Information Security Risk Management

Information Security Assurance Statement

To maintain customer information security and implement information risk management, and to meet the service requirements for system security urgency, immediacy, and thoroughness, SKS's 24-hour control center has passed ISO 9001 Quality Management System Certification and ISO 27001 Information Security Management Certification. The Company follows the NIST framework principles of Identify, Protect, Detect, Respond, and Recover to ensure the confidentiality and security of information and to prevent information attacks.

Additionally, SKS has established the Information Systems and Related Equipment Disaster Recovery Plan. This establishes preventive measures and recovery plans for incidents such as power system faults, communication line failures, host equipment and system damage, malware intrusions, hacker break-ins, and human factors. Disaster recovery drills are held periodically, and important data is backed up and stored off-site to protect customer data and maintain normal information management operations, thereby providing secure and efficient customer services.

Taiwan Shin Kong Security Co., Ltd., President

ISO 9001 & ISO 27001 Certifications

In 2024, there were no information security incidents that had a material impact on the Company's finances, involved data breaches, or affected customer trade secrets or personal information.

Risk Management Structure of Information Security

SKS has established the Information Security Promotion Committee to review and promote matters related to information security management. The Committee reports regularly to the Board of Directors on the Company’s information security governance. The most recent report was made on December 12, 2024.

The Information Security Promotion Committee has a management representative who is also the chairman of the Committee. This role is filled by the Chief Information Security Officer. The Committee members are the heads of implementation and supporting units, and internal and external experts and consultants may be appointed for assistance in accordance with the Company's operational and management needs.

Additionally, the Information Security Working Team, made up of information security representatives from each department, is established under the Information Security Promotion Committee to oversee the planning and implementation of information security operations. The Information Security Audit Team is also established; it formulates and implements the information security audit plans for internal units (including subsidiaries) and suppliers, and tracks the correction of deficiencies.


Information Security Policy

Establish awareness of information security among all employees, and maintain the confidentiality, integrity and availability of customer information through operational management and technical means, to ensure the privacy of customer information, enhance the security of corporate and supply-chain information, and ensure public trust, thereby strengthening SKS’s brand value.

Comply with regulations on information security management, and provide appropriate protection measures for our information assets, to ensure their confidentiality, integrity, availability and legal compliance.

Regularly evaluate the impact of all artificial and natural disasters on our information assets, and formulate disaster prevention and recovery plans for our critical information assets and business-critical operations, to ensure the continuity of our business operations.

Supervise employee implementation of information security protection, establish the concept of “information security is everyone’s responsibility”, and raise awareness of information security among all departments and personnel.

Require all employees and vendors connected to the Company’s information and communication system or providing services to comply with SKS's information security-related regulations. In case of violations, penalties will be imposed in accordance with the SKS regulations and contracts, depending on the circumstances, and serious cases will be subject to legal action.