Information Security Policy and Management

GRI 2-23, 418-1;
SASB TC-SI-220, 230, 550

As a leading enterprise in Taiwan’s IT service industry, SYSTEX attaches great importance to the protection of stakeholders and addresses information security risks and personal privacy issues. In accordance with ISO 27001 and other information security-related ISO standards, we integrate internal cross-divisional information capabilities to establish the “Information Security Protection Team” and set up an information security management system. The Information Security Protection Team is responsible for formulating the “SYSTEX Information Security Policy”, the Information Security Management Measures, and other information security-related regulations, and for ensuring the implementation of information security rules and regulations, training courses, and control and defense actions.

In terms of customer rights protection, SYSTEX provides complete IT service procedures covering provision, construction, management and operation. The services provided by SYSTEX are regulated by the “Information Security Confidentiality Agreement” and the “E-commerce Processing of Personal Data”. As a result, no violations of customer privacy were identified in 2022. Meanwhile, SYSTEX did not receive any requests for customer information from government or law enforcement agencies in 2022.

Information Security Management Structure

To ensure that the information security management mechanism complies with international standards, SYSTEX Group has passed third-party audits and received the following information security-related and quality-related ISO certifications.

  • SYSTEX CORPORATION
    - ISO 9001: Valid period 2021/12/12~2024/12/11
    - ISO 22301: Valid period 2023/5/24~2026/5/23
    - ISO 27001 (DMIS): Valid period 2022/1/1~2024/12/31
    - ISO 27001 (Data Center): Valid period 2021/5/3~2024/5/2
    - ISO 27001 (Electronic Invoice System): Valid period 2022/7/8~2025/7/7
    - BS 10012: Valid period 2021/1/29~2024/1/30
  • SYSTEX SOFTWARE & SERVICE CORPORATION
    - ISO 27001: Valid period 2020/8/25~2023/8/25
  • SYSPOWER CORPORATION
    - ISO 27001: Valid period 2020/8/28~2023/8/27
  • CONCORD SYSTEM MANAGEMENT CORP.
    - ISO 27001: Valid period 2021/9/7~2024/9/7
  • SYSTEX SOLUTIONS CORPORATION
    - ISO 20000-1: Valid period 2022/1/11~2025/1/11
    - ISO 27001 (MOC Data Center): Valid period 2023/6/3~2025/10/31
    - ISO 27701: Valid period 2022/1/6~2025/1/6
  • TAIFON COMPUTER CO.
    - ISO 27001: Valid period 2021/1/6~2024/1/5
  • TAIWAN INFORMATION SERVICE TECHNOLOGY CO.
    - ISO 27001: Valid period 2023/7/2~2025/10/31
    - ISO 27701: Valid period 2023/7/2~2025/10/31
  • UNIXECURE CORPORATION
    - ISO 27001: Valid period 2023/6/3~2025/10/31
    - ISO 27701: Valid period 2023/6/3~2025/10/31

SYSTEX continues to strengthen information security management to ensure the security of data, systems, equipment and networks, as well as regulatory compliance, customer rights and personal information protection. Going forward, the information security-related services launched by SYSTEX Group will continue to be certified under ISO 27001 in order to improve information security service capabilities.

Licenses and Certificates

In line with ISO 27001 standards, SYSTEX builds its information security system around confidentiality, integrity and availability, ensuring effective information security risk management. SYSTEX not only obtains company-level ISO certifications, but also actively encourages employees to learn more and obtain information security-related certificates such as ISO 9001, ISO 20000-1, ISO 27001, ISO 27701, ISO 22301, BS 10012, CISSP, CSSLP, CISM, EDRP, CEH, and CFHI. As a result, SYSTEX had accumulated a total of 501 information security-related licenses and certificates as of the end of 2022.

  • 154: Information security licenses newly obtained by employees in 2022
  • 501: Cumulative information security licenses and certificates held by employees
Dedicated Management Unit

The Crisis Resolution Team for information security protection is responsible for information security risks and supports the resolution of information security and personal information incidents. Meanwhile, each business unit that has introduced ISO 27001 has set up an Information Security Task Force Committee to provide consultancy, technical services and information security training courses, establish an information security risk management framework, and formulate information security policies and specific management plans.

The Information Security Protection Team holds regular meetings to check whether any information security incidents have occurred, assess possible risks and negative impacts, and propose improvement plans. SYSTEX conducts risk assessments and related reviews every 6 months. In 2022, no high-risk items were found through continuous risk assessment. Meanwhile, the mid- and low-risk items were handed over to the relevant operating units for processing and were included in follow-up tracking and reporting operations.

Incidents Solution Responsibility

The team continues to assist the front-line units with digital forensics, including digital evidence preservation, identification, collection, acquisition, examination, inspection and forensic analysis.

  • Assist the front-line units to collect digital evidence in the shortest time
  • Investigate and evaluate the scope and severity of personal information infringement incidents
  • Consider whether to invite external consultants and digital forensics experts to assist with solution processing
Information Security Management Mechanisms
Information Security Incidents

The security events that occurred in 2022 were blocked by the anti-virus system during user browsing, and no attack actually landed; alternatively, under the defense-in-depth security control mechanism, no event met the condition for internal activation of crisis resolution. In 2022, no data leakage events were identified.

Major Incidents Solution Process

When an incident is reported, SYSTEX initiates a contingency operation to investigate the incident, confirm the impact and propose a solution, and then performs the recovery operations and records them.

Incidents Level

Information Security Technology and Control
Customer Privacy and Data Protection

SYSTEX has established personal data protection specifications and conducts personal information security incident drills every year to ensure its crisis resolution ability. Additionally, SYSTEX has implemented a personal data protection management system, conducts related protection audits and has obtained BS 10012 certification. All services provided by SYSTEX are also regulated by the “Information Security Confidentiality Agreement” and the “E-commerce Processing of Personal Data”. As a result, no violations of customer privacy were reported or identified in 2022.

Regular Crisis Resolution Drill

In order to enhance its crisis resolution ability, the “Crisis Resolution Team of Information Security Protection” has set up 5 types of drills and conducts one or two drills of each type every year. In 2022, all 5 types of drills were completed, more than 40 external on-site audits were conducted, and more than 400 responses to external audit questionnaires were completed.

[Social Engineering Drills] In order to enhance employees’ awareness of e-mail safety, SYSTEX conducts drills twice a year. The malicious email click-through rates of the 2 drills were far lower than the standards of 8% and 6%, showing an improvement in information security awareness.

  • [2022 H1] 4,356 test accounts: Malicious Email Open Rate 7.78%; Malicious Email Click-through Rate 0.51%
  • [2022 H2] 4,451 test accounts: Malicious Email Open Rate 4.85%; Malicious Email Click-through Rate 0.09%

[Data Center Disaster Prevention Drills] SYSTEX simulates a fire scenario in the data center as a testing data center drill and practices the corresponding responses, such as evacuating to a sheltered staging site and reporting the disaster situation to the unit supervisor and crisis resolution team leader. In addition, data center users conduct weekly inspections of the data center for fire protection, temperature, monitors, etc., and record the results on the management website, so that the types and locations of abnormal findings can be counted and managed.

2022 Performance

Information Security Upgrade Plan

SYSTEX continued to promote the “Information Security Upgrade Plan” in 2022, including “introduction of intrusion detection and defense systems, comprehensive import and update of credentials, and 46 website vulnerability scanning operations”, to improve information security protection capabilities. At present, the team has already completed the 2023 drill schedule for “social engineering drills, testing data center disaster prevention and vulnerability scanning”.

Information Security Training Courses

In order to strengthen employees’ awareness of information security, SYSTEX continued to carry out information security-related training courses in 2022.

  • Information Security advocacy and test for employees: a total of 7,200 people were trained
  • Personal data protection and test for employees: a total of 7,191 people were trained
  • Information Security online general course for employees (3 hours): a total of 3,867 people were trained, with a total of 11,601 hours
  • Information Security online professional course for employees (9 hours): a total of 237 people were trained, with a total of 2,133 hours
  • Information Security in-class seed-training course for employees (26 lessons): a total of 874 people were trained, with a total of 9,278 hours