ESG Report 2024
5.4 Information Security

Information security infrastructure is an essential method employed by the Group to safeguard internal information and customer privacy. Any leakage of confidential corporate information or customer data can have adverse impacts and lead to losses for the company itself, customers, and other stakeholders. In compliance with relevant laws and regulations such as the “Law of the People's Republic of China on the Protection of Consumer Rights and Interests”, the “Cybersecurity Law of the People's Republic of China”, the “Information Security Law of the People's Republic of China”, and the “Personal Information Protection Law of the People's Republic of China”, the Group has established “The United Laboratories Information Confidentiality Policy” and “The United Laboratories Patient Information Protection Policy” to uphold stakeholders' confidence in the Group's operations and services.

Aspect: Information Security

Relevant Laws, Regulations and Guidelines:
- The Law of the People's Republic of China on the Protection of Consumer Rights and Interests
- The Cybersecurity Law of the People's Republic of China
- Information Security Law of the People's Republic of China
- Personal Information Protection Law of the People's Republic of China

Internal Policies:
- The United Laboratories Information Confidentiality Policy
- The United Laboratories Patient Information Protection Policy
- International Internet Usage Management Policy
- Patient Personal Information Protection Policy
- Emergency Operation Procedures for Power Outage in the Computer Room
- User Agreement
- Privacy Protection Policy

During the Year, the Group did not experience any information leakage incidents, nor were there any legal disputes related to information security concerning the Group or its employees.

5.4.1 Information System Security

The Group regards information system security as an important responsibility in its corporate operations. The Group's Digital Centre is mainly responsible for promoting the digital transformation of the entire Group. This includes establishing and enhancing the information security system, software product development system, and business process optimisation system, as well as promoting the Group's information technology initiatives to ensure that the various tasks are closely aligned with the Group's development strategy.

Information Security Measures

User Security
- Regularly conduct information security awareness training for employees to prevent intentional or unintentional data breaches.
- Office computers are integrated into the domain control system, and unauthorized software installation or connection of portable storage devices is prohibited.
- User accounts require complex passwords, and password expiration is set at 180 days.

Network Security
- Deploy firewall, web behavior management, threat intelligence, zero-trust, bastion hosts, and SD-WAN devices to enhance network security.

System Security
- Equipped with Sangfor Technologies' Vulnerability Scanning System, which performs regular vulnerability scans on servers and promptly addresses high-risk vulnerabilities.
- All servers are equipped with centralized and managed Endpoint Detection and Response (EDR) software.
- Network security devices and antivirus software are integrated with the original equipment manufacturers' (OEM) network security devices and antivirus software, and the OEM Managed Security Services (MSS) provide continuous 24/7 security support.

Data Security
- Utilise document encryption systems to encrypt all data and strictly control the decryption process.
- Adopt a combination of offline and online backups to ensure full and incremental backups of databases and server systems. Regular recovery tests are conducted to ensure data availability, integrity, and confidentiality.
- Deploy Continuous Data Protection (CDP) systems to take over business operations and recover or rebuild data in the event of a system failure.

Hardware Security
- Conduct regular inspections of the computer room, equipped with environmental monitoring systems to monitor UPS power supply, cabinet temperature and humidity, lighting, and fire equipment. Any abnormalities are promptly reported through email or app notifications.
- The computer room is also under 24-hour video surveillance to ensure its security.

Environmental, Social and Governance Report 2024
The United Laboratories International Holdings Limited