Information Security Policy and Management

As a leading enterprise in Taiwan’s information service industry, SYSTEX attaches great importance to protecting its stakeholders and to addressing information security (IS) risk and personal privacy issues. In accordance with ISO 27001 and other IS-related ISO standards, we integrate cross-divisional internal information capabilities to establish the “IS Protection Team” and set up an IS management system. The IS Protection Team is responsible for promoting IS management policies, related rules and actions, and for implementing IS-related training courses.

In terms of customer rights protection, SYSTEX provides a complete information service procedure covering provision, construction, management and operation. The services provided by SYSTEX are governed by the “Information Security Confidentiality Agreement” and the “E-commerce Processing of Personal Data” rules. As a result, no violations of customer privacy were identified in 2021.

To ensure that the IS management mechanism complies with international standards, SYSTEX Group has passed third-party IS-related and quality-related ISO certifications including ISO 27001, ISO 9001, ISO 22301 and BS 10012. [SYSTEX: ISO 9001, ISO 27001 (DMIS, Data Center), ISO 22301 and BS 10012; SYSTEX SOFTWARE & SERVICE CORPORATION: ISO 27001; SYSPOWER: ISO 27001; CONCORD SYSTEM MANAGEMENT: ISO 27001; SYSTEX SOLUTIONS: ISO 27001; TAIFON COMPUTER: ISO 27001; TAIWAN INFORMATION SERVICE TECHNOLOGY: ISO 27001] At the same time, we continue to strengthen IS management to ensure the security of data, systems, equipment and networks, as well as regulatory compliance, customer rights and personal information protection. Going forward, the IS-related services launched by SYSTEX Group will continue to be certified under ISO 27001, so as to improve our information security service capabilities.


Information Security Management Mechanisms


Information Security Incidents

The security events that occurred in 2021 were blocked by the anti-virus system while users were browsing, and no attack actually landed; the remaining events were contained by the defense-in-depth security controls, and none met the condition for internal activation of crisis resolution. No data leakage events were identified in 2021.

Major Incidents Solution Process

When a notification is received, SYSTEX initiates its contingency procedure: investigate the incident, confirm its impact and propose a solution, then carry out the recovery operations and record them.

External Audits

In line with ISO 27001, SYSTEX builds the confidentiality, integrity and availability of its IS systems and ensures effective IS risk management. SYSTEX not only maintains company-level ISO certifications but also actively encourages employees to learn more and obtain IS-related certificates. As a result, a total of 392 ISO-related certificates have been accumulated.

Customer Privacy and Data Protection

SYSTEX has established personal data protection specifications and conducts personal data IS incident drills every year to ensure crisis resolution capability. Additionally, SYSTEX has implemented a personal data protection management system, undergoes a related protection audit and holds BS 10012 certification. All services provided by SYSTEX are also governed by the “Information Security Confidentiality Agreement” and the “E-commerce Processing of Personal Data” rules. As a result, no violations of customer privacy were identified in 2021.


Regular Crisis Resolution Drill

To strengthen crisis resolution capability, the “Crisis Resolution Team of IS Protection” has defined 5 types of drills and conducts one or two drills of each type every year. In 2021, all 5 types of drills were completed, more than 20 external on-site audits were conducted, and 145 responses to external audit questionnaires were completed.

Taking social engineering drills as an example, SYSTEX conducts them twice a year. The click-through rate (CTR) on the simulated malicious emails in both 2021 drills was far below the 6% pass threshold, showing improved IS awareness. The team has already completed the 2022 drill schedule for “social engineering drills, data center disaster prevention testing and vulnerability scanning”.

Another example is the data center disaster prevention drill. SYSTEX simulates a fire in the data center and rehearses the corresponding responses, such as evacuating to a sheltered staging site and reporting the situation to the unit supervisor and the crisis resolution team leader. In addition, data center users conduct weekly inspections of fire protection, temperature, monitoring equipment, etc., and record the results on the management website, so that the types and locations of abnormal inspection findings can be counted and managed.

IS Upgrade Plan

In 2021, SYSTEX continued to promote the “IS Upgrade Plan”, which includes “Outlook email system upgrade, SOC defense upgrade and construction of own SESC email protection”, to improve information security protection capabilities.

Item Detail
Upgrade the Group Outlook email system
  • Provide highly secure, large-capacity mailboxes to improve employee productivity
  • Migrate all email to the cloud via Office 365 for SYSTEX Group Taiwan employees
  • Complete the Exchange Hybrid Deployment architecture and the on-premises Exchange Server 2016 host for SYSTEX Group in Taiwan
Upgrade Cyber Center defense
  • 94% of SYSTEX Group’s network devices have been onboarded to Cyber Center defense
Construct own SESC email protection
  • Strengthen detection of “Business Email Compromise”
  • SESC has been introduced to 14 affiliates of SYSTEX Group and continues to be rolled out across the whole Group

The Crisis Resolution Team for IS Protection is responsible for information security risks and supports the resolution of IS and personal information incidents. Meanwhile, each business unit that has adopted ISO 27001 has set up an IS Task Force Committee to provide consultancy, technical services and IS training courses, establish an information security risk management framework, and formulate information security policies and specific management plans.

The IS Protection Team holds regular meetings to check whether IS incidents have occurred and to assess possible risks and negative impacts in order to propose improvement plans. SYSTEX conducts risk assessments and related reviews every 6 months. In 2021, no high-risk items were found through continuous risk assessment; medium- and low-risk items were handed over to the relevant operating units for treatment and included in follow-up tracking and reporting.

Incidents Solution Responsibility

The team continues to assist front-line units with “Digital Forensics”, including digital evidence preservation, identification, collection, acquisition, examination, inspection and forensic analysis.

  • Assist the front-line units to collect digital evidence in the shortest time
  • Investigate and evaluate the scope and severity of personal information infringement incidents
  • Consider whether to invite external consultants and digital forensics experts to assist with solution processing


To strengthen employees’ awareness of information security, SYSTEX continued to carry out information security-related training courses in 2021.

  • Information Security advocacy and test for employees: a total of 6,742 people were trained
  • Information Security online general course for employees: a total of 3,486 people were trained, with a total of 10,458 hours
  • Information Security online professional course for employees: a total of 375 people were trained, with a total of 3,375 hours
  • Information Security in-class seed-training course for employees: a total of 1,135 people were trained, with a total of 15,503 hours