Information Security Policy

Objectives

To strengthen Evergreen Marine Corp.'s (hereafter referred to as the company) information security management to ensure the security of data, information systems, financial equipment and networks, this policy is formulated to specify the company's information security management organization, staff education and training, computer hardware/software and network and physical security guidelines. It is applicable to all colleagues, to assist users to carry out their operations without interruption, and to ensure the security of information media to achieve the company's information security goals which are listed below:

  1. To maintain the continuous operation of the information system.
  2. To ensure the confidentiality, integrity and availability of information.
  3. To prevent the inappropriate and/or illegal use of information.
  4. To avoid incidents caused by human error.
  5. To prevent hackers and viruses etc. from infiltrating, infecting and causing damage.
  6. To maintain the security of the physical environment.

The scope of the company's information security management includes:

  1. Information security organization and responsibilities.
  2. Information security documents and records management.
  3. Information security index management.
  4. Project information security management.
  5. Personnel safety management.
  6. Information asset and risk assessment management.
  7. Information equipment authorization and protection management.
  8. Security area management.
  9. Network and communication management.
  10. System development and maintenance management.
  11. Third party service management.
  12. Information security incident management.
  13. Business continuity management.
  14. Information security internal audit.
  15. ISMS Statement of Applicability.
  16. Implementation of information security management system.
  17. Office information operation management.
  18. IoT devices security management and control.
  19. Application system authority management.
  20. Key and certificate management.

Information Security Management Strategy and Framework

  1. Information Security Management Committee

    The information security management committee is set up to implement the company's information security management system, to formulate information security governance development strategies and directions, to protect the confidentiality, integrity, and availability of information assets, to ensure smooth business operations and uninterrupted information services.

  2. Information Security Management Committee Structure
    • Information Security Management Committee: The company's information security management policy organization.
    • Internal Control and Audit Team: review the implementation of information security in line with the organization's policies and procedures, to supervise audits and to implement corrective, preventive and improvement measures.
    • Information Security Management Team: responsible for the planning, establishment, implementation, maintenance, review and continuous improvement of the information security management system, and reporting information security related issues to the information security management committee.
    • Human Resources Team: assist the information security management committee to implement the planning and management of the company's human resources security system.
    • Information Security Working Team (contact person of each dept.): assist the information security management team to coordinate matters of information security management.
  3. The Information Security Management System

    The company establishes, records, implements and maintains an information security management system in accordance with the requirements of the ISO/IEC 27001:2013 standard, continuously improving the effectiveness of the system. The company adopts a "Plan-Do-Check-Act" (PDCA) cycle:

    • Planning and establishment (Plan): According to the company's overall strategy and goals, establish an information security management organization to control potential threats and vulnerabilities, plan risk assessment, and design a control mechanism to establish the information security management system.
    • Implementation and operation (Do): Based on the results of the Plan, establish or revise the proper control mechanism.
    • Supervision and audit (Check): Supervise the implementation of various operations of the information security management system, and evaluate and audit its effectiveness.
    • Maintenance and improvement (Act): According to the results and suggestions of supervision and audit, implement corrective measures, improve and implement the proper control mechanism to maintain the operation of the information security management system.

Information security protection and specific management

The company's information security control measures are listed below:

  1. The information security management committee is set up to implement the company's information security management system, to formulate information security governance development strategies and directions, to protect the confidentiality, integrity, and availability of information assets, to ensure smooth business operations and uninterrupted information services.
  2. Through the implementation of the information security management system, declare the determination of top management to support information security, reduce the impact of information security incidents, and continue to operate and improve the information security management system while protecting the rights and interests of the company and customers.
  3. Establish procedures for creating, amending, abolishing, announcing, storing and destroying information security documents to ensure that they are updated in a timely manner.
  4. Security control mechanisms should be considered at the initial stage of system development.
  5. Establish a business continuity plan based on business needs, and conduct regular test drills to maintain its applicability.
  6. Employees are to be granted only the authority and information necessary to complete their work duties.
  7. Employees who observe or suspect a security breach, weakness or violation of security policies or procedures must report them in a timely manner.
  8. Information security procedures should be planned in advance of any project which includes issues relating to information security.
  9. Implement information security-related training and awareness every year.
  10. Regularly conduct information asset classification and risk assessment.
  11. Regularly perform information security self-inspection to maintain the effective operation of the information security management system and the implementation of control procedures.
  12. Implement network and communication security management.

Invest resources in information and network communication security management

  1. Software and hardware equipment

    The company has invested in high-standard software and hardware equipment with automatic information security monitoring and notification. This gives full visibility into internal and external network traffic, so that dedicated personnel can intervene immediately with emergency blocking and preventive treatment.

  2. Information security management committee organization and meetings

    The organization has 62 personnel and holds a management review meeting regularly every year.

  3. Education and training

    Every year, the company conducts an online (E-learning) course of "Information Security Protection Education and Training" for all employees and related companies, which advises on the precautions to take when using information equipment, receiving and sending e-mails and public materials. Colleagues must pass the online information security test to demonstrate that they have a complete concept of information security protection. A total of 2,444 colleagues will complete the training in 2024.

    In addition, a special course on "Global Information System Integration Planning" was launched for expatriates, including information security and computer room management, issues related to system authority authorization, and an introduction to the local computer network connection structure.

  4. Social engineering drill

    Through information security education and training, we will improve colleagues' security awareness of risky emails, send simulated malicious emails to all employees in the company for testing, and strengthen the information security training for colleagues who have failed, which will be completed in 2024.

Major information security incidents

The company had no information security incidents that resulted in losses in 2024.

Obtained ISO 27001 certificate

The company obtained ISO 27001 information security management system certification on December 9, 2022, and the certificate is valid until October 31, 2025.