Information security management

We are one of the leading developers and suppliers of precision monitoring and measurement equipment, and we are fully committed to the further development of our information security framework through technology development and close collaboration with key partners. This is essential for protecting our important information assets and customer data. In the face of increasingly severe information security threats, we obtained ISO 27001 information security management system certification in January 2022 to ensure continuous process improvement through the plan-do-check-act (PDCA) cycle.

Information security management framework

We have established an Information Security Management Office to plan and implement information security policies, and have assigned resources for the planning and monitoring of the information security system and its management. The Information Security Management Office is organized into the Security Audit, Security Management, and Information Security Emergency Response Teams, and information security management is carried out in each business unit.

The Information Security Management Office manages and promotes all matters related to information security. The office holds at least one management meeting each year to review the status of remediation of issues found in previous audits, to examine internal and external issues relevant to the information security management system, and to incorporate the findings into the management system.

The performance of information security management in 2022 was as follows:

  • One server room infrastructure and redundancy drill, covering the information and communication infrastructure.
  • The annual business continuity plan (BCP) drill, covering 15 items, was carried out. This included the redundancy function and backup mechanism of the major information system server(s) as a routine operation.
  • Backup data restoration was verified 58 times to ensure the availability of backup data.
  • Scanning for internal and external system vulnerabilities was done twice and two social engineering drills were also carried out.
  • Six sessions (28 hours) of information security education and training were carried out for IT staff, and one 2-hour session was carried out for general employees on the need for information security. An information security awareness test was also conducted to improve response and raise employees' alertness to information security risks.
  • No unit reported a harmful security incident, and there was no external complaint or complaint from the supervisory authorities about information security operations in any Chroma unit in 2022.

Information security management action

Based on the information security implementation model, actual information security management actions are as follows:

  1. Network security: Introduce advanced detection technology to monitor the information network, block malicious cyberattacks, gather intelligence on information security threats, and prevent the spread of computer viruses.
  2. Device security:
    • Optimize end-point antivirus and virus scan mechanisms to prevent ransomware and malware.
    • Enhance the detection of malware, Trojan attachments, and phishing mails in the email system.
    • Detect suspicious networking behavior and block malicious and high-risk websites, links or file downloads.
  3. Application security:
    • Set security check and assessment standards and improvement targets in the application development process.
    • Continuously enhance the security control mechanisms and patch potential application loopholes.
  4. Data protection: Establish a user password management mechanism and network security zone segregation, and maintain access control and data security.
  5. Personnel account management, education and training: Set password principles and requirements and ensure regular password changes. Arrange education, training, and tests to assess employees' awareness of information security.
  6. Information security incident performance: Continuously monitor and collect security protection operation records, gather and analyze information security intelligence, and establish procedures for reporting and handling information security incidents.

The aim of information security management is to develop a set of assessment criteria that continuously raise the level of information security defense. Three important elements are involved: personnel, technology, and process, together with five important security management technology aspects: identification, protection, detection, response, and recovery. Together with our other information security plans and processes, and the maturity of our information security, these cover the full life cycle of cyber security risk management.
