The Policy is enacted in order to ensure that the confidentiality, integrity and availability of the information assets vested in KINGFOND CORPORATION (hereinafter referred to as "the Company") comply with the requirements under the related laws and regulations and to prevent the same from any intentional or negligent threat, internally or externally, and subject to the Company's business needs.

1. Scope

The Policy is applicable to the Company's personnel, contractors and visitors, et. al. The Information security management covers 14 areas to avoid the potential risks and hazards caused to the Company due to the misuse, disclosure, tampering or ruining of the Company's information resulting from such factors as negligence, intention or natural disaster. The areas are specified as following:

• Enactment and evaluation of the Information security policy.
• Information security organization.
• Human resource safety management.
• Information assets management.
• Access control safety management.
• Cryptography safety management.
• Tangible and environment safety management.
• Operating safety management.
• Communications safety management.
• System retrieval, development and maintenance safety management.
• Information security incident management.
• Continuing operations management safety.
• Laws and regulations and compliance management.
• Supplier management.

2. Objectives

In order to maintain the confidentiality, integrity and availability of the Company's information assets and to protect users' information privacy safety, the Company expects that all of the Company's staff may work with each other to achieve the following objectives:

• To protect the Company's service safety and ensure access to information only by the authorized personnel to maintain the confidentiality thereof;
• To protect the Company' s service safety and to avoid modifications without authorization to ensure the correctness and integrity of the information;
• To establish the Company's sustainable business plan to ensure the continuing operations of the Company's services;
• To ensure that the Company's services are performed in accordance with the requirements under the related laws or regulations.

3. Responsibility

• The Company shall establish the Information security organization dedicated to boosting the Information security affairs.
• The management shall actively take part in supporting the Information security management system and implement the Policy through adequate standards and procedures.
• The Company's personnel, contractors and visitors shall follow the Policy.
• The Company's personnel and contractors shall be obligated to report any Information security incident or weakness via the adequate reporting mechanism.
• In the event of any acts endangering the Information security, the Company will pursue the offender's civil, criminal and administrative liabilities or discipline the offender pursuant to the Company's related rules, subject to the circumstances.