Security Policy
Our company is committed to maintaining the security of its operational environment and serving its clients with the utmost dedication. Beyond implementing essential information security controls, we aim to ensure the security of all data and processing activities. We continuously strengthen information security management to enhance the confidentiality, integrity, and availability of critical personal and transactional information, thereby improving the quality of our services. The following outlines our information security declaration:
- Organizational Commitment
  An appropriate organization is established to implement information security management, ensuring compliance with applicable laws and regulations and maintaining the regular operation of the information security management system.
- Work Assignment and Segregation of Duties
  Job assignments should consider the division of responsibilities, and duties must be clearly defined to prevent unauthorized modification or misuse of information or services.
- Employee Responsibilities
  All personnel utilizing company information to provide services or execute project work are responsible for protecting the company’s information assets. This includes preventing unauthorized access, modification, destruction, or inappropriate disclosure.
- Customer Data Protection
  All personnel are obligated to protect customer information, including transactional and basic data. Unauthorized access, use, or disclosure to unrelated colleagues, vendors, or other customers is strictly prohibited.
- Physical Security
  Strengthen the physical security of IT environments, such as data center access control and air conditioning, to prevent unauthorized access, damage, or accidental disasters that could disrupt operations.
- Network Security
  Employees are prohibited from connecting external networks to the internal network without authorization. Necessary security measures must be in place to safeguard internal and external network communications.
- System Development Security
  Security mechanisms should be considered during the initial phases of system development. For outsourced development, security controls and contractual requirements must be strengthened. System development, modification, and deployment must comply with information security management standards.
- Information Security Event Reporting
  All personnel must remain vigilant to potential security events, vulnerabilities, and violations of the information security management system or procedures and report them promptly in accordance with established protocols.
- Business Continuity Planning
  A business continuity plan must be established based on operational needs, tested regularly, and maintained to ensure its applicability.
- Information Security Objectives
  Information security objectives are developed based on the security policy and organizational responsibilities, reviewed by the Information Security Committee, and implemented accordingly.
  These objectives must address confidentiality, integrity, and availability, aligning with the requirements of the security policy.
- Policy Review
  This policy is reviewed at least annually by the highest-ranking officer of the company’s information security organization to ensure alignment with the latest laws, technology, and business developments, maintaining the effectiveness of information security practices.
- Compliance
  Matters not covered by this policy are governed by applicable laws and company regulations.
- Approval and Amendments
  This policy is implemented with the approval of the Chief Information Security Officer (CISO). Amendments follow the same approval process.