its customers’ information assets.
Information security policy and specific management plan
Information Security Policy Vision / Information Security Objectives
  • Strengthening knowledge and skills of personnel: Hold educational training on information security to enhance employees’ awareness of information security and of their relevant responsibilities.
  • Avoiding information disclosure: Protect information on iST’s business activities, prevent unauthorized access and modification, and ensure the accuracy and completeness of information.
  • Conducting routine maintenance works: Conduct internal and external audits periodically to ensure implementation of relevant operations.
  • Ensuring services being available: Ensure a certain level of availability of iST’s key core systems.
iST enhances the personnel’s awareness of information security and overall security resilience through “Establishing Multifaceted Information Security Message Communication” and “Implementing Information Security Educational Training”.
iST information security technical measures are planned and implemented in four major aspects to continuously strengthen information security protection capabilities.
Allocate resources for cybersecurity management
To achieve the vision of our cybersecurity policy, we have allocated resources to implement the following cybersecurity protection measures:
Information security protection measures
Strengthening knowledge and skills of personnel
  • Cyber security training course: New employees are required to complete the information security education training arranged for new employees. Each employee receives follow-up training every year.
  • Enhancement of cybersecurity awareness: Electronic newsletters or notices about cyber security are sent from time to time to help employees get to know cyber security practices and understand the types of cyber security attacks occurring externally.
    18 newsletters/notices were sent in 2023.
  • Cyber attack drills: Phishing email testing is conducted once a year to verify the cyber security awareness of employees.
    1 phishing email test was held in 2023.
  • Respect of intellectual property rights: iST prohibits the use of illegal or cracked portable software.
  • Enhancement of cyber security skills: Cyber security technicians are designated from time to time to participate in external training on cyber security tools or on attack and defense techniques, to enhance cyber security literacy and skills.
    10.16 hours per person in 2023.
Avoiding information disclosure
  • Encryption: Document encryption software is installed to protect confidential information files and reduce the risk of unauthorized disclosure of confidential information.
  • Authorization: Access to files is controlled by setting authorization levels on a need-to-know basis.
  • Network management: Warnings are issued, and inspections are conducted, for abnormal network traffic. Transmitting data to an external unit must be applied for and approved.
  • Access control: Employees are not allowed to bring in personal storage devices or to use personal equipment to take photos or film. USB ports are blocked for storage devices.
Conducting routine maintenance works
  • Audit and improvement: Systems are inspected and improved periodically. New technologies are adopted to enhance data protection. Compliance with the requirements of the management system is ensured through periodic internal audits and audits conducted by external cyber security certification bodies. In 2023, an internal audit and an external verification audit were conducted, and the information security task force held a meeting every month to review relevant matters.
Ensuring services being available
  • Backup management: Important systems are backed up and are renewed or upgraded for cyber security according to the annual plan.
    A backup and recovery test was conducted in 2023.
  • Cybersecurity: To enhance protection against internal and external cyber attacks, the firewall policy is adjusted and reviewed, cyber attack detection is activated, the anti-virus system is updated periodically, and vulnerabilities are patched and prevented. Enhanced protection is provided for important machines. Micro-segmentation firewalls are adopted to enhance protection against lateral movement. iST has joined the SP-ISAC cyber security framework to receive and share significant threat intelligence.
    In 2023, a vulnerability assessment was conducted and information system vulnerabilities were patched as far as possible.