Information Security Management

 Information Security Risk Management Framework

  • EMC adopts the three core principles of information security — Confidentiality, Integrity, and Availability — as the foundation for its Information Security Management Policy. The Company has established comprehensive management systems and standard operating procedures to ensure the continuous operation of the overall business information environment across the EMC Group, comply with relevant laws and regulations, and protect against threats such as improper use, leakage, tampering, theft, or destruction of information assets, thereby minimizing potential harm.
  • In 2024, EMC introduced the ISO 27001 international information security management system and successfully obtained ISO 27001 certification (valid from December 8, 2024, to December 8, 2027). Through the implementation of ISO 27001, the Company meets customers’ information security requirements, strengthens incident response capabilities, and protects the assets of both the Company and its customers.
  • On March 10, 2022, EMC officially joined the TWCERT/CC Information Sharing and Analysis Alliance. Through this alliance, the Company receives early warnings of potential attack activities and threat intelligence, enhances information sharing with domestic and international cybersecurity organizations, improves response measures, and reduces cybersecurity risks.
  • EMC assesses its current cybersecurity posture and targets using the U.S. National Institute of Standards and Technology (NIST) framework and adopts the Cybersecurity Framework (CSF) as the basis for information security policy planning, with the goal of reducing security risks to critical operational infrastructure.
  • The framework consists of five core functions:

    Identify: Information security governance and information asset inventory

    Protect: Identity authentication and access control, endpoint protection, network security, data security, and application service protection

    Detect: Endpoint and network behavior monitoring, security technology detection and vulnerability management, and utilization of cyber threat intelligence

    Respond: Cybersecurity incident reporting and response mechanisms, incident analysis, and corrective action planning

    Recover: Backup mechanisms, contingency plans, business continuity planning, and drills

 Information Security Mechanisms

To safeguard the Company’s and customers’ trade secrets, data is classified and graded. Access to networks, computers, and personnel is strictly controlled. EMC has established three major information security management objectives:

  1.  Information Equipment Security Management

      Regularly conduct information asset inventories

      Implement a “data not landing on local devices” architecture

      Enforce file access rights management

      Deploy a Security Information and Event Management (SIEM) system for log monitoring

      Strengthen authentication with Multi-Factor Authentication (MFA)

      Conduct backup and restoration drills every six months

In 2024, four backup and recovery drills were performed across EMC (Taiwan), EMC (Kunshan), Zhongshan EMC, and EMC (Huangshi), including cross-site failover of critical equipment/services and verification of backup data restoration.

  2.  Network and Antivirus Management

To defend against cyberattacks and malicious intrusions, EMC has deployed:

      Next-generation firewalls

      Intrusion prevention systems

      Advanced threat protection systems

      Endpoint detection and response (EDR)

      Industrial control and production line network security monitoring

      Host-based deep defense systems to block zero-day exploits

The Company continuously acquires external threat intelligence, integrates it with existing security systems for automated detection and blocking of malicious behavior, performs monthly vulnerability scans and patching, and uses a network cybersecurity risk management system for ongoing risk assessment. External professional security firms are regularly engaged to conduct penetration testing, identify blind spots, and strengthen the overall secure operating environment. 

  3.  Employee Information Security Education and Training

All new hires receive mandatory information security orientation. Regular awareness campaigns, training sessions, and social engineering (phishing) simulation exercises are conducted to heighten employees’ awareness of customer privacy and confidential information.


Cybersecurity Incident Reporting Process and Incidents

When a cybersecurity incident occurs, employees must follow the EMC Cybersecurity Incident Reporting and Response Procedure to immediately notify the highest-ranking information security officer. The responsible unit classifies and grades the incident and takes appropriate control measures to resolve it in the shortest possible time.


From 2022 to 2024, EMC did not violate any information security regulations and recorded zero information security incidents.

Specific Management Measures


The Company strictly implements physical and environmental security, network and computer security, system access control, system continuity, and employee security awareness training in accordance with established procedures. The Internal Audit Office serves as the supervisory unit for information security, regularly audits execution status, requires responsible units to propose improvement plans for any deficiencies identified, and tracks improvement progress to reduce internal risks.


To further strengthen information security risk management, the 2024 annual cybersecurity continuous improvement items were reported to the Board of Directors on December 23, 2024.


EMC has a dedicated information security team consisting of one Information Security Officer and one dedicated staff member. Monthly meetings are held to review information security policies and implementation details.