Information Security
Information Security Policy & Purpose
In the face of business competition and globalization, information security and the protection of operational data are important cornerstones for sustainable development and maintaining core competitiveness. To ensure the stability, security, and availability of information systems, TCC is committed to strengthening information security management mechanisms and defense capabilities, establishing a secure and reliable computerized operating environment, ensuring the security of systems, data, equipment, and networks to protect the Company's important information assets and ensure the normal operation of information systems.
The Scope and Target of Information Security
Applicable to all domestic and overseas subsidiaries and other entities under TCC’s effective control, and applying to every site employee and any outsourced, contracted, or dispatched vendor with access to internal information.
Information Security Management Framework
Establish an information security management system and cross-departmental information security committee
In 2020, TCC established and implemented an information security management system based on the ISO/IEC 27001:2013 international standard, adopting the PDCA cycle operation model. The President convened and formed a cross-departmental Information Security Management Committee, which meets annually to review the effectiveness of information security planning and implementation, make key decisions, and coordinate the necessary resource allocation. In 2024, it was elevated to a functional committee that reports to the BOD. The committee comprises three independent directors, including Ruu-Tian Chang, who brings expertise in cybersecurity and AI.
Information Security Management Team
Under the Information Security Management Committee, an Information Security Management Team is established, which is mainly responsible for planning, establishing, implementing, maintaining, reviewing, and continuously improving the information security management system, and reporting related issues to the Information Security Management Committee.
Regular reviews and reporting
The Information Security Management Team regularly meets to review implementation and annually reports the results and reviews to the Board of Directors.
Strengthen information security system
On April 11, 2022, the Board of Directors resolved and announced the establishment of the Chief Information Security Officer position and the Information Security Department. The Department consists of five members, 100% of whom hold four internationally recognized information security certifications. Their primary responsibilities include the overall information security structure, managing operations and monitoring, and handling internal and external information security incident response and investigation for the TCC Group. They regularly report work progress to the Chief Information Security Officer, who in turn reports to the Chairman and President of TCC Group. In response to the development of AI, TCC has referred to the Bletchley Declaration and the Frontier AI Safety Commitments, and has been closely following the outcomes of the AI Action Summit to continuously improve and refine its AI policy.
Performance
- Taiwan and Mainland China cement operations, subsidiaries OYAK CEMENT, and Molicel have obtained ISO 27001 certification.
- Zero critical information security incidents occurred in 2024.
- TCC requires 100% of new recruits worldwide to sign an information-security declaration. It also occasionally holds expert courses and distributes security policies and protective measures to enhance cybersecurity awareness among all employees. CIMPOR augments these efforts with CyberReady automated training and six SOC-led sessions each year for high-risk staff. Employee information security education and training reached 3,259 hours and 3,555 participants in 2024.
- In 2024, a total of 11 information security health checks and 16 social engineering drills were completed, recording an overall violation rate of 2 percent. TCC maintains a management target of keeping violations below 3 percent.
Information Security Objectives and Management Program
Information Security Objectives
- Maintain the stability of TCC Group Holdings' business operations, avoiding operational losses caused by system interruptions or other information security incidents.
- Implement appropriate protective measures for sensitive data such as TCC Group Holdings' trade secrets to minimize the impact and risk of information security incidents including damage, theft, leakage, tampering, misuse, and infringement.
- Continuously enhance the confidentiality, integrity, and availability of various information assets within the TCC Group Holdings.
Management Program
- TCC has established Information Business Continuity Plans at all sites to keep critical systems running and restore operations quickly after a disaster or unexpected event. To validate each plan, sites in Taiwan and Mainland China test it at least every six months, while OYAK CEMENT and CIMPOR test at least once a year, continually sharpening response capabilities and execution.
- In 2024, TCC has five dedicated information security personnel and 30 information security support team members. Regular information security education, training, and social engineering drills are conducted to raise awareness among all TCC Group members, ensuring that all employees develop a strong sense of security responsibility.
- In 2024, a total of 44 weekly security meetings, 8 monthly security meetings, and 4 quarterly security meetings were held to discuss security tool applications, the current status of security projects, and security personnel allocation.
Information Security Control Measures
TCC Group Holdings has established the TCC Group Information Security Policy, which is available in the "Investors - Company Regulations" section.
