To reinforce information security management, Fengxiang Group has established a dedicated Information Security Unit, comprising one Chief Information Security Officer (CISO) and two information security personnel. This unit is responsible for overseeing the Group’s overall information security operations. The scope of management encompasses operational processes, compliance with applicable information security laws and regulations, personnel awareness training, automated production processes, personal data protection, customer-specific security requirements, and the mitigation of risks associated with emerging technologies.
In alignment with the Taiwan Cyber Security Management Act and the Financial Supervisory Commission’s Guidelines for Cyber Security Management of Listed and OTC Companies, the Company conducts regular internal information security inspections to ensure the effectiveness and maturity of its cybersecurity practices. The results of these inspections are compiled and reported to senior management in January of each year, summarizing the implementation status for the preceding year.
As of the end of 2024, the Company has not received any complaints regarding violations of customer privacy or loss of customer data.
Information Security Policy
Purpose: To ensure the security of data, systems, equipment, and network communications, the Company has established an information security management framework. This framework aims to effectively reduce the risks associated with human error, intentional acts, or natural disasters that may lead to the theft, improper use, leakage, alteration, or damage of information assets. The primary goal is to uphold the confidentiality, integrity, and availability of information.
Scope: The scope of the Company’s information security management encompasses all subsidiaries, branches, personnel involved in information operations, management systems, applications, data, documents, storage media, hardware equipment, and network facilities.
Content:
- Establish a dedicated information security unit within the organization to drive information security initiatives.
- Evaluate personnel appointments and job assignments, and establish controls and manpower backup arrangements for personnel who leave, take leave, are suspended, or are transferred.
- Conduct regular information security education and training to enhance staff awareness and competence.
- Establish a system for the safekeeping of information assets, efficiently allocating, utilizing, and managing information resources.
- Assess the security levels of information assets and grant appropriate access permissions to relevant personnel.
- Consider anti-damage and anti-theft design for buildings, and reinforce control over important facilities and specific areas.
- Enhance computer network defense technology to block external intrusion and damage in a timely manner.
- Establish control systems and maintain comprehensive records for computer system additions or changes to facilitate auditing.
- Develop an information security emergency response mechanism and a disaster recovery and business continuity exercise plan, conducting regular drills and documenting test results.
- Adhere to operational specifications from supervisory authorities and update relevant information regulations in a timely manner to comply with legal requirements.
The Company’s Information Security Policy applies to both the Company and its domestic and overseas subsidiaries. It is guided by the following four principles:
- Compliance with regulatory authorities’ operational guidelines and timely updates to relevant information regulations to ensure legal conformity.
- Establishment of a system for the safekeeping, allocation, utilization, and management of information assets.
- Protection of the confidentiality, integrity, and availability of both corporate and customer information.
- Enhancement of computer network defense technologies to prevent external intrusion and damage, thereby ensuring business continuity.
The Company’s information security strategy is anchored in three main pillars: anti-virus, anti-hacking, and anti-data leakage. It is supported by internal control systems such as firewalls, antivirus software, and endpoint protection tools. These measures are aimed at strengthening the Company’s ability to defend against external attacks and to protect internal confidential information.
The Company has implemented a comprehensive Information Security Management System (ISMS) to mitigate information security risks from the perspectives of systems, technologies, and procedures. The ISMS framework is designed to meet customer security requirements and continuously improve through the Plan-Do-Check-Act (PDCA) cycle.

In the “Plan” phase, the Company places emphasis on information security risk management. To strengthen its information security posture, the Company implemented the ISO 27001 Information Security Management System (ISMS) certification in 2024. This ensures that all information systems operate under standardized management protocols, thereby reducing security vulnerabilities and anomalies caused by human error. Additionally, through annual internal audits, the Company continues to make improvements to its information security practices. Following the successful attainment of ISO 27001 certification, the Company has committed further resources to pursue TISAX (Trusted Information Security Assessment Exchange) certification. TISAX addresses information security requirements specific to the automotive industry and is a security standard optimized to meet the precise needs of that sector. More information on the TISAX certification is available at the official website: https://enx.com/en-US/TISAX/.
In the “Do” phase, the Company has built a multi-layered information security defense framework, continuously adopting new risk control technologies. Through intelligent and automated mechanisms, the efficiency of detecting and responding to various information security incidents is significantly improved. The Company has also enhanced its processes for safeguarding information and network security, ensuring the protection of critical corporate assets.
In the “Check” phase, the Company regularly monitors the effectiveness of its information security management indicators. The ISO 27001 management system is subject to annual third-party reassessment audits. Furthermore, for all new information systems, vulnerability scans are required from vendors prior to system launch, ensuring a consistent level of security defense.
In the “Act” phase, the Company reviews outcomes and drives continuous improvement. Disciplinary measures are applied in accordance with internal regulations in cases where employees or contractors violate information security policies. Additionally, ongoing information security training is provided to all personnel to raise awareness and reinforce a culture of cybersecurity.
Information Security Risk Management Framework and Execution Strategy
Information Security Risk Management Framework
In 2024, the Company established the “Information Security Management Committee” to oversee the planning and management of information security operations. This committee is responsible for the development and implementation of the Information Security Management System (ISMS), as well as the formulation, execution, risk management, and compliance auditing of information security-related policies. The Information Security Management Committee is chaired by the Company’s General Manager, with department heads from all major business units—including Finance, Human Resources, Research & Development, Engineering, and Production—serving as committee members (as illustrated in the diagram below). In parallel, the Company also established a dedicated Information Security Office, which is responsible for planning both information and physical security, conducting internal audits, and leading the overall operations of the committee.
The Committee conducts an annual management review meeting to evaluate the results of information security risk analyses and assess corresponding control measures. This ensures the continued suitability, adequacy, and effectiveness of the ISMS. The Committee also reports annually to the Board of Directors on the effectiveness of information security management and the strategic direction of cybersecurity initiatives.

In addition, the Company’s information security management framework is based on the Cybersecurity Framework (CSF) developed by the U.S. National Institute of Standards and Technology (NIST).
This framework provides a comprehensive and effective structure for managing cybersecurity risks. The Company has adopted NIST CSF Version 2.0, which includes six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Each function is supported by a set of information security control categories, ensuring that the Company possesses a robust capability to address cybersecurity threats. A summary of the Company’s corresponding control measures is provided below:
- Govern: Establishes Group-wide information security risk management policies to ensure that security controls comply with regulatory standards. It also defines clear guidelines to govern internal operations related to information security across the organization.
- Identify: Involves the identification of information assets, assessment of security risks, and analysis of the Company’s operating environment to ensure a deep understanding of potential cybersecurity challenges.
- Protect: Implements appropriate policies, procedures, and technical controls to safeguard information assets. The objective is to maximize security effectiveness within the constraints of available resources and reduce potential risks to critical information.
- Detect: Establishes appropriate monitoring systems to detect potential cybersecurity events at an early stage, enabling prompt and effective response.
- Respond: Maintains a dedicated incident response team and mechanism to address security incidents swiftly, minimizing potential impact and damage.
- Recover: Develops a comprehensive Business Continuity and Disaster Recovery Plan (BCP/DRP) to ensure that operations can resume as quickly as possible following a security event or disruption.

Information Security Risk Management Execution Strategy
The Company’s execution strategy for information security risk management is built upon three lines of defense to ensure comprehensive cybersecurity protection:
First Line of Defense: Information and Internal Units
At this level, the Information Unit and internal units share the responsibility for executing information security measures. Their duties include ensuring the comprehensive implementation of security policies and the correct execution of information security operations.
Second Line of Defense: Information Security Unit
The Information Security Unit is responsible for this level. Its duties include developing and managing information security procedures and supervising the implementation of the overall cybersecurity risk management framework. This line ensures that information security procedures are appropriately designed and managed, while also monitoring and promoting the effective execution of cybersecurity risk management.
Third Line of Defense: Audit Unit
The Audit Unit is responsible for this level. Its duties include verifying the effectiveness of cybersecurity risk controls and auditing the compliance of internal information security measures with established standards. This line ensures the effectiveness of cybersecurity risk controls while conducting audits of internal security practices to ensure compliance and efficiency.

Specific Management Plan
To achieve the information security policy and objectives and establish comprehensive cybersecurity protection, the Company implements the following management initiatives:
- Enhancement of Cybersecurity Protection Capacity: In addition to conducting vulnerability assessments of cybersecurity systems, the Company collaborates with the Taiwan Computer Network Incident Coordination Center (TWNIC) to verify relevant security information and vulnerabilities. Based on these findings, the Company hardens and patches existing systems to mitigate cybersecurity risks. Furthermore, a Security Incident Response Plan has been established. This plan includes impact and loss assessments based on the severity of the incident, followed by appropriate response actions.
- Improvement of Information Security Management Procedures: The Company has established an information security framework based on the National Institute of Standards and Technology (NIST) standards, with corresponding metrics in place. Employees are required to comply with information security policies and follow Standard Operating Procedures (SOPs). Additionally, continuous improvement is ensured through a Plan-Do-Check-Act (PDCA) cycle.
- Enhancement of Email and Endpoint Security: The Company has implemented Microsoft Defender for Office 365 to counter email threats such as fraud, spam, phishing, and malware. In addition, the Company has upgraded endpoint antivirus programs and installed malware detection tools to enhance the overall security defenses of client systems.
- Adoption of International Information Security Certifications: The Company has achieved ISO 27001 Information Security Certification, which serves as the foundation for managing risks and as a benchmark for performance evaluation. The Company has also established a corresponding Information Security Management Committee to promote standardized operations and reduce operational risks.
- Training and Awareness Implementation: The Company conducts company-wide information security training and periodic social engineering phishing email tests to enhance cybersecurity awareness. This ensures that information security practices are embedded in the operations of both management and every employee.
Employee Information Security Training
In November 2024, VPIC1 in Vietnam conducted ISO 27001:2022 information security orientation training for newly hired Vietnamese employees across various departments. Approximately 30 participants attended the two training sessions in total.

On December 11, 2023, VPIC1 in Vietnam conducted ISO 27001:2022 Information Security Management System education and training for Vietnamese staff responsible for information security in various departments. A total of 59 personnel participated.

Participation in External Cybersecurity and Threat Intelligence Alliances
Between November and December 2023, the Company successively joined cybersecurity and threat intelligence organizations in Taiwan and Vietnam. The Company now regularly receives external cybersecurity intelligence, including information on product vulnerabilities, hacker group attack activities, and cyberattack detections within the Group’s domain. By leveraging these external alliances, the Company broadens its sources of threat intelligence, enabling cybersecurity personnel to protect the Group’s information assets, network security, production safety, and overall information security more comprehensively.

Regular Distribution of Cybersecurity Monthly Bulletin
At the beginning of each month, the Company distributes a Cybersecurity Monthly Bulletin to senior management, managers, and deputy managers. The bulletin covers topics such as recent cybersecurity news, noteworthy issues or developments, and general cybersecurity knowledge, with the goal of enhancing cybersecurity awareness among the Group’s leadership and management personnel.

Verification of TISAX – Cybersecurity Assessment for the Automotive Industry
The Company plans to launch a TISAX (Trusted Information Security Assessment Exchange) evaluation project in 2024, aligning with the growing cybersecurity expectations for automotive industry suppliers. To meet customer requirements for Assessment Level 2 (AL2), the Company will expand upon its existing ISO 27001:2022 management system to include personal data protection and GDPR compliance. The Company aims to obtain TISAX certification by 2025.

Information Security Management System and Certification
To ensure the establishment of robust information security practices, the Company implemented a comprehensive Information Security Management System (ISMS) and initiated ISO/IEC 27001:2022 in November 2023. As part of the implementation, the Company developed 24 new information security policies and procedures, along with 54 control forms. The system was fully established by mid-2024, and after passing the audit by an independent third-party certification body (TÜV), the Company obtained the ISO 27001 certification in August 2024.
