Information Security Policy

GOODWAY Information Security Management Framework

In 2024, GOODWAY established an Information Security Committee, appointed a Chief Information Security Officer (CISO), and assigned dedicated personnel in accordance with the ISO 27001:2022 standard. The organizational structure is shown in the diagram. Responsibilities and authorities are defined according to business operations. The committee conducts regular internal reviews of information security policies, reports to senior management, and submits annual performance results and development objectives to the Board of Directors.

Information and Cybersecurity Risk and Management

To secure the foundation for the company’s sustainable operation and to manage enterprise risk governance effectively, GOODWAY continuously strengthens its information security management to safeguard the confidentiality, integrity, and availability of information, protecting it from intentional or accidental threats, whether internal or external. GOODWAY implemented ISO 27001:2022 and obtained certification in 2025. Under its management policies, the framework is divided into technology application and personnel training. The management details are outlined as follows:

Policies and Regulations

  • In 2024, GOODWAY established the Information Security Committee to oversee the formulation, implementation, review, and improvement (PDCA) of the company’s information security and protection strategies. Supervision and review are conducted by the General Manager, Executive Vice General Manager, and Chief Information Security Officer (CISO). The Information Department is designated as the responsible unit, with one Information Supervisor and several professional IT personnel appointed.

  • To ensure the security, information protection, and confidentiality of corporate customers, supplier networks, and internal digital data, controls are implemented across all GOODWAY business units. Additionally, internal audits and performance reporting are conducted monthly to maintain effective oversight.

  • The company establishes information security management policies to regulate the operational behavior of personnel across internal departments. These policies are reviewed every six months to ensure alignment with changes in the operational environment and are adjusted as needed.

  • The company accepts supervision and guidance from the Audit Office, communicates upward through the governance framework to address organizational strategic requirements, and continuously promotes and implements information security policies.

Technology Application

To guard against various external cybersecurity threats, GOODWAY has actively implemented and optimized security defenses in recent years. The company has joined information-sharing centers such as the TWISAC Cybersecurity Alliance and the SP-ISAC Science Park Information Sharing and Analysis Center to obtain the latest threat intelligence. Additionally, GOODWAY has established an external emergency contact list, including key organizations such as the Central Taiwan Science Park Administration, Taichung City Fire Department, Taichung City Police Department, and Cheng Ching Hospital, to serve as first-line reporting agencies for information and physical security risks.

  • External threats

    To prevent external hacker intrusions and computer virus threats, in addition to deploying firewalls, antivirus, and anti-ransomware systems, the company engages professional cybersecurity consultants to conduct security assessments and vulnerability scans so that potential system weaknesses and flaws can be identified and remediated.

  • Access management

    Access to internal systems and data is managed according to a zoned and layered control principle. Personnel may not use system functions or access data for which they have not been authorized. In line with the access management policy, procedures for requesting and revoking access are established, and annual access audits are conducted to verify that permissions are allocated properly and accurately.

  • Access control

    To strengthen system access control, systems serving different purposes are separated by a multi-layered network architecture and the methods of external access are restricted. In addition, endpoint management, network behavior monitoring, and alerting systems are deployed to record user activities, automatically detect anomalies, and notify administrators so that they can act promptly.

  • System availability

    To ensure the stability of internal system operations and minimize downtime during system failures, backup mechanisms are established for all information services. Critical hardware and network facilities are also equipped with redundancy to prevent service interruptions.

Personnel Training

  • Based on the current status of cybersecurity implementation and incident developments, education and cybersecurity awareness programs are conducted to enhance internal staff’s cybersecurity knowledge and vigilance.

Resource Allocation

Information security is a top priority for enterprise digitalization. In response, GOODWAY allocates corresponding resources as outlined below:

  • Dedicated Personnel Allocation

    In 2024, the Information Security Committee was established, led by the General Manager, Executive Vice General Manager, and Chief Information Security Officer (CISO). The committee appoints a dedicated IT supervisor, a management representative, an Information Security Task Force, and an Internal Audit Team, all responsible for developing corporate cybersecurity plans and strengthening digital data security.

  • Risk Assessment and Improvement

    An annual risk assessment of corporate assets is conducted to set information security objectives. Regular risk reviews are performed, and improvement measures and countermeasures are established based on assessment results. Additionally, the company participates in information defense alliances to maintain timely internal and external asset protection and cybersecurity intelligence.

  • Third-Party Certification

    In 2025, the company obtained ISO 27001 information security certification and commissioned a third-party verification agency to conduct vulnerability scans.

  • Information Asset Management and Maintenance

    Core systems have annual maintenance agreements with vendors, backup mechanisms are established for data servers, and asset maintenance is conducted according to risk assessment classifications.

  • Personnel Awareness Enhancement

    All employees undergo annual cybersecurity training, core personnel complete 12 hours of cybersecurity education along with comprehensive advanced exercises, and company-wide social engineering drills are conducted at irregular intervals each year, with the passing score set at 80.

  • Information Security Notice

    Over 10 information security notices are issued annually to communicate the importance of cybersecurity and raise individual security awareness.

  • Performance Summary

    Monthly cybersecurity performance summaries are provided to department supervisors, strategic reviews and adjustments are conducted semiannually, and annual reports on cybersecurity performance and budget reviews are presented to the Board of Directors.