Privacy protection and information security

SDGs:

  • 3: Good Health and Well-Being
  • 8: Decent Work and Economic Growth
  • 17: Partnerships for the Goals

One of the key characteristics of the department store industry is its large and diverse customer base. As of December 2023, SKM had amassed 3.55 million members. The vast amount of data from customer purchases and vendor transactions requires stringent protection. In response to our growing number of department stores and expanding scale, SKM established a dedicated information security unit in 2023, meticulously adhering to domestic laws and policies regarding data collection, access, and usage. Following guidelines set forth by the competent authorities, we formulated the SKM Personal Information Protection & Management Guidelines, which were approved and implemented by the board of directors.

Information Security Project Organization

SKM has around 3.55 million members. Our large volume of consumer data and company transaction data must be strictly protected. Because we value information security, we set up the "chief security officer" position and the relevant dedicated units as early as 2018, ahead of the FSC's "Regulations Governing Establishment of Internal Control Systems by Public Companies" amended at the end of 2021, taking the lead in the department store industry. To handle SKM's security situation effectively and comprehensively, we hold at least one information security review meeting every year and monthly security control meetings, at which information security reports are presented and the strategies and performance of information security management are reviewed. The chief security officer is the convener of the security control meeting, and its members are the directors of each unit. In addition, we have set up teams with distinct duties to promote the information security system.


SKM Information Security Governance Framework

The Department of Security and Surveillance completed the Cybersecurity Advancement Framework on August 5, 2019. Since then, the department has reviewed and amended the framework annually to ensure a robust information security protection mechanism at SKM. In addition, SKM amended its security management procedures for outsourced services in 2021, requiring all information-related vendors to add the revised Confidentiality Agreement and Information Security Agreement to their existing contracts, as part of efforts to define the responsibilities and obligations of SKM and its suppliers in information security. To strengthen system resilience and SKM's information security protection network, we continued to implement management measures such as updating practices to comply with the revised ISO 27001 Information Security Management Systems standard, providing 2,035 hours of education and training on information security, organizing four phishing email (social engineering) drills, and conducting internal and external audits to reduce the risk of data breaches.

Eight Guidelines for Information Security Progress

  • 01: Adopt international information security standards
  • 02: Maintain external consultants
  • 03: Promote SKM’s information security policies
  • 04: Established internal organizations for information security & risk management
  • 05: Formulated emergency response guidelines for information security incidents
  • 06: Improve external information security tests and offense / defense exercises
  • 07: Maintain employees’ information security defense capabilities
  • 08: Assess information security insurance

Outcomes from Annual Audit & Security Protection

To achieve sustainable operations, SKM established an information security organization, compiled information security policies, and developed an information security system. Every year, SKM compiles an annual audit plan, creates an Information Security Audit Checklist, and works with an external third-party organization to conduct a comprehensive assessment. We strive to ensure that existing information security and customer privacy management systems are enforced effectively, and that potential risks and leaks are met immediately with corrective measures, in compliance with internal information security management standards and regulatory requirements. The goal is to safeguard data, information systems, equipment, and networks so that operations continue normally and internal or external incidents and threats are prevented. This commitment is meant to protect consumers, employees, and partner vendors.

2023 Audits

Internal Audits
  • June 2023: Commissioned KPMG Advisory Services to conduct the annual internal ISO 27001 and ISO 27701 audit
External Audits
  • July 2023: SGS Taiwan conducted the annual ISO 27001 and ISO 27701 verification

2021-2023 Audit Results

2021
  • Internal audits: uncovered 0 secondary deficiencies, 23 items for further monitoring, and 8 recommendations
  • External audits: uncovered 1 secondary deficiency, 8 items for further monitoring, and 0 recommendations

2022
  • Internal audits: uncovered 0 secondary deficiencies, 14 items for further monitoring, and 7 recommendations
  • External audits: uncovered 1 secondary deficiency, 11 items for further monitoring, and 0 recommendations

2023
  • Internal audits: uncovered 0 secondary deficiencies, 24 items for further monitoring, and 19 recommendations
  • External audits: uncovered 1 secondary deficiency, 18 items for further monitoring, and 5 recommendations

  • Note: All items have been remediated, except for one that is tracked as an internal issue and is scheduled to be fully remediated by September 2024.