Information Security Statement
Kway Information Co., Ltd. (hereinafter referred to as “the Company”) has established this Information Security Policy to strengthen information security management and safeguard the Company’s assets—including information, software, hardware, technical services, and personnel—against external threats or improper internal management and use that may result in tampering, disclosure, destruction, or loss.
This policy ensures that the confidentiality, integrity, availability, accountability, and security requirements of the Company’s data, systems, equipment, and network assets are met, and serves as a basis for compliance.
Information Security Policy Commitments
- Governance Structure – Establish an Information Security Steering Committee, Information Security Implementation Task Force, and Information Security Audit Team to ensure the effectiveness of the Company’s information security management operations.
- Asset Management and Risk Control – Maintain an inventory of information assets, conduct risk assessments, and implement control measures to effectively mitigate risks that exceed acceptable levels.
- Responsibilities and Obligations – All employees, contractors, outsourced vendors and their subcontractors, as well as visitors, who use the Company’s information resources to provide services or perform related tasks, are responsible for safeguarding the information assets they obtain or use, preventing unauthorized access, tampering, destruction, or improper disclosure.
- Business Continuity – Develop a Business Continuity Plan (BCP), conduct regular drills, and adjust and update the plan continuously in alignment with business development and organizational changes.
- Secure IT Environment – Establish a safe and reliable information system environment to ensure the Company’s sustainable business operations.
- Confidentiality of Customer Data – Treat all customer and member information as business confidential data; personnel handling such information must adhere to their authorized permissions and not exceed them.
- Compliance and Awareness – All Company personnel must comply with legal requirements and the Company’s information security policies. Supervisors are responsible for overseeing policy implementation and reinforcing employees’ awareness of information security and regulatory compliance.
- Continuous Improvement – Information security is the shared responsibility of all personnel. Through ongoing review and improvement, the Company will ensure that its information security framework continues to evolve and strengthen.
Information Security Objectives
(1) Core Objectives
The Company is committed to safeguarding the confidentiality, integrity, and availability of its information assets, as well as protecting customer data privacy. Through the joint efforts of all employees, the following objectives are pursued:
- Protect business information from unauthorized access or modification to ensure its accuracy and integrity.
- Establish a dedicated information security organization responsible for formulating, promoting, implementing, evaluating, and improving information security management, thereby ensuring a secure environment that supports uninterrupted business operations.
- Conduct information security education and training to raise employee awareness and reinforce their understanding of related responsibilities.
- Implement an information security risk assessment mechanism to enhance the effectiveness and timeliness of information security management.
- Enforce an internal information security audit system to ensure proper implementation of information security management practices.
- Ensure all business activities comply with applicable laws and regulations.
(2) Measurement and Review
Information security performance indicators shall be measured according to the planned schedule to verify their effectiveness, reviewed and approved during management review meetings, and examined or revised at least once annually.
Specific Management Measures:
- This policy shall be evaluated at least once a year to reflect the latest developments in government regulations, technology, and business operations, ensuring the effectiveness of practical information security measures.
- The policy takes effect upon issuance and shall be communicated in written, electronic, or other appropriate forms to employees, contractors, outsourced vendors, and their subcontractors.
- All departments must strictly comply with this policy. Any confirmed violation will be handled in accordance with relevant regulations, considering the severity of the incident.
Implementation Status
1. Information Security Governance:
- Appointment of one Information Security Officer and one Information Security Specialist.
- Convening two Information Security Implementation Task Force meetings annually to review and approve security-related policies for submission to top management.
- Annual execution of information security training, phishing simulation exercises, and business impact analysis drills.
- Participation in the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC) incident reporting and information sharing mechanism.
2. Self-Assessment:
- The 2024 (Year 113) internal self-assessment was completed on June 6, 2025 (Year 114), with a follow-up internal audit scheduled for completion by July 31, 2025.
3. Certification:
- The Company obtained ISO/IEC 27001:2013 Information Security Management Systems certification on August 26, 2022 (Year 111), valid until August 25, 2025 (Year 114).