ENLIGHT CORPORATION (hereinafter referred to as “the Company”) has established this Information Security Policy to ensure compliance by all employees, facilitate the smooth operation of user-related business processes, and secure all information assets, thereby achieving the Company’s information security objectives.

Scope

This policy applies to all permanent employees, contract staff, dispatched personnel, and other personnel employed by the Company, as well as visitors and external vendors.

Definitions

1. Information Security

Ensuring the confidentiality, integrity, and availability of information so that it can be securely, accurately, appropriately, and reliably utilized for the planning, execution, management, and other activities supporting the Company’s operational goals.

2. Information Security Management System (ISMS)

A part of the overall management system based on a risk-oriented approach to plan, establish, implement, operate, monitor, review, maintain, and improve information security.

3. Confidentiality

Ensuring that only authorized users can access information.

4. Integrity

Safeguarding the accuracy and completeness of information and information processing methods.

5. Availability

Ensuring authorized users have timely access to information and associated assets when required.

Information Security Management System (ISMS)

Overview

To demonstrate the commitment to information security, the Company ensures appropriate protection for all information and information systems. The ISMS is established, documented, implemented, and maintained in compliance with the ISO/IEC 27001:2022 standard and is subject to continuous improvement.

Objectives

  1. Implement appropriate safeguards to protect stored or transmitted information and prevent risks to it.
  2. Minimize impacts of incidents such as data corruption, theft, leakage, tampering, abuse, and infringement.
  3. Continuously enhance the confidentiality, integrity, and availability of all information service systems.

Operational Mechanism

The Company adopts the “Plan-Do-Check-Act” (PDCA) cycle, following the ISO/IEC 27001:2022 standard, to establish and implement the ISMS, ensuring its effective operation and ongoing enhancement.

  1. Plan: Establish the ISMS aligned with corporate strategy, assess potential threats, and develop control mechanisms.
  2. Do: Implement or amend control measures based on risk assessments.
  3. Check: Monitor, evaluate, and audit ISMS operations to ensure effectiveness.
  4. Act: Execute corrective actions based on audit findings to improve and maintain ISMS operations.

Management Responsibility

An Information Security Management Organization shall be established to:

  • Approve, promote, and supervise the Information Security Policy.
  • Allocate responsibilities and coordinate information security efforts.
  • Ensure alignment with the policy, objectives, and legal requirements.
  • Provide adequate resources for implementing, operating, and improving the ISMS.
  • Formulate risk acceptance criteria and manage risk levels.
  • Conduct audits, risk assessments, and periodic tests.
  • Evaluate and supervise security incidents and required communication measures.
  • Deliver annual information security training and assess its effectiveness.

Review and Audit

Management reviews shall be conducted biannually to evaluate the adequacy and effectiveness of the ISMS, documenting and maintaining records of all findings. Internal audits shall assess the compliance of objectives, controls, and procedures with standards, regulations, and organizational needs.

Continuous Improvement

The Company ensures ongoing enhancement of the ISMS through internal and external audit results, analysis of incidents, corrective actions, and management reviews.

Document and Record Management

All documents related to ISMS are controlled and updated according to established procedures. Records generated from ISMS operations are maintained securely with designated custodians for tracking system performance and ensuring effective operations.

Compliance

All personnel must comply with this policy. Violations may result in disciplinary action, including legal consequences under applicable laws, such as the Trade Secrets Act, Copyright Act, or Personal Data Protection Act.