Ethical Corporate Management

Integrity and Transparency
A Promise-Keeping Company

FATC is a law-abiding, ethically driven enterprise that continuously strengthens its corporate governance and risk control mechanisms. Through comprehensive training and internal communication, FATC deepens ethical conduct across the whole workforce, and by pursuing shared prosperity within the industry it aims to become the most trusted company.

100%
Building a culture of integrity in business operations: in 2024 a total of 2,320 employees received training (new employees are trained separately), totaling 6,960 hours, with a 100% coverage rate for professional ethics training.

Top 20%
11th (2024) Corporate Governance Evaluation: ranked in the top 20% of listed companies.

0
0 information-related complaints or violations; ISO 27001 certification obtained.
Integrity and Ethical Business Practice
Number of corruption cases: 0
Number of major legal violations: 0
Code of ethics training coverage: 100%
Integrity and Ethical Business Practice
FATC complies with laws and regulations and adheres to ethical standards. Upholding the corporate culture of "diligence and simplicity" (勤勞樸實) and a business philosophy of integrity, fairness and transparency, and self-discipline and accountability, the company formulates and implements its ethical conduct policies in pursuit of sustainable development.
Corporate Governance

FATC adheres to relevant laws and regulations and maintains a structured corporate governance framework to ensure operational stability and protect the rights and interests of stakeholders. In 2023, FATC was once again selected as a constituent of the “Taiwan Employment 99 Index” and ranked in the top 20% of listed companies in the 10th Corporate Governance Evaluation, reflecting strong recognition of our continued commitment to sound corporate governance.

FATC Governance Structure
Risk Management

Globalization and technological progress have made the business environment more complex, and global issues such as climate change, geopolitical risk and disruption of global supply chains have direct or indirect potential impacts on enterprises. Facing a volatile and uncertain environment, FATC draws on the COSO Enterprise Risk Management framework to progressively build a comprehensive risk management system and strengthen its risk culture, aiming to become a more resilient, stable and competitive enterprise.

Risk Management Committee Organization Chart
Risk Management Process

In 2024, FATC continued to use risk management tools such as sensitivity analysis and stress testing to evaluate key non-financial risk factors: water shortages, power outages, cybersecurity incidents that halt production-related IT systems, and price fluctuations in critical raw materials. By simulating various scenarios, we assessed the potential impact of these risks on production output, revenue and gross margin. This gives a more comprehensive understanding of the risks and opportunities the company faces and allows us to formulate corresponding risk management and control strategies.

Corporate Operational Risk

To address business risks, FATC annually identifies the risk items raised by the SR Office, then rates each identified item by its frequency of occurrence and degree of impact and takes corresponding measures. In 2023, a total of 218 risk items were identified: none required immediate improvement, 7 required planning and implementation of risk control measures, 140 were placed under indicator monitoring, and 71 required continuous observation. In 2024, a total of 184 risk items were identified: none required immediate improvement, 8 required planning and implementation of risk control measures, 95 were placed under indicator monitoring, and 81 required continuous observation.

Information Security Risks and Mitigation Measures

To safeguard both corporate and customer information, FATC proactively implements company-wide information security measures and has obtained certification for the ISO 27001:2022 Information Security Management System, valid from 2025/5/15 to 2028/5/15, so as to earn the trust of all interested parties in its information security.

To ensure and maintain overall information security and to establish a secure and trustworthy digital environment, FATC has established an Information Security Policy as the foundation for developing and strengthening its information security framework. All employees are obligated to support the implementation of information security measures so that the related mechanisms can be carried out effectively. The company’s management has clearly defined the direction of information security development and demonstrated its support and commitment. The Information Security Statement is the highest guiding principle for FATC’s information security and the company’s firm commitment to it. FATC’s Information Security Statement reads: “To ensure the confidentiality, availability, and integrity of information assets in order to protect the interests of customers, the company, shareholders, employees, and suppliers, while fulfilling our corporate social responsibility.”

The scope of FATC’s information security initiatives includes:
  • Establishing an information security governance structure, regularly reviewing information security protection measures and related regulations, and promoting all information security initiatives.
  • Promoting information security education and awareness for new hires, existing employees and external personnel, so that everyone understands the company’s information security policies and requirements, reducing risks such as fraud, data leakage and misuse of equipment. Personnel are made aware of security threats and issues and of their own responsibilities and obligations, so that they support the company’s information security policy. In addition, complete information security control procedures are executed when personnel resign or transfer, to avoid creating information security risks.
  • To mitigate the information security risks of interconnected systems, adopting a defense-in-depth architecture: firewalls, malicious URL filtering, antivirus protection, email virus and content security filtering, and patch updates for computer systems. These measures keep employees’ internet access and email use secure and reduce the risk of data leakage.
  • Implementing system access authentication, portable storage device (e.g. USB) management and physical access control to regulate access by personnel and to information, preventing unauthorized individuals from accessing systems, information, information processing equipment and networks.
  • To ensure business continuity, regularly performing information system backups and disaster recovery drills so that critical business activities can be restored promptly.
  • Conducting an annual company-wide information security audit to avoid violations of laws, regulations, contractual obligations and security requirements.
  • Establishing an information security incident reporting procedure to ensure that incidents are communicated and handled promptly when they occur.
  • Joining the TWCERT cybersecurity joint defense alliance and establishing a complete threat intelligence reporting procedure.
In response to rapidly evolving technology and ever-changing information security threats, the company has deployed CrowdStrike endpoint protection and Symantec Endpoint Protection (SEP) antivirus on its computers, and internal network access is controlled through authentication to maintain network security. The company also uses the Nessus vulnerability scanner to identify critical vulnerabilities and risks and promptly patches them to keep its systems secure. Given the frequent cases in recent years of attackers breaking into enterprises through social engineering, the company has introduced Content Disarm and Reconstruction (CDR) for email attachments to ensure files are free of malicious content, and regularly conducts social engineering drills and training to reduce social engineering risk.
Information Security Management

To protect both corporate and customer information, FATC actively promotes company-wide information security policies and has obtained ISO 27001:2022 Information Security Management System certification (valid from 2025/5/15 to 2028/5/15), demonstrating its commitment to earning the trust of all interested parties in its information security practices.

ISO/IEC 27001:2022

Information Security Organization Structure

The company’s information security policy statement is: “To ensure the confidentiality, availability, and integrity of information assets, thereby safeguarding the interests of customers, the company, shareholders, employees, and suppliers, while fulfilling our corporate social responsibility.”

An interdepartmental Information Security Committee has been established, chaired by the President, with the first-level supervisors of each department as members. The members are the Chairperson of the Information Security Committee (the highest-ranking executive of the MIS), the SR Office, the Finance Department, the Administration Department, the Quality Management Department, the R&D Center, the Sales Department, the Production Control Department, the Facilities Department, the MIS and all production departments.

The Information Security Committee convenes regularly and is primarily responsible for planning, formulating, approving and supervising information security policies, objectives and related regulations. It also reports the effectiveness of information security management to the Board of Directors.

A Chief Information Security Officer has been appointed, a post held by the highest-ranking executive of the MIS. Four dedicated information security staff are responsible for promoting the information security business continuity plan, conducting information asset inventories and information security risk assessments, and establishing and implementing the corresponding management systems and technical safeguards, all aimed at maintaining information security.

Operational Continuity and Drills:

We classify information systems by the degree of their impact on operations, as follows:

Level | Description | Drill frequency | Backup frequency
A | Critical server | At least once per year | Daily
B | Primary server | At least once every 2 years | Weekly
C | General server | At least once every 3 years | Quarterly
D | Other server | Irregular | Semiannually

Critical servers have multiple redundancy mechanisms and are kept on different media and in server rooms at separate facilities. Drills are conducted each year according to classification level; in 2025 the execution rate for Level A servers was 100%.
Update: 2026/01

Information Security Training and Targets:

FATC holds company-wide information security training for all employees every year to raise their security awareness. New employees receive information security training immediately upon joining, to prevent violations caused by unfamiliarity with the company’s security rules.

At least one management review meeting and two information security meetings are held each year, with ad hoc meetings convened when necessary.

A monthly information security evaluation is held so that all staff take part in information security and understand the objectives and requirements of the company’s information security program. To reduce the harm caused by social engineering, the company also holds unscheduled social engineering drills every month, raising employees’ awareness of suspicious emails and links.
Course topic | Target | Trainees | Total training hours | Coverage rate
ISO 27001 control measures | Information security committee members, information security officers, information security auditors | 44 | 264 | 100%
Social engineering awareness training | All employees | 2,389 | 2,389 | 100%
Information security awareness training | New employees | 170 | 170 | 100%
Social engineering training | Employees who clicked in drill tests | 11 | 11 | 100%
Information security equipment management training | System administrators | 4 | 16 | 100%

Information Security Management Performance:

Number of information security incidents and fines imposed
Item | 2022 | 2023 | 2024 | 2025
Number of information security incidents | 0 | 0 | 0 | 0
Number of incidents involving customer personal data | 0 | 0 | 0 | 0
Number of customers affected by data breaches | 0 | 0 | 0 | 0
Amount of fines imposed | 0 | 0 | 0 | 0
Update: 2026/01

Information Security Protection Strategy:

Multi-layered information security protection | Content
Cybersecurity | Regularly perform vulnerability scans and system software updates; deploy WAF, IPS, firewalls and other network security control devices; implement email attachment sanitization with CDR (Content Disarm and Reconstruction) to keep email files free of malicious content
Device security | Implement a company-wide antivirus system; introduce endpoint protection measures to block malware
Application security | Establish standardized software development procedures; strengthen application security controls
Supply chain information security | Establish a supplier information security assessment mechanism; communicate the company’s information security rules and guidelines to suppliers
Data security enhancement technologies | Classify and protect documents by confidentiality level; control USB access; control outbound email
Update: 2026/01

Review and continuous improvement | Content
Training and awareness | Conduct regular email social engineering drills; hold regular information security training for employees to raise security awareness
Update: 2026/01

Information Security Objectives:

To implement information security management and strictly review its execution, we set quantitative objectives for information security. For 2025, six objectives were set covering confidentiality, integrity and availability, and all of them were achieved.

Category | Item | 2025 objective | 2025 performance
Confidentiality | Number of unauthorized accesses to or uses of sensitive documents | 0 | 0
Integrity | Click rate and attachment open rate in social engineering drills | Less than 2% | 0.17%
Integrity | Deployment completion rate of OA Client Hot-Fix | Greater than 99% | 99%
Availability | Downtime of the OA system | Less than 30 minutes | 0
Availability | Downtime of the OA database | Less than 30 minutes | 0
Note: the information security defense effectiveness index is calculated monthly from weighted security evaluation scores.
Update: 2026/01
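As an added example (not FATC's own tooling), the following Python script derives the per-recipient click-or-attachment-open rate of one social engineering drill from an event log and checks it, together with OA uptime and hot-fix figures, against the thresholds in the 2025 objectives table above; the log format, user ids and all figures are constructed assumptions.

```python
"""Check measured 2025 figures against the objectives table (added example; log and figures constructed)."""
from collections import defaultdict

# Thresholds copied from the 2025 objectives table: (comparison, limit).
OBJECTIVES = {
    "unauthorized_sensitive_document_access": ("==", 0),
    "drill_click_or_attachment_open_rate": ("<", 0.02),
    "oa_client_hotfix_deployment_rate": (">", 0.99),
    "oa_system_downtime_minutes": ("<", 30),
    "oa_database_downtime_minutes": ("<", 30),
}

def build_sample_log() -> str:
    """Constructed drill log, one event per line: '<time> <event> <user>'."""
    lines = [f"2025-03-04T09:00:00 sent u{n:03d}" for n in range(1, 201)]
    lines += [
        "2025-03-04T09:12:40 click u002",
        "2025-03-04T09:13:05 click u002",  # repeat click: counted once
        "2025-03-04T09:31:17 open u004",   # attachment opened
        "2025-03-04T09:40:00 click u999",  # not a recipient: ignored
    ]
    return "\n".join(lines)

def drill_metrics(log: str) -> dict:
    """Per-recipient results of one social engineering drill."""
    users_by_event = defaultdict(set)
    for line in filter(None, log.splitlines()):
        _time, event, user = line.split()
        users_by_event[event].add(user)
    recipients = users_by_event["sent"]
    if not recipients:
        raise ValueError("drill log has no 'sent' events")
    clicked = users_by_event["click"] & recipients
    opened = users_by_event["open"] & recipients
    failed = clicked | opened  # a user who clicked or opened counts once
    return {
        "sent": len(recipients),
        "clicked_opened": (len(clicked), len(opened)),
        "click_or_open_rate": len(failed) / len(recipients),
        "failed_users": sorted(failed),  # candidates for follow-up training
    }

def evaluate_objectives(measured: dict) -> dict:
    ops = {"==": lambda a, b: a == b, "<": lambda a, b: a < b, ">": lambda a, b: a > b}
    return {item: ops[op](measured[item], limit) for item, (op, limit) in OBJECTIVES.items()}

def sample_measurements() -> dict:
    """Constructed figures; only the drill rate is derived from the sample log."""
    return {
        "unauthorized_sensitive_document_access": 0,
        "drill_click_or_attachment_open_rate": drill_metrics(build_sample_log())["click_or_open_rate"],
        "oa_client_hotfix_deployment_rate": 0.995,
        "oa_system_downtime_minutes": 0,
        "oa_database_downtime_minutes": 0,
    }
```

Because the hot-fix objective is a strict "greater than 99%", a measured 99.0% would be reported as missed by this check; state the rounding convention alongside the target when reporting.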