SDGs:
- 3: GOOD HEALTH AND WELL-BEING
- 8: DECENT WORK AND ECONOMIC GROWTH
- 12: RESPONSIBLE CONSUMPTION AND PRODUCTION
- 17: PARTNERSHIPS FOR THE GOALS
One of the key characteristics of the department store industry is its large and diverse customer base. As of December 2023, SKM has amassed 3.55 million members. The vast amount of data from customer purchases and vendor transactions requires stringent protection. In response to our growing number of department stores and expanding scale, SKM established a dedicated information security unit in 2023, meticulously adhering to domestic laws and policies regarding data collection, access, and usage. Following guidelines set forth by competent authorities, we formulated the SKM Personal Information Protection & Management Guidelines, which were approved and implemented by the board of directors.
Information Security Project Organization
SKM has around 3.55 million members. Our large volume of consumer data and company transaction data must be strictly protected. Because we value information security, we set up the "chief security officer" position and relevant special units as early as 2018, based on the FSC's "Regulations Governing Establishment of Internal Control Systems by Public Companies" amended at the end of 2021, taking the lead in the department store industry. To handle SKM's security situation effectively and comprehensively, we hold at least one information security review meeting every year and monthly security control meetings to present information security reports and review the strategies and performance of information security management. The chief security officer is the convener of the security control meeting, and the members are the directors of each unit. In addition, we have set up different teams with different duties to promote the information security system.
SKM Information Security Governance Framework
The Department of Security and Surveillance completed the Cybersecurity Advancement Framework on August 5, 2019. Since then, the department has reviewed and amended the framework annually to ensure a robust information security protection mechanism at SKM. In addition, SKM amended security management procedures for outsourced services in 2021, requiring all information-related vendors to add the revised Confidentiality Agreement and Information Security Agreement to existing contracts as part of efforts to regulate the responsibilities and obligations of SKM and suppliers in information security.
To enhance system resilience and strengthen SKM's information security framework, we have continued to implement key management measures. These include updating practices to align with the revised ISO 27001 Information Security Management System and ISO 27701 Privacy Information Management System, providing ongoing education and training on information security, conducting phishing email (social engineering) drills, and performing both internal and external audits. Additionally, we have carried out personal data inventories and risk evaluation training to mitigate the risk of data breaches.
As of 2024, the scope of ISO 27001 and ISO 27701 certification now includes the headquarters and 15 stores. This aims to further enhance and fully implement information security management, customer privacy, and personal data protection, creating a trustworthy and secure shopping environment for customers.

Eight Guidelines for Information Security Progress
- Adopt international information security standards
- Maintain external consultants
- Promote SKM's information security policies
- Establish internal organizations for information security & risk management
- Formulate emergency response guidelines for information security incidents
- Improve external information security tests and offense/defense exercises
- Maintain employees' information security defense capabilities
- Assess information security insurance
Outcomes from Annual Audit & Security Protection
To achieve sustainable operations, SKM established an information security organization, compiled information security policies, and developed an information security system. Every year, SKM compiles an annual audit plan, creates an Information Security Audit Checklist, and works with an external third-party organization to conduct a comprehensive assessment. We strive to ensure that we are effectively enforcing existing information security and customer privacy management systems or responding immediately to potential risks and leaks with corrective measures in compliance with internal information security management standards and regulatory requirements. The goal is to safeguard data, information systems, equipment, and networks to ensure normal operations and prevent any internal or external incidents or threats. This commitment aims to protect consumers, employees, and partner vendors.
2024 Information Security Audit Implementation
Internal Audits
- June 2024: Commissioned KPMG Advisory Services to conduct the annual internal ISO 27001 and ISO 27701 audit
External Audits
- July 2024: SGS Taiwan conducted the annual ISO 27001 and ISO 27701 verification
2022-2024 Audit Results
| Year | Internal Audits | External Audits |
|---|---|---|
| 2022 | Uncovered 0 secondary deficiency(ies), 14 item(s) for further monitoring, and 7 recommendation(s) | Uncovered 1 secondary deficiency(ies), 11 item(s) for further monitoring, and 0 recommendation(s) |
| 2023 | Uncovered 0 secondary deficiency(ies), 24 item(s) for further monitoring, and 19 recommendation(s) | Uncovered 1 secondary deficiency(ies), 18 item(s) for further monitoring, and 5 recommendation(s) |
| 2024 | Uncovered 0 secondary deficiency(ies), 92 item(s) for further monitoring, and 12 recommendation(s) | Uncovered 5 secondary deficiency(ies), 55 item(s) for further monitoring, and 0 recommendation(s) |
- Note: All items have been remediated.