To enhance the information security management and to reduce security risks, Snowbridge has established and implemented an information security management system since May 2021 and in October of the same year obtained the ISO 27001:2013 information security management system certification, covering all of its operations.
- Cyber Security Management Act
- ISO/IEC 27001:2013, CNS 27001
To strengthen information security management and to demonstrate the importance that the highest levels of management place on information security, this policy shall be aligned with Snowbridge’s future business directions and integrated into the daily operations of each Snowbridge department. Snowbridge will also provide appropriate resources to meet the requirements and performance targets of the ISMS and to define clear corporate information security responsibilities, thereby ensuring the effectiveness of information security management and continuous improvement in areas that do not meet the standards.
Areas of Applicability
- This policy applies to Snowbridge’s appointees, employees, hired, contracted, temporary, and dispatched personnel, agencies that have access to Snowbridge’s information security operations, as well as vendors and third-party personnel that provide services to Snowbridge.
- The implementation scope of the Information Security Management System (ISMS) covers all information security matters arising from Snowbridge’s various business processes.
- This policy shall be approved by the Chief Executive Officer.
- Management shall actively participate in information security-related activities and provide support for information security operations.
- Management shall be responsible for supervising the implementation of this policy as well as related regulations and performance, while also publishing and communicating them to all employees and relevant external parties.
- In addition to employees, all external personnel, outsourced service providers, visitors, and any other users who have access to business data shall also comply with this policy and its related regulations.
- Employees and outsourced service providers are responsible for reporting information security incidents or vulnerabilities and helping to address them through appropriate notification mechanisms.
- Employees shall comply with laws and regulations, as well as Snowbridge’s information security guidelines, and are obligated to participate in various information security education training organized by Snowbridge.
- Employees shall be knowledgeable of Snowbridge’s information security policy, their expected contribution to the information security management system, and possible consequences resulting from the failure to comply with information security management system requirements.
- Any action that endangers information security will be handled in accordance with Snowbridge’s relevant regulations, according to the severity of the situation.
- Continuous improvement shall be achieved through the implementation of improvement measures for the information security management system.
Objectives of Information Security
To align the information security objectives with the information security policy, the following measurable risk assessment items have been established as criteria:
- Confidentiality: To ensure that information to be protected is guarded against unauthorized access or unintentional leakage.
- Integrity: To ensure that information content and processing methods are correct and consistent.
- Availability: To ensure that authorized users can access information and make use of the equipment when they need to.
- Regulatory Compliance: To ensure that the content of the information to be protected complies with legal and regulatory requirements.
Review of Information Security Policy
- This policy is reviewed annually and may be adjusted as necessary to meet the latest developments in laws, technology, and business to ensure the effectiveness of the information security practices.
- This policy has been approved by the Executive Director and shall be effective on the day of its announcement. Applicable personnel shall be notified of the policy in writing, electronically, or by other means. The policy shall be made available to relevant stakeholders when applicable, as well as when amended.