Information Security Policy and Management

GRI 2-23, 418-1;
SASB TC-SI-220, 230, 550

As a leading enterprise in Taiwan’s IT service industry, SYSTEX attaches great importance to protecting its stakeholders and addressing Information Security risk and personal privacy issues. In accordance with ISO 27001 and other Information Security-related ISO standards, we integrate internal cross-divisional information capabilities to establish the “Information Security Protection Team” and set up an Information Security management system. The Information Security Protection Team is responsible for formulating the “SYSTEX Information Security Policy”, the Information Security Management Measures, and other Information Security-related regulations, and for ensuring the implementation of Information Security-related rules and regulations, training courses, and control and defense actions.

In terms of customer rights protection, SYSTEX has established comprehensive procedures covering service delivery, system construction, and operational management. All services are governed by the Information Security Confidentiality Agreement and the SYSTEX Personal Data Protection Rules. No legal violations of customer privacy were reported or identified in 2024. Meanwhile, SYSTEX did not receive any requests for customer information from government or law enforcement agencies in 2024.

Information Security Management Structure

To ensure that the Information Security management mechanism complies with international standards, SYSTEX Group has passed third-party audits and received the following Information Security-related and quality-related ISO certifications.

  • SYSTEX CORPORATION
    ISO 9001 (DMIS): Valid period 2024/12/12-2027/12/11
    ISO 22301 (DMIS): Valid period 2023/5/24-2026/5/23
    ISO/IEC 27001: 2022: Valid period 2025/1/5-2028/1/4
    ISO/IEC 27001: 2022 (DMIS): Valid period 2025/1/1-2027/12/31
    ISO/IEC 27001: 2022 (Data Center): Valid period 2024/5/3-2027/5/2
    BS 10012 (DMIS): Valid period 2024/1/31-2027/1/30
    PCI-DSS: Valid period 2024/12/29-2025/12/28
  • SYSTEX SOFTWARE & SERVICE CORPORATION
    ISO/IEC 27001: 2022 (UKAS): Valid period 2024/10/27-2026/8/25
    ISO/IEC 27701: 2019: Valid period 2024/11/21-2026/8/25
  • TOP INFORMATION TECHNOLOGIES CO.
    ISO/IEC 27001: 2022 (UKAS): Valid period 2024/8/16-2027/8/16
  • SYSPOWER CORPORATION
    ISO/IEC 27001: 2022: Valid period 2023/8/28-2026/8/27
    ISO/IEC 27701: 2019: Valid period 2025/7/1-2028/6/30
  • SOFTMOBILE TECHNOLOGY CORPORATION
    ISO/IEC 27001: 2022: Valid period 2024/9/26-2027/9/25
  • CONCORD SYSTEM MANAGEMENT CORP.
    ISO/IEC 27001: 2022 (UKAS): Valid period 2024/9/7-2027/9/7
  • SYSTEX SOLUTIONS CORPORATION
    CNS 27001: 2023 (TAF): Valid period 2025/6/11-2027/7/8
    ISO/IEC 27001: 2022 (UKAS): Valid period 2025/6/11-2027/7/8
    ISO/IEC 27701: 2019: Valid period 2025/6/11-2027/7/8
  • TAIFON COMPUTER CO.
    ISO/IEC 27001: 2013: Valid period 2024/1/6-2025/10/31
  • E-SERVICE INFORMATION Co.
    ISO/IEC 27001: 2022: Valid period 2024/9/12-2027/9/11
  • TAIWAN INFORMATION SERVICE TECHNOLOGY CO.
    CNS 27001: 2023 (ISO/IEC 27001: 2022) (TAF): Valid period 2023/7/2-2026/7/1
    ISO/IEC 27001: 2022 (DAKKS): Valid period 2023/7/2-2026/7/1
    ISO/IEC 27701: 2019: Valid period 2023/7/2-2026/7/1
  • UNIXECURE CORPORATION
    ISO/IEC 20000-1: 2018: Valid period 2025/2/4-2028/1/11
    ISO/IEC 27001: 2022 (TAF): Valid period 2025/1/6-2028/1/6
    ISO/IEC 27001: 2022 (UKAS): Valid period 2025/1/6-2028/1/6
    ISO/IEC 27701: 2019 (UKAS): Valid period 2025/1/6-2028/1/6
  • CARESYS INFORMATION INC.
    ISO/IEC 27001: 2022 (TAF): Valid period 2024/4/30-2027/4/29

SYSTEX continues to strengthen Information Security management to ensure the security of data, systems, equipment and networks, as well as regulatory compliance, customer rights and personal information protection. Going forward, the Information Security-related services launched by SYSTEX Group will continue to be certified under ISO 27001, so as to improve information security service capabilities.

Licenses and Certificates

In line with ISO 27001 standards, SYSTEX builds its Information Security system on confidentiality, integrity and availability, ensuring the effectiveness of Information Security risk management. SYSTEX not only conducts company-level ISO certifications, but also actively encourages employees to learn more and obtain Information Security-related certificates: 148 Information Security-related licenses and certificates were newly obtained in 2024 (including ISO 27001, ISO 22301, CCSP, CISSP, CISM, CEH, and CND, etc.). By the end of 2024, SYSTEX employees held a total of 586 Information Security-related licenses and certificates.

[Figure: 148 Information Security licenses and certificates newly obtained by employees in 2024; 586 cumulative Information Security licenses and certificates held by employees]

Dedicated Management Unit

To address information security promotion and risk management issues, SYSTEX established the “Information Security Technology Department” in December 2023 as its dedicated information security management unit. The “Crisis Resolution Team for information security events” serves as the task organization unit under the Risk Management Committee and is responsible for regularly reporting the implementation effectiveness of information security to the Committee. Additionally, the “Information Security Taskforce Committee,” consisting of approximately 15 members, offers consulting and technical services to each Business Unit of SYSTEX Group, provides education and training on information security management, and held a total of 12 meetings in 2024. In addition to group-wide information security management, the “Information Security Technology Department” also assists with information security and personal information incident handling for BUs that have introduced ISO 27001. Each Business Unit that has implemented ISO 27001 has established its own information security management committee to create its information security implementation framework and formulate management plans.

SYSTEX holds regular meetings to check whether there have been Information Security incidents and to assess possible risks and negative impacts in order to propose improvement plans. Meanwhile, SYSTEX conducts risk assessments and related reviews every 6 months. In 2024, no high-risk projects were found through continuous risk assessment. Medium- and low-risk projects were handed over to the relevant operating units according to the control adjustments, and were included in subsequent tracking and reporting operations.

Incidents Solution Responsibility

The team continues to assist the front-line units with “Digital Forensics”, including digital evidence preservation, identification, collection, acquisition, examination, inspection and forensic analysis.

  • Assist the front-line units to collect digital evidence in the shortest time
  • Investigate and evaluate the scope and severity of personal information infringement incidents
  • Consider whether to invite external consultants and digital forensics experts to assist with solution processing
Information Security Management Mechanisms
Information Security Incidents

In 2024, the Information Security monitoring alerts that were detected were all intercepted by endpoint antivirus systems during user browsing, so no attack actually landed. Under the defense-in-depth security control framework, no incident met the threshold for internal activation of crisis resolution measures or for mandatory regulatory reporting. No confirmed data leakage incidents were reported in 2024.

Major Incident Response Procedure for MIS

Upon detection of major incidents by monitoring systems or data centers, SYSTEX activates a contingency response team to assess severity and scope, investigate and resolve the issue, execute recovery measures, and document the incident.

Information Security Technology and Control
Customer Privacy and Data Protection

SYSTEX has established personal data protection specifications and conducts annual IS incident drills to ensure crisis response capability. The company implements a comprehensive personal data protection mechanism, performs regular audits, and has obtained BS 10012 certification. SYSTEX established “SYSTEX Personal Data Protection Rules,” and set up a dedicated privacy complaint email. In 2024, there were no complaints received regarding customer privacy violations, nor were there any requests for customer data from government or law enforcement agencies.

To address differences in industry-specific characteristics across companies, each affiliate has established its own regulations in accordance with the Personal Information Protection Act and the Information Security Management Act to protect customer rights and interests. In 2024, a total of 7,867 participants successfully completed the personal data protection advocacy test.

Regular Crisis Resolution Drills

To strengthen crisis response, SYSTEX has defined 6 types of drills and conducts each drill once or twice a year. In 2024, all 6 types of drills were completed, more than 80 on-site supplier information security audits requested by customers were carried out, and more than 900 external audit questionnaires were completed. The team also facilitated ISO 27001 certification and internal audits of each Business Unit.

Taking social engineering drills as an example, SYSTEX conducts drills twice a year. The malicious email click-through rates of the 2 drills were far lower than the standards of 8% and 6%, showing the improvement in Information Security awareness. At present, the Department has already completed the 2025 drill schedule for “social engineering drills, testing data center disaster prevention and vulnerability scanning”.

[Social Engineering Drills] In order to enhance employees’ awareness of E-mail safety, SYSTEX conducts drills twice a year. The malicious email click-through rates of the 2 drills were far lower than the standards of 8% and 6%, showing the improvement in information security awareness.

  • [2024 H1] 3,928 test accounts: Malicious Email Open Rate 1.71% ; Malicious Email Click-through Rate 1.55%
  • [2024 H2] 4,095 test accounts: Malicious Email Open Rate 1.32% ; Malicious Email Click-through Rate 1.15%

[Data Center Disaster Prevention Drills] SYSTEX simulates a fire scenario in the data center as the testing data center drill and practices the corresponding responses, such as evacuating to a sheltered staging site and reporting the disaster situation to the unit supervisor and the crisis resolution team leader. In addition, data center users conduct weekly inspections of the data center covering fire protection, temperature, monitors, etc., and record the results on the management website, so that the types and locations of abnormal inspection findings can be counted and managed.

2024 Performance

Item: Social engineering
Frequency: Twice a year
Target: SYSTEX and its affiliates in Taiwan
Detail:
  2024.05 [H1]
  • Conduct a drill on 3,928 email accounts. Those who failed were arranged for information security education and training.
  • Malicious email open rate: 1.71%, passing the standard of 8%.*1
  • Malicious email click-through rate: 1.55%, passing the standard of 6%.*1
  2024.11 [H2]
  • Conduct a drill on 4,770 email accounts. Those who failed were arranged for information security education and training.
  • Malicious email open rate: 1.32%, passing the standard of 8%.*1
  • Malicious email click-through rate: 1.15%, passing the standard of 6%.*1

Item: Information security
Frequency: Twice a year
Target: SYSTEX information systems, websites and computers
Detail:
  • 2024.04 Financial Business BI data leakage drill
  • 2024.10 Financial Business BI data leakage drill

Item: Vulnerability scanning
Frequency: Twice a year
Target: SYSTEX information systems and websites
Detail:
  • 2024.05 1st vulnerability scanning
  • 2024.10 2nd vulnerability scanning

Item: Testing data center disaster prevention
Frequency: Twice a year
Target: All testing data centers
Detail:
  • 2024.03 Data center drill (fire)
  • 2024.11 Data center drill (earthquake)

Item: System recovery
Frequency: Once a year
Target: All public websites
Detail:
  • 2024.11, with a completion rate of 100%

Item: Business Continuity
Frequency: Once a year
Target: All shared information systems
Detail:
  • 2024.11, with a completion rate of 100%

*1 Note: The drills are conducted in accordance with the provisions of the “Regulations on the Notification and Response of Cyber Security Incident” and the “Social Engineering Implementation Plan for Preventing Malicious Email”.

Information Security Protection Highlights
  • External security rating (Security Scorecard) was upgraded from Level B to Level A.
  • External security rating (Bitsight) was upgraded from Basic to Intermediate.
  • Newly added an “Information Security Announcement Zone,” including the following 2 categories:
    • Monthly IS Bulletin
      Contents: Information security awareness, intellectual property protection, and prohibited software blacklist.
    • Threat Intelligence Sharing
      Sources: TWCERT/CC, FISAC, and online news.
  • The implementation schedule for several information security drills in 2025 has been finalized, including social engineering drills, disaster prevention, system recovery, and vulnerability scanning.
Information Security Training Courses

In order to strengthen employees’ awareness of information security, SYSTEX continued to carry out information security-related training courses in 2024.

  • Information Security advocacy and test for employees: A total of 7,876 participants were trained
  • Personal data protection and test for employees: A total of 7,867 participants were trained
  • Information Security online general course for employees (3 hours): A total of 4,682 participants were trained, with a total of 14,046 hours
  • Information Security online professional course for employees (9 hours): A total of 350 participants were trained, with a total of 3,150 hours
  • Information Security in-class seed-training course for employees: A total of 640 participants were trained, with a total of 8,281 hours

[Figure: 2024 training statistics. Advocacy and test for employees: 7,876 participants (Information Security), 7,867 participants (Personal Data Protection). Information Security online general course (3 hours): 4,682 participants, 14,046 hours. Information Security online professional course (9 hours): 350 participants, 3,150 hours. Information Security in-class seed-training course: 640 participants, 8,281 hours]