ESG Report 2023

6.3.1 Information System Security The Group considers information system security as a critical responsibility in its business operations. In 2015, the Group Information Technology Centre was established to drive the overall digital transformation of the Group and ensure its alignment with the Group's development. The Information Technology Centre reports directly to the Group Chairman and is responsible for the following key functions: The Information Technology Centre has implemented the "Smart United Laboratories" System (“SUL System”), which integrates various business applications, including mobile platforms, public accounts, instant messaging, work applications based on user permissions, enterprise telephony, and video conferencing. This system provides integrated services to employees, promotes information sharing within the organization, enhances work efficiency, and strengthens the Group's core competencies. The SUL System has undergone domestic network security evaluations and has achieved a security protection level of S2A2, the second-highest level. Regularly conduct information security awareness training for employees to prevent intentional or unintentional data breaches. Office computers are integrated into the domain control system, and unauthorized software installation or connection of portable storage devices is prohibited. User accounts require complex passwords, and password expiration is set at 180 days. Information Security Measures User Security Deploy firewall, web behavior management, threat intelligence, zero-trust, bastion hosts, and SD-WAN devices to enhance network security. Network Security Equipped with the Sangfor Technologies' Vulnerability Scanning System, which performs regular vulnerability scans on servers and promptly addresses high-risk vulnerabilities. All servers are equipped with centralized and managed Endpoint Detection and Response (EDR) software. Network security devices and antivirus software are integrated with the original equipment manufacturers' (OEM) network security devices and antivirus software, and the OEM Managed Security Services (MSS) provide continuous 24/7 security support. System Security Utilize document encryption systems to encrypt all data and strictly control the decryption process. Adopt a combination of offline and online backups to ensure full and incremental backups of databases and server systems. Regular recovery tests are conducted to ensure data availability, integrity, and confidentiality. Deploy Continuous Data Protection (CDP) systems to take over business operations and recover or rebuild data in the event of a system failure. Data Security Conduct regular inspections of the computer room, equipped with environmental monitoring systems to monitor UPS power supply, cabinet temperature and humidity, lighting, and fire equipment. Any abnormalities are promptly reported through email or app notifications. The computer room is also under 24-hour video surveillance to ensure its security. Hardware Security 32 Developing the Group's information technology (IT) strategy in line with the Group's development strategy, including the formulation of IT plans and ensuring the implementation of IT initiatives across the Group. Promoting the implementation of IT initiatives within various units of the Group to enhance operational efficiency through the effective use of IT systems. Driving the digital transformation of the entire Group, progressively achieving digitization, process automation, and intelligent operations. Establishing an IT security system for the Group, overseeing and guiding information security measures within each unit to ensure information security throughout the Group. Establishing a software product development system to gradually transform internally developed IT systems into commercial products. Establishing a system for optimizing business processes within the Group, promoting continuous improvement of operational efficiency across all units. Environmental, Social and Governance Report 2023 The United Laboratories International Holdings Limited