IKKA Holdings (Cayman) Limited Taiwan Branch obtained an SGS ISO/IEC 27001:2022 certificate in 2025, valid from 2/23/2025 to 2/23/2028.

1、 Information and Communications Security Risk Management Framework

  1. The unit responsible for information security in our company is the Administration Department, which has one information security supervisor and one information security staff member. They are responsible for formulating the company's information security policy, planning information security measures, carrying out related information security operations, and reporting to the company regularly. They also report to the board of directors on the company's information security governance; the most recent report was made on December 25, 2024.
  2. The company's Audit Department is the unit that supervises information security. It has an audit supervisor and full-time audit personnel who monitor the implementation of internal information security. If an audit finds deficiencies, the audited unit is immediately required to propose an improvement plan, which is reported to the board of directors, and the improvement results are tracked regularly to reduce internal information security risk. The CPAs also audit information operations every year; any deficiencies found lead to requested improvement measures, and the results are tracked.

2、 Information Security Policy

「Security is the foundation of information development; security is the guarantee of information operations」
  • Strengthen the company's information security management and establish the principle that "security is the foundation of information development; security is the guarantee of information operations". Ensure the confidentiality, integrity and availability of customer and colleague data throughout all of the company's data processing, so that the company's data processing is protected end to end and the company can provide safe, stable and efficient information services.

3、 Institutional Management Program

  1. Computer equipment security management
    1. The company's computer hosts, application servers and other equipment are all installed in a dedicated computer room. Access to the computer room is controlled by proximity card, and entry and exit records are retained for inspection.
    2. The computer room has independent air conditioning to keep the equipment at an appropriate temperature, and chemical fire extinguishers are placed in the room to handle general fires and electrical fires.
  2. Network Security Management
    1. Strengthen network control by deploying an enterprise-grade firewall at the boundary with the external network to block unauthorized intrusion.
    2. Colleagues who need to log in to the company intranet remotely to access data must apply for a VPN account and connect through the secure VPN. Usage records are retained for audit.
  3. Virus protection and management
    1. Endpoint protection software is installed on servers and on employee computers. Virus definitions are updated automatically so that the latest malware can be blocked, and the software also detects and prevents the installation of potentially malicious system executables.
    2. The email server has anti-virus and spam filtering mechanisms to prevent viruses and spam from reaching users' PCs.
    3. The anti-virus system not only immediately quarantines or deletes the malware it detects or intercepts, but also proactively issues risk reports on infected and at-risk computers so that administrators can take appropriate action.
  4. System access control
    1. Colleagues' use of each application system is subject to the system permission application procedure stipulated by the company. After approval by the responsible supervisor, the information security staff ask the outsourcing vendor to create the system account and grant only the functional permissions that were requested.
    2. Account passwords must meet the required length and strength and must contain a mix of letters, digits and special symbols to be accepted.
    3. When colleagues go through the resignation (or retirement) procedure, the Administration Department deletes their accounts in every system.
  5. Ensure the continuous operation of the system
    1. System backup: An offsite backup system has been established with a daily backup mechanism. In addition to the copy of the system and database uploaded to the offsite backup, a copy is also retained in the computer room, so that both a local and an offsite copy exist.
    2. Disaster recovery drills: Each system is drilled once a year. A restoration reference date is chosen, the backup media is restored onto the system host, and the user unit then confirms in writing that the restored data is correct, which verifies the correctness and effectiveness of the backup media.
  6. Information security promotion and education training
    1. Regular promotion: Colleagues are required to change their system passwords regularly to maintain account security.
    2. Lectures and promotion: Information security education and training courses are held for internal colleagues at irregular intervals each year.
  7. Our company's information security supervisor and staff have joined the Taiwan Information Software Association and gain relevant new knowledge and experience through exchanges at the Information Security Chief Association.

4、 Resources Invested in Information Security Management

  • To implement the information security policy, our Taiwan branch signed a contract on November 1, 2024 with a professional outsourcing company for the reconfiguration of the computer room and regular IT maintenance. Reconfiguring the computer room to improve and upgrade the current IT equipment requires a new investment of NT$250,000; maintaining the following information security controls and assisting with the introduction of the ISO 27001 (ISMS) framework requires a monthly maintenance fee of NT$25,000. The total investment is NT$550,000, made to satisfy the controls checked in information security inspections:
  1. Network hardware, such as firewalls, managed network switches, Wi-Fi devices with application visibility and control, email anti-virus, spam filtering, online behavior analysis, etc.
  2. Software systems, such as the Active Directory domain controller, backup management software, VPN authentication with logging and monitoring, identity management and security functions, and information protection and access control mechanisms.
  3. Telecommunication services, such as intrusion prevention services and intrusion detection services.
  4. Human resources, such as daily system status checks, weekly backups with offsite storage of the backup media, annual information security education courses, annual system disaster recovery drills, the annual internal audit of the information cycle, and CPA audits.
  5. Information security manpower: two personnel are appointed, one information security supervisor and one information security staff member, responsible for information security architecture design, information security maintenance and monitoring, information security incident response and investigation, and review and revision of the information security policy.
  6. On December 10, 2024, an ICT security management review meeting was held to confirm the feasibility of the ICT security maintenance plan and ensure its effective implementation.