
Information Security and Customer Privacy

Information Security Governance and Responsibilities

In 2023, IRON FORCE established the Information Security Task Force, led by the Chief Information Security Officer (CISO). Under this structure, three sub-groups were formed: the Information Security Audit Group, the Information Security Operations Group, and the Incident Response Group.

In 2024, IRON FORCE adopted the TISAX (Trusted Information Security Assessment Exchange) certification, aligned with international automotive information security standards. The company formulated the TISAX Procedures Manual as the basis for managing organizational information and communication security.

    • The Information Security Audit Group is responsible for planning and executing security audits, monitoring the implementation and improvement of the information security system, and preparing audit reports. It promotes TISAX-ISA self-assessments across departments and compiles the results to ensure continued effectiveness.
    • The Information Security Operations Group, composed of department heads assigned by the CISO, is responsible for drafting, reviewing, evaluating, and implementing security policies. It also manages information security data collection, training, and technical services, and maintains control mechanisms and security monitoring. It handles the management of security incidents and status.
    • The Incident Response Group is responsible for emergency response during disasters, including rescue operations and notification procedures.

Information Security Management Strategy

In the digital and global business environment, information security is crucial for business operations and customer trust. IRON FORCE understands the importance of confidentiality, integrity, and availability of information assets for continuous operation. The company is committed to establishing and maintaining a comprehensive information security management strategy in compliance with relevant regulations to identify and mitigate internal and external information security risks.

Information Security Policy

To ensure confidentiality, integrity, and availability of information assets, IRON FORCE establishes a secure and trusted computerized operating environment. It guarantees the security of company data, systems, equipment, and networks and prevents unauthorized modification or use of data and systems. Department heads regularly review and update the policy to ensure its effectiveness.

Specific Management Measures

In accordance with the information security policy, IRON FORCE implements a series of specific management measures to protect information security in a systematic and standardized manner.

Information Security Incident Reporting and Response Procedure

IRON FORCE has established a preventive Information Security Incident Reporting and Handling Procedure to minimize the impact of security incidents and promptly address potential issues. In 2024, no major information security incidents causing losses occurred at IRON FORCE.

    ■ Information Security Incident Reporting and Response Flowchart:
      Information security incident discoverer → Information Security Operation Team assesses incident severity → Emergency Response Team evaluates impact scope (records incident in "Information Security Incident Report Form") → Relevant system or business units execute appropriate response measures → Convenor decides if external statement is required → Determine if related stakeholders need to be notified.

Information Security Training

IRON FORCE conducts annual training to enhance employees’ awareness and expertise in information security and privacy protection. Training includes new employee orientation and TISAX information security awareness courses. In 2024, total training hours for information security-related sessions reached 220 hours.