Information Security Policy
WeeMed Technologies Inc. (Company ID: 00085209) Information Security Management Policy. This policy is established in accordance with ISO 27001, the Personal Data Protection Act, the Cybersecurity Management Act, and other standards to ensure the highest level of protection for customer data and system security.
Last Updated: June 7, 2025
1. Security Policy Statement
Organizational Commitment:
• Full commitment to security from the Chief Executive Officer
• Integration of information security into corporate culture
• Continuous improvement and adaptation to latest threats
• Enhancement of security awareness among all employees
Scope of Application:
• WeeMed platform and all related systems
• Employees, contractors, and partner companies
• All physical and logical assets
• Customer data, trade secrets, and intellectual property
Security Objectives:
• Data Confidentiality: Prevention of unauthorized access, with zero information leakage
• System Integrity: Prevention of data tampering and assurance of data accuracy
• Service Availability: Maintenance of stable operation at 99.5% availability or higher
• Regulatory Compliance: Full compliance with international security standards
2. Organizational Security Management
Security Management Structure:
• CISO (Chief Information Security Officer): Overall corporate security strategy
• Security Committee: Monthly security reviews and policy decisions
• Departmental Security Officers: Daily security operations management
• External Security Advisors: Professional advice and audit support
Security Governance:
• Annual security strategy development and budget allocation
• Quarterly security risk assessments
• Monthly security metrics review and improvement
• Emergency response system for major incidents
Third-party Management:
• Vendor Security Assessment: Mandatory security audits before contracts
• Regular Security Audits: Annual external audits
• Incident Sharing: Industry security information sharing
3. NIST Framework Risk Management
Identify:
• Asset Management: Inventory and classification of all IT assets (twice yearly)
• Threat Intelligence: Collection and analysis of latest cyber threat information
• Vulnerability Assessment: Regular system vulnerability scans (monthly)
• Risk Assessment: Annual comprehensive risk evaluation
Protect:
• Defense in Depth: Multi-layer deployment of firewalls, IDS/IPS, WAF
• Endpoint Protection: EDR (Endpoint Detection and Response) deployed on all endpoints
• Data Classification: Data classification and protection level setting by sensitivity
• Security Education: Monthly security training for all employees
Detect:
• 24/7 SOC: Security Operations Center with 24-hour monitoring
• SIEM: Integrated log analysis and real-time threat detection
• Behavioral Analysis: AI-based abnormal behavior pattern detection
• Threat Hunting: Proactive threat exploration
Respond:
• Incident Response Plan: Step-by-step response procedures
• Emergency Response Team: Initial response within 2 hours
• Communication Plan: Appropriate information sharing with stakeholders
• Containment: Rapid measures to prevent damage escalation
Recover:
• Business Continuity Plan: RTO 4 hours, RPO 1 hour recovery targets
• Backup Strategy: 3 times daily, redundant backups at multiple locations
• Recovery Procedures: Phased system recovery and service resumption
• Lesson Sharing: Post-incident improvement strategy development and deployment
4. Access Control and Identity Management
Identity Management:
• Single Sign-On (SSO): Centralized management through unified authentication infrastructure
• Multi-Factor Authentication (MFA): Mandatory for all employees and critical system access
• Privileged Account Management (PAM): Strict management of administrator privileges
• Access Reviews: Quarterly privilege inventory and removal of unnecessary privileges
Access Control Principles:
• Principle of Least Privilege: Grant only minimum privileges necessary for business
• Separation of Duties: Multi-person approval required for critical operations
• Time Restrictions: Automatic expiration of temporary privileges
• Geographic Restrictions: Access only from authorized locations
Authentication and Authorization Standards:
• Password Requirements: Minimum 12 characters, character complexity requirements, rotation every 90 days
• Biometric Authentication: Fingerprint and facial recognition for critical systems
• Device Authentication: Access prohibited from unmanaged devices
• Behavioral Analysis: Detection of deviations from normal behavior patterns
5. Data Protection and Encryption
Encryption Standards:
• Transmission Encryption: TLS 1.3, Perfect Forward Secrecy support
• Storage Encryption: AES-256, multi-layer encryption with key separation
• Database Encryption: Transparent Data Encryption (TDE) implementation
• End-to-End Encryption: High-confidentiality data communications
Key Management System:
• Hardware Security Module (HSM) key protection
• Key Lifecycle Management: Generation, distribution, rotation, disposal
• Distributed Key Management: Elimination of single points of failure
• Audit Logs: Recording and auditing of all key operations
Data Classification and Protection:
• Public Information: No special protection required
• Internal Information: Access control and encryption
• Confidential Information: Multi-factor authentication and enhanced encryption
• Top Secret Information: Physical separation and highest level protection
6. Network and System Security
Network Architecture:
• Zero Trust Architecture: Verification and encryption of all communications
• Network Segmentation: Logical separation by function
• DMZ Design: Isolation and protection of public services
• VPN: Secure connections for remote access
System Hardening:
• OS Hardening: Removal of unnecessary services and application of secure configurations
• Patch Management: Monthly regular patch application and zero-day response
• Anti-malware: Real-time protection and regular scanning
• Configuration Management: Enforcement of security baseline configurations
Cloud Security:
• AWS/Azure Security Best Practices compliance
• Cloud Security Posture Management (CSPM)
• Container Security: Docker/Kubernetes hardening
• Serverless Security: Function-level protection
7. Security Monitoring and Incident Response
24/7 Security Monitoring:
• Security Operations Center (SOC): 24/7/365 monitoring system
• SIEM/SOAR: Integrated log analysis and automated response
• Threat Intelligence: Utilization of latest threat information
• Real-time Alerts: Immediate notification of critical events
Incident Response Procedures:
• Stage 1 (Detection/Reporting): Initial response within 15 minutes
• Stage 2 (Analysis/Assessment): Impact scope identification within 1 hour
• Stage 3 (Containment): Damage escalation prevention within 2 hours
• Stage 4 (Eradication/Recovery): System recovery within 4 hours
• Stage 5 (Post-incident): Reporting to regulatory authorities and customer notification within 72 hours
Incident Classification:
• Category 1 (Critical): Business-halting impact
• Category 2 (High): Critical data breach
• Category 3 (Medium): Limited impact
• Category 4 (Low): Minor anomalies
8. Business Continuity and Disaster Recovery
Business Continuity Plan (BCP):
• RTO (Recovery Time Objective): Within 4 hours
• RPO (Recovery Point Objective): Within 1 hour
• Alternative Site: Located 100 km or more from the primary site
• Regular Drills: Quarterly disaster recovery exercises
Backup Strategy:
• 3-2-1 Rule: 3 copies, 2 different media, 1 offsite
• Automated Backup: 3 times daily automated backups
• Encrypted Backup: AES-256 encryption for all backups
• Recovery Testing: Monthly backup recovery tests
High Availability Design:
• Redundancy: Elimination of single points of failure
• Load Balancing: Load distribution across multiple servers
• Automatic Failover: Automatic switching during failures
• Geographic Distribution: Operations across multiple data centers
9. Third-party Security Management
Vendor Management:
• Security Assessment: Mandatory security audits before contracts
• SLA Requirements: Specific security requirements written into service level agreements
• Regular Audits: Annual external audits and penetration testing
• Incident Sharing: Immediate sharing obligation for security events
Cloud Provider Management:
• Shared Responsibility Model: Clear definition of responsibility boundaries
• Configuration Management: Security configuration management of cloud resources
• Audit Trail: Logging of all cloud operations
• Data Sovereignty: Management of data storage locations and legal jurisdiction
Partner Company Collaboration:
• Unified Security Standards: Setting common security requirements
• Information Sharing: Sharing threat information and best practices
• Joint Training: Joint security training with partner companies
• Incident Cooperation: Mutual support during incident response
10. Regulatory Compliance and Auditing
Applicable Regulations:
• Taiwan: Personal Data Protection Act, Cybersecurity Management Act
• Japan: Personal Information Protection Act, Cybersecurity Basic Act
• EU: GDPR (General Data Protection Regulation)
• US: CCPA (California Consumer Privacy Act)
Certification and Standards Compliance:
• ISO 27001: Information Security Management System
• SOC 2 Type II: Service Organization Control Audit
• NIST Cybersecurity Framework: Alignment with the Identify, Protect, Detect, Respond, and Recover functions
• GDPR Article 32: Technical and Organizational Security Measures
Auditing and Assessment:
• Annual External Audit: Comprehensive audit by independent audit firms
• Quarterly Internal Audit: Regular audits by internal audit department
• Penetration Testing: Twice-yearly penetration tests
• Vulnerability Assessment: Monthly automated vulnerability scans
Reporting and Improvement:
• Management Reporting: Monthly security dashboard
• Board Reporting: Quarterly security risk reports
• Authority Reporting: 72-hour reporting for major incidents
• Continuous Improvement: Development and implementation of improvement plans based on audit results
11. Security Education and Awareness
Employee Education Programs:
• New Employee Training: Mandatory 8-hour security education upon joining
• Annual Refresher Training: Latest threats and security trends (4 hours)
• Role-specific Professional Training: Specialized security education by job type
• Phishing Training: Monthly simulated phishing email exercises
Awareness Activities:
• Security Newsletter: Monthly security information distribution
• Security Posters: Reminders through office displays
• Security Events: Annual cybersecurity awareness week
• Reward System: Recognition system for security improvement proposals
Measurement and Evaluation:
• Comprehension Tests: Mandatory understanding verification after education
• Behavioral Indicators: Security incident occurrence rates
• Awareness Surveys: Annual security awareness questionnaires
• Improvement Plans: Education program improvements based on measurement results
12. Contact Information and Complaint Handling
Security Contact Information:
• Dedicated Security Hotline: security@weemed.ai
• Emergency Contact: +886-4-23016388 (24-hour support)
• Vulnerability Reporting: vulnerability@weemed.ai
• Privacy Inquiries: privacy@weemed.ai
Complaint and Inquiry Handling:
• Receipt Confirmation: Acknowledgement of receipt within 24 hours
• Initial Response: Initial investigation results provided within 3 business days
• Final Response: Final investigation results provided within 15 business days
• Follow-up: Satisfaction confirmation 30 days after resolution
Escalation:
• Stage 1: Team Manager
• Stage 2: Chief Information Security Officer (CISO)
• Stage 3: Chief Technology Officer (CTO)
• Final Stage: Chief Executive Officer
External Consultation Organizations:
• Taiwan: Executive Yuan Department of Cyber Security
• Japan: National Center of Incident Readiness and Strategy for Cybersecurity (NISC)
• International: FIRST (Forum of Incident Response and Security Teams)