Information Security Policy and Management
SASB TC-SI-220, 230, 550
- Information Security
- Dedicated Management Unit
- Management Mechanisms & External Audits
- Information Security Technology & Control
- Training Courses
Information Security Policy and Management
As a leading enterprise in Taiwan’s IT service industry, SYSTEX attaches great importance to the protection of stakeholders, and resolves the Information Security risk and personal privacy issues. In accordance with ISO 27001 and other Information Security-related ISO standards, we integrate internal cross-divisional information capability to establish the “Information Security Protection Team” and set up a Information Security management system. The Information Security Protection Team is responsible for formulating the “SYSTEX Information Security Policy“, Information Security Management Measures, and other Information Security-related regulations, ensuring the implementation of Information Security-related rules and regulations, Information Security-related training courses, and Information Security-related control and defense actions.
In terms of customer right protection, SYSTEX provides a complete IT service procedure for the provision, construction, management and operation, etc. The services provided by SYSTEX are regulated by the “Information Security Confidentiality Agreement” and have an “E-commerce Processing of Personal Data”. As a result, no violations of customer privacy have been identified in 2022. Meanwhile, SYSTEX did not receive any requests for customer information from government or law enforcement agencies in 2023.
Information Security Management Structure
To ensure that the Information Security management mechanism in complied with international standards. We, SYSTEX Group, have passed and received the 3rd-party Information Security-related and quality-related ISO certifications.
- SYSTEX CORPORATION
.ISO 9001 (DMIS): Valid period 2021/12/12-2024/12/11
.ISO 22301 (DMIS): Valid period 2023/5/24-2026/5/23
.ISO 27001 (DMIS): Valid period 2022/1/1-2024/12/31
.ISO 27001: 2022 (Data Center): Valid period 2024/5/3-2027/5/2
.ISO 27001 (Electronic Invoice System): Valid period 2022/7/8-2025/7/7
.BS 10012 (DMIS): Valid period 2024/1/31-2027/1/30
.PCI-DSS: Valid period 2023/12/29-2024/12/28
- SYSTEX SOFTWARE & SERVICE CORPORATION
.ISO 27001: Valid period 2023/08/25-2025/10/31
.ISO 27701: Valid period 2023/12/6-2025/10/31
- TOP INFORMATION TECHNOLOGIES CO.
.ISO 27001: 2022: Valid period 2024/8/16-2027/8/16
- SYSPOWER CORPORATION
.ISO 27001: 2022: Valid period 2023/8/28-2026/8/27
- SOFTMOBILE TECHNOLOGY CORPORATION
.ISO 27001: 2022: Valid period 2024/9/26-2026/9/25
- CONCORD SYSTEM MANAGEMENT CORP.
.ISO 27001: 2022: Valid period 2024/9/7-2027/9/7
- SYSTEX SOLUTIONS CORPORATION
.ISO 20000-1 (MOC Data Center): Valid period 2022/1/11-2025/1/11
.CNS 27001: 2023 (TAF): Valid period 2024/7/8-2027/7/8
.ISO/IEC 27001: 2022 (UKAS): Valid period 2024/7/8-2027/7/8
.ISO/IEC 27701: 2019: Valid period 2024/10/1-2027/7/8
- TAIFON COMPUTER CO.
.ISO 27001: Valid period 2024/1/6-2025/10/31
- E-SERVICE INFORMATION Co.
.ISO 27001: 2022: Valid period 2024/9/12-2027/9/11
- TAIWAN INFORMATION SERVICE TECHNOLOGY CO.
.CNS 27001: 2023 (TAF): Valid period 2023/7/2-2025/10/31
.ISO 27001: 2022 (UKAS): Valid period 2023/7/2-2025/10/31
.ISO 27701: Valid period 2023/7/2-2025/10/31
- UNIXECURE CORPORATION
.ISO 27001 (TAF): Valid period 2023/6/3-2025/10/31
.ISO 27001 (UKAS): Valid period 2023/6/3-2025/10/31
.ISO 27701: Valid period 2023/6/3-2025/10/31
SYSTEX continues to strengthen the Information Security management to ensure information security of data, systems, equipment and network, as well as regulatory compliance, customer rights and personal information protection. Next, the Information Security-related services launched by STSTEX Group will continue to be certified by ISO 27001, so as to improve the information security service capabilities.
Licenses and Certificates
In line with ISO 27001 standards, SYSTEX constructs the confidentiality, integrity and availability of Information Security system, ensuring the efficiency of Information Security risk management. SYSTEX not only conducts company-level ISO certifications, but also actively encourages employees to learn more and obtain Information Security-related certificates, totaling 114 newly obtained Information Security-related licenses and certificates (including ISO 27001, ISO 22301, CCSP, CISSP, CISM, CEH, and CND, etc. By the end of 2023, SYSTEX employees have a total of 522 Information Security-related licenses and certificates..
2023 newly obtained Information Security Licenses of Employees
Cumulative Information Security Licenses and certificates of Employees
Dedicated Management Unit
In the face of information security promotion and risk management issues, SYSTEX has established the “Information Security Technology Department” in December 2023 as the dedicated information security management unit. The “Crisis Resolution Team for information security events” serves as the task organization unit under the Risk Management Committee, is responsible for regularly reporting the implementation effectiveness of information security to the Committee. Additionally, the “Information Security Taskforce Committee,” consisting of approximately 15 members, offers consulting and technical services to each BU of SYSTEX Group and provides information security education and training of information security management, having held a total of 12 meetings in 2023. In addition to the comprehensive SYSTEX Group’s information security management, the “Information Security Technology Department” also assists with information security and personal information incident handling for BUs that have introduced ISO 27001. Each BU that has implemented ISO 27001 has established its own information security management committee to create its information security implementation framework and formulate management plans.
SYSTEX holds regular meetings to check whether there has been Information Security incidents, assess the possible risks and negative impacts to propose improvement plans. Meanwhile, SYSTEX conducts risk assessments and related reviews every 6 months. In 2023, no high-risk projects were found through continuous risk assessment. The medium- and low-risk projects were handed over to relevant operating units according to the control adjustment, and were included in the subsequent tracking and reporting operations.
Incidents Solution Responsibility
Continue to assist the front-line unit in “Digital Forensics”, including digital evidence preservation, identification, collection, acquisition, examination, inspection and forensic analysis.
- Assist the front-line units to collect digital evidence in the shortest time
- Investigate and evaluate the scope and severity of personal information infringement incidents
- Consider whether to invite external consultants and digital forensics experts to assist with solution processing
Information Security Management Mechanisms
Information Security Incidents
The security events occurred in 2023 have been blocked by the anti-virus system during user browsing, and no real landing attacks occurred; Or under the defense-in-depth security control mechanism, no event met the condition for internal activation of the crisis resolution. In 2023, no data leakage events have been identified.
Information Security Management Mechanisms
Major Incidents Solution Process
When a notification occurs, SYSTEX initiates a contingency operation to investigate the incident, confirm the impact and propose a solution, and then performs the recovery operations and records them.
Incidents Level
Licenses and Certificates
In line with ISO 27001 standards, SYSTEX constructs the confidentiality, integrity and availability of Information Security system, ensuring the efficiency of Information Security risk management. SYSTEX not only conducts company-level ISO certifications, but also actively encourages employees to learn more and obtain Information Security-related certificates, totaling 114 newly obtained Information Security-related licenses and certificates (including ISO 27001, ISO 22301, CCSP, CISSP, CISM, CEH, and CND, etc. By the end of 2023, SYSTEX employees have a total of 522 Information Security-related licenses and certificates..
2023 newly obtained Information Security Licenses of Employees
Cumulative Information Security Licenses and certificates of Employees
Information Security Technology and Control
Customer Privacy and Data Protection
SYSTEX established personal data protection specifications and conducts personal Information Security incident drills every year to ensure the crisis resolution ability. Additionally, SYSTEX implements personal data protection management system, conducts a related protection audit and obtains BS 10012. All services provided by SYSTEX are also regulated by the “Information Security Confidentiality Agreement” and “SYSTEX Personal Data Protection Rules,” and sets dedicated privacy complaint email. As a result, no violations of customer privacy have been reported or identified in 2023.
To cope with the differences in the industry characteristics of each company, each of the affiliates has established its own related regulations according to the Personal Information Protection Act and the Information Security Management Act, to protect the rights and interests of customers. In 2023, a total of 7,834 To cope with the differences in the industry characteristics of each company, each of the affiliates has established its own related regulations according to the Personal Information Protection Act and the Information Security Management Act, to protect the rights and interests of customers. In 2023, a total of 7,834 persons passed the personal data protection advocacy test for employees.
Regular Crisis Resolution Drill
In order to enhance the crisis resolution ability, the “Information Security Technology Department” has formulated 5 types of drills and conducts each drill once or twice a year. In 2023, the 5 types of drills have been completed, more than 50 on-site supplier information security audits from customers have been carried out, and more than 700 external audit questionnaires have been completed. Taking social engineering drills as an example, SYSTEX conducts drills twice a year. As a result, the malicious email click-through rate of the 2 drills was far lower than the standard of 8% and 6%, showing the improvement in IS awareness. At present, the Department has already completed the drill schedule of “social engineering drills, testing data center disaster prevention and vulnerability scanning” in 2024.
[Social Engineering Drills] In order to enhance employees’ awareness of E-mail safety, SYSTEX conducts drills twice a year. As a result, the malicious email click-through rate of the 2 drills were far lower than the standard of 8% and 6%, showing the improvement of information security awareness.
- [2023 H1] 4,549 test accounts: Malicious Email Open Rate 8% ; Malicious Email Click-through Rate 1.17%
- [2023 H2] 4,770 test accounts: Malicious Email Open Rate 7.21% ; Malicious Email Click-through Rate 0.25%
[Data Center Disaster Prevention Drills] SYSTEX simulates the fire scenario in the data center as a testing data center drill, and makes corresponding responses, such as simulating evacuation to a sheltered staging site, reporting the disaster situation to the unit supervisor and crisis resolution team leader. In addition, the data center users will weekly conduct data center inspections for fire protection, temperature, monitors, etc., and fill in the inspection records on the management website, so as to count and manage the types and locations of abnormal security inspections.
2023 Performance
Item | Frequency | Target | Detail | |
Social engineering | Twice a year | SYSTEX and its affiliates in Taiwan | 2023.05 [H1] |
|
2023.11 [H2] |
|
|||
Information security | Twice a year | SYSTEX information systems, websites and computers |
|
|
Vulnerability scanning | Twice a year | SYSTEX information systems and websites |
|
|
Testing data center disaster prevention | Twice a year | All testing data centers |
|
|
System recovery | Once a year |
All information systems |
|
Note: The drill will be conducted in accordance with the provisions of the “Regulations on the Notification and Response of Cyber Security Incident” and the “Social Engineering Implementation Plan for Preventing Malicious Email”.
Information Security Upgrade Plan
In 2023, SYSTEX continues to advance the “Group Information Security Improvement Program,” implementing projects including “SSDLC Construction,” “Upgrading of External Information Security Evaluation Ratings,” and “Enhancing the Complexity of Social Engineering Drills with a testing method of 3 Sample Drill Letters per person.” In addition, the “Information Security Technology Department” was established in 2023 as a specialized body with Information Security Specialized Personnel.
Information Security Training Courses
In order to strengthen employees’ awareness of information security, SYSTEX continues to carry out information security-related training courses in 2023.
- Information Security advocacy and test for employees: a total of 7,818 persons were trained
- Personal data protection and test for employees: a total of 7,834 persons were trained
- Information Security online general course for employees (3 hours): a total of 4,339 persons were trained, with a total of 13,017 hours
- Information Security online professional course for employees (9 hours): a total of 149 persons were trained, with a total of 1,341 hours
- Information Security in-class seed-training course for employees (38 lessons): a total of 885 persons were trained, with a total of 10,893 hours
2023 advocacy and test for employees
Information Security
Personal Data Protection
2023 Information Security online general course for employees (3 hours)
2023 Information Security online professional course for employees (9 hours)
2023 Information Security in-class seed-training course for employees (38 lessons)