IKKA Holdings (Cayman) Limited Taiwan Branch obtained the SGS ISO/IEC 27001:2022 certificate in 2025, valid from 23 February 2025 to 23 February 2028.

Information Security Management for the Year 2025

I. Information Security Risk Management Framework

  • (1) The Administrative Department is the unit responsible for information security within the Company. It has appointed one Information Security Manager and one Information Security Officer, who formulate the Company's information security policies, plan information security measures, carry out the related information security operations, and regularly report the state of the Company's information security governance to the Board of Directors. The most recent report was submitted on 28 January 2026.
  • (2) The Audit Office is the unit that supervises information security. It employs an Audit Manager and dedicated audit personnel who monitor internal information security implementation. Where an audit identifies deficiencies, the audited unit is immediately required to submit an improvement plan, which is reported to the Board of Directors, and progress on the improvement is tracked regularly to reduce internal information security risk. The annual information systems audit performed by certified public accountants likewise requires corrective action for any deficiencies found, with the outcome of the corrections tracked afterwards.

II. Information Security Policy

"The foundation of information development is security; security safeguards information operations."
  • Strengthen the Company's information security management by establishing the principle that "security underpins information development; security safeguards information operations". This protects the confidentiality, integrity and availability of customer and staff data throughout the data processing lifecycle, so that the Company can deliver secure, stable and efficient information services.

III. Specific Management Plan

  • (1) Computer Equipment Security Management
    1. The Company's computer mainframes, application servers and other equipment are housed in dedicated server rooms. Access control systems with entry logging have been installed at the entrances to these rooms, replacing easily duplicated magnetic key fobs and providing an audit trail of who entered and when.
    2. The server room has an independent air conditioning system that keeps the equipment within an appropriate temperature and humidity range (room temperature controlled between 26–28°C, humidity between 30%–80%). CO₂ fire extinguishers, suitable for both ordinary combustion and electrical-equipment fires, are also provided.
  • (2) Cybersecurity Management
    1. Network controls are strengthened by deploying enterprise-grade firewalls at every external network access point to block unauthorised intrusion.
    2. Staff who need remote access to company intranet data must apply for a database VPN account. Remote access is permitted only over the VPN, and all VPN usage is logged for audit.
  • (3) Virus Protection and Management
    1. Endpoint protection software is installed on both servers and staff computers, with virus definitions updated automatically so that newly identified malware is blocked. The software also detects and prevents the installation of potentially harmful system executables.
    2. The email server has email antivirus and spam filtering, so that viruses and spam are stopped before they reach users' PCs.
    3. When the anti-virus system detects or intercepts a virus, it immediately quarantines or removes it. It also generates risk reports for infected or compromised computers, so that administrators can take appropriate countermeasures.
  • (4) System Access Control
    1. Staff access to application systems is granted through the Company's internal system permission application procedure. After approval by the responsible supervisor, the Information Security Officer commissions the external vendor to create the system account, and access is granted only for the functions that were requested.
    2. Passwords must meet the specified length and complexity requirements, including a mix of letters, digits and special symbols, before they are accepted.
    3. On completing resignation or retirement procedures, employees must coordinate with the Administration Department so that all of their system accounts are deleted.
  • (5) Ensuring Continuous System Operation
    1. System backup: A remote backup system with a daily backup mechanism has been established. In addition to the copy uploaded to the remote backup site, one copy each of the system and the database is retained in the computer room, so that both on-site and off-site copies exist.
    2. Disaster recovery drills: Each system is drilled once a year. A restore point date is selected, data is restored from the backup media onto the system host, and the user department confirms in writing that the restored data is accurate, which verifies that the backup media are correct and usable.
  • (6) Cybersecurity Awareness and Training
    1. Regular awareness sessions: All staff receive at least three hours of information security incident awareness training each year.
    2. Seminar-based training: Information security education and training courses are delivered to internal staff from time to time throughout the year.
  • (7) The Company's information security officers and personnel have joined the Information Software Association of the Republic of China, and through exchanges within its Chief Information Security Officers' networking group they continue to acquire relevant knowledge and experience.

IV. Resources allocated to information security management

To implement our information security policy, the company has allocated resources as follows:

  • (1) Network hardware equipment such as firewalls, managed network switches, Wi-Fi devices with application visibility and control, email antivirus, spam filtering, and web usage analytics.
  • (2) Software systems including Active Directory domain controllers, backup management software, VPN authentication with logging and monitoring, identity management and security functions, and information protection and access control mechanisms.
  • (3) Telecommunications services such as intrusion prevention and intrusion detection services.
  • (4) Manpower investment: Outsourced vendors responsible for system status checks, monthly backups with off-site media storage, annual disaster recovery drills, cybersecurity awareness training, and coordination with internal audits, the accountants' information-cycle reviews, and external certification bodies.
  • (5) Cost allocation: Outsourced vendor maintenance fees, certification consultancy fees, and external certification fees amounting to approximately NT$500,000–550,000.
  • (6) Information security personnel: One Information Security Manager and one Information Security Officer, two personnel in total. Their responsibilities include information security architecture design, security operations and monitoring, incident response and investigation, and review and revision of the information security policy.

V. 2026 Annual Work Plan

The Taiwan Branch began implementing the ISO 27001 Information Security Management System procedures in 2024. It obtained SGS ISO/IEC 27001:2022 certification in February 2025, valid from 23 February 2025 to 23 February 2028. The surveillance (follow-up) audit was successfully completed on 8 January 2026.