Information Security Policy and Management

GRI 2-23, 418-1;
SASB TC-SI-220, 230, 550

As a leading enterprise in Taiwan’s IT service industry, SYSTEX attaches great importance to the protection of stakeholders and to resolving Information Security risk and personal privacy issues. In accordance with ISO 27001 and other Information Security-related ISO standards, we integrate internal cross-divisional information capabilities to establish the “Information Security Protection Team” and set up an Information Security management system. The Information Security Protection Team is responsible for formulating the “SYSTEX Information Security Policy”, the Information Security Management Measures and other Information Security-related regulations, and for ensuring the implementation of Information Security-related rules and regulations, Information Security-related training courses, and Information Security-related control and defense actions.

In terms of customer rights protection, SYSTEX provides a complete IT service procedure covering provision, construction, management and operation. The services provided by SYSTEX are regulated by the “Information Security Confidentiality Agreement” and are subject to the “E-commerce Processing of Personal Data”. As a result, no violations of customer privacy were identified in 2022. Meanwhile, SYSTEX did not receive any requests for customer information from government or law enforcement agencies in 2023.

Information Security Management Structure

To ensure that the Information Security management mechanism complies with international standards, SYSTEX Group has passed third-party audits and received the following Information Security-related and quality-related ISO certifications.

  • SYSTEX CORPORATION
    ISO 9001 (DMIS): Valid period 2021/12/12-2024/12/11
    ISO 22301 (DMIS): Valid period 2023/5/24-2026/5/23
    ISO 27001 (DMIS): Valid period 2022/1/1-2024/12/31
    ISO 27001: 2022 (Data Center): Valid period 2024/5/3-2027/5/2
    ISO 27001 (Electronic Invoice System): Valid period 2022/7/8-2025/7/7
    BS 10012 (DMIS): Valid period 2024/1/31-2027/1/30
    PCI-DSS: Valid period 2023/12/29-2024/12/28
  • SYSTEX SOFTWARE & SERVICE CORPORATION
    ISO/IEC 27001: 2022 (UKAS): Valid period 2024/10/27-2026/8/25
    ISO/IEC 27701: 2019: Valid period 2024/11/21-2026/8/25
  • TOP INFORMATION TECHNOLOGIES CO.
    ISO/IEC 27001: 2022 (UKAS): Valid period 2024/8/16-2027/8/16
  • SYSPOWER CORPORATION
    ISO/IEC 27001: 2022: Valid period 2023/8/28-2026/8/27
  • SOFTMOBILE TECHNOLOGY CORPORATION
    ISO/IEC 27001: 2022: Valid period 2024/9/26-2027/9/25
  • CONCORD SYSTEM MANAGEMENT CORP.
    ISO/IEC 27001: 2022: Valid period 2024/9/7-2027/9/7
  • SYSTEX SOLUTIONS CORPORATION
    ISO 20000-1 (MOC Data Center): Valid period 2022/1/11-2025/1/11
    CNS 27001: 2023 (TAF): Valid period 2024/7/8-2027/7/8
    ISO/IEC 27001: 2022 (UKAS): Valid period 2024/7/8-2027/7/8
    ISO/IEC 27701: 2019: Valid period 2024/10/1-2027/7/8
  • TAIFON COMPUTER CO.
    ISO/IEC 27001: 2013: Valid period 2024/1/6-2025/10/31
  • E-SERVICE INFORMATION Co.
    ISO/IEC 27001: 2022: Valid period 2024/9/12-2027/9/11
  • TAIWAN INFORMATION SERVICE TECHNOLOGY CO.
    CNS 27001: 2023 (ISO/IEC 27001: 2022) (TAF): Valid period 2023/7/2-2026/7/1
    ISO/IEC 27001: 2022 (DAKKS): Valid period 2023/7/2-2026/7/1
    ISO/IEC 27701: 2019: Valid period 2023/7/2-2026/7/1
  • UNIXECURE CORPORATION
    ISO/IEC 27001: 2013 (TAF): Valid period 2023/6/3-2025/10/31
    ISO/IEC 27001: 2013 (UKAS): Valid period 2023/6/3-2025/10/31
    ISO/IEC 27701: 2019: Valid period 2023/6/3-2025/10/31

SYSTEX continues to strengthen Information Security management to ensure the security of data, systems, equipment and networks, as well as regulatory compliance, customer rights and personal information protection. Going forward, the Information Security-related services launched by SYSTEX Group will continue to be certified under ISO 27001, so as to improve information security service capabilities.

Licenses and Certificates

In line with ISO 27001 standards, SYSTEX builds the confidentiality, integrity and availability of its Information Security system, ensuring the effectiveness of Information Security risk management. SYSTEX not only obtains company-level ISO certifications, but also actively encourages employees to learn more and obtain Information Security-related certificates; in 2023, employees newly obtained a total of 114 Information Security-related licenses and certificates (including ISO 27001, ISO 22301, CCSP, CISSP, CISM, CEH and CND). By the end of 2023, SYSTEX employees held a total of 522 Information Security-related licenses and certificates.

Key figures: 114 Information Security licenses newly obtained by employees in 2023; 522 cumulative Information Security licenses and certificates held by employees.

Dedicated Management Unit

In the face of information security promotion and risk management issues, SYSTEX established the “Information Security Technology Department” in December 2023 as the dedicated information security management unit. The “Crisis Resolution Team for information security events”, a task organization unit under the Risk Management Committee, is responsible for regularly reporting the implementation effectiveness of information security to the Committee. Additionally, the “Information Security Taskforce Committee,” consisting of approximately 15 members, offers consulting and technical services to each BU of SYSTEX Group and provides information security education and training on information security management; it held a total of 12 meetings in 2023. In addition to group-wide information security management, the “Information Security Technology Department” also assists BUs that have introduced ISO 27001 with information security and personal information incident handling. Each BU that has implemented ISO 27001 has established its own information security management committee to create its information security implementation framework and formulate management plans.

SYSTEX holds regular meetings to check whether there have been Information Security incidents and to assess the possible risks and negative impacts in order to propose improvement plans. Meanwhile, SYSTEX conducts risk assessments and related reviews every 6 months. In 2023, no high-risk projects were found through continuous risk assessment. The medium- and low-risk projects were handed over to the relevant operating units according to the control adjustment, and were included in subsequent tracking and reporting operations.

Incidents Solution Responsibility

Responsibilities include continuing to assist front-line units with “Digital Forensics”, including digital evidence preservation, identification, collection, acquisition, examination, inspection and forensic analysis.

  • Assist the front-line units to collect digital evidence in the shortest time
  • Investigate and evaluate the scope and severity of personal information infringement incidents
  • Consider whether to invite external consultants and digital forensics experts to assist with solution processing

Information Security Management Mechanisms

Information Security Incidents

The security events that occurred in 2023 were blocked by the anti-virus system during user browsing, and no attack actually landed; or, under the defense-in-depth security control mechanism, no event met the condition for internal activation of the crisis resolution process. In 2023, no data leakage events were identified.

Major Incidents Solution Process

When a notification is received, SYSTEX initiates a contingency operation to investigate the incident, confirm the impact and propose a solution, and then performs the recovery operations and records them.

Incidents Level

Information Security Technology and Control
Customer Privacy and Data Protection

SYSTEX has established personal data protection specifications and conducts personal information security incident drills every year to ensure crisis resolution capability. Additionally, SYSTEX has implemented a personal data protection management system, conducted the related protection audit and obtained BS 10012 certification. All services provided by SYSTEX are also regulated by the “Information Security Confidentiality Agreement” and the “SYSTEX Personal Data Protection Rules,” and a dedicated privacy complaint email address has been set up. As a result, no violations of customer privacy were reported or identified in 2023.

To cope with the differences in the industry characteristics of each company, each of the affiliates has established its own related regulations according to the Personal Information Protection Act and the Information Security Management Act, to protect the rights and interests of customers. In 2023, a total of 7,834 persons passed the personal data protection advocacy test for employees.

Regular Crisis Resolution Drill

In order to enhance crisis resolution capability, the “Information Security Technology Department” has formulated 5 types of drills and conducts each drill once or twice a year. In 2023, all 5 types of drills were completed, more than 50 on-site supplier information security audits from customers were carried out, and more than 700 external audit questionnaires were completed. Taking social engineering drills as an example, SYSTEX conducts them twice a year; the malicious email click-through rate in both drills was far lower than the standards of 8% and 6%, showing the improvement in information security awareness. At present, the Department has already completed the 2024 drill schedule for “social engineering drills, testing data center disaster prevention and vulnerability scanning”.

[Social Engineering Drills] In order to enhance employees’ awareness of e-mail safety, SYSTEX conducts drills twice a year. As a result, the malicious email click-through rate in both drills was far lower than the standards of 8% and 6%, showing the improvement in information security awareness.

  • [2023 H1] 4,549 test accounts: Malicious Email Open Rate 8%; Malicious Email Click-through Rate 1.17%
  • [2023 H2] 4,770 test accounts: Malicious Email Open Rate 7.21%; Malicious Email Click-through Rate 0.25%

[Data Center Disaster Prevention Drills] SYSTEX simulates a fire scenario in the data center as the testing data center drill and carries out the corresponding responses, such as simulated evacuation to a sheltered staging site and reporting the disaster situation to the unit supervisor and the crisis resolution team leader. In addition, data center users conduct weekly data center inspections covering fire protection, temperature, monitors, etc., and fill in the inspection records on the management website, so that the types and locations of abnormal safety inspection findings can be counted and managed.

2023 Performance

Item: Social engineering
Frequency: Twice a year
Target: SYSTEX and its affiliates in Taiwan
Detail:
  2023.05 [H1]
  • Conducted a drill on 4,549 email accounts. Those who failed were arranged for information security education and training.
  • Malicious email open rate: 8%, passing the standard of 8%.*1
  • Malicious email click-through rate: 1.17%, passing the standard of 6%.*1
  2023.11 [H2]
  • Conducted a drill on 4,770 email accounts. Those who failed were arranged for information security education and training.
  • Malicious email open rate: 7.21%, passing the standard of 8%.*1
  • Malicious email click-through rate: 0.25%, passing the standard of 6%.*1

Item: Information security
Frequency: Twice a year
Target: SYSTEX information systems, websites and computers
Detail:
  • 2023.04 Financial Business BI data leakage drill
  • 2023.10 Financial Business BI data leakage drill

Item: Vulnerability scanning
Frequency: Twice a year
Target: SYSTEX information systems and websites
Detail:
  • 2023.05 1st vulnerability scanning
  • 2023.11 2nd vulnerability scanning

Item: Testing data center disaster prevention
Frequency: Twice a year
Target: All testing data centers
Detail:
  • 2023.05 Data center fire drill
  • 2023.11 Data center fire drill

Item: System recovery
Frequency: Once a year
Target: All information systems
Detail:
  • 26 system recovery drills, with an achievement rate of 100%

*1 Note: The drills are conducted in accordance with the provisions of the “Regulations on the Notification and Response of Cyber Security Incident” and the “Social Engineering Implementation Plan for Preventing Malicious Email”.

Information Security Upgrade Plan

In 2023, SYSTEX continued to advance the “Group Information Security Improvement Program,” implementing projects including “SSDLC Construction,” “Upgrading of External Information Security Evaluation Ratings,” and “Enhancing the Complexity of Social Engineering Drills with a testing method of 3 Sample Drill Letters per person.” In addition, the “Information Security Technology Department” was established in 2023 as a specialized body staffed with Information Security Specialized Personnel.

Information Security Training Courses

In order to strengthen employees’ awareness of information security, SYSTEX continues to carry out information security-related training courses in 2023.

  • Information Security advocacy and test for employees: a total of 7,818 persons were trained
  • Personal data protection and test for employees: a total of 7,834 persons were trained
  • Information Security online general course for employees (3 hours): a total of 4,339 persons were trained, with a total of 13,017 hours
  • Information Security online professional course for employees (9 hours): a total of 149 persons were trained, with a total of 1,341 hours
  • Information Security in-class seed-training course for employees (38 lessons): a total of 885 persons were trained, with a total of 10,893 hours

Key figures (2023): advocacy and test for employees: 7,818 persons (Information Security) and 7,834 persons (Personal Data Protection); Information Security online general course for employees (3 hours): 4,339 persons, 13,017 hours; Information Security online professional course for employees (9 hours): 149 persons, 1,341 hours; Information Security in-class seed-training course for employees (38 lessons): 852 persons, 10,893 hours.