WIKA Beton's commitment to transparency and compliance with tax regulations is outlined in the Transfer Pricing Report, which serves as evidence that the company does not engage in transfer pricing practices. This aligns with national and international tax laws and regulations. In addition, the company's unwavering commitment to adhering to legal tax provisions is reflected in the WIKA Beton Code of Conduct, which serves as a guiding framework for our tax governance and corporate integrity practices.
As part of its commitment to strengthening integrity and good corporate governance, PT Wijaya Karya Beton Tbk conducted ISO 37001:2016 Anti-Bribery Management System (ABMS) Training on December 13, 2024. The ABMS training was held online via Zoom Meeting and facilitated by PT Sucofindo (Persero). Participants from various organizational levels attended, including Division Managers (BOD-1), Department Managers (BOD-2), as well as Supervisors and Staff. The training materials covered understanding ISO 37001:2016, related ABMS regulations, and the interpretation and implementation strategy of SNI ISO 37001:2016. Through this training, the Company strives to enhance internal capability in effectively preventing, detecting, and handling bribery practices.

| Description | Corruption or Bribery | Discrimination or Harassment | Customer Privacy Data | Conflicts of Interest | Money Laundering or Insider Trading |
|---|---|---|---|---|---|
| Reporting on breaches | 0 | 0 | 0 | 0 | 0 |

There were two reports of alleged violations received in the system during the 2024 period. After the reports were verified by the FKAP Team, both were followed up on, with the investigation results concluding that no violation was found and no further action through additional investigation was necessary.
PT WIKA Beton implements information security governance that is overseen directly by the Board of Commissioners through the Steering Committee. Steering Committee meetings are held quarterly to discuss various aspects of information security, including risk evaluation and incident management. A summary of the Steering Committee's activities and decisions is published internally to demonstrate transparency to stakeholders.
Executive responsibility for information security rests with the Director in charge of Information Technology (IT). The Director responsible for IT develops information security policies, conducts ongoing risk monitoring, and submits periodic reports to the Board of Directors and the Board of Commissioners through the Steering Committee.
PT WIKA Beton conducts routine monitoring of its systems and networks to detect potential information security threats early. When an incident occurs, the company implements incident response procedures that include identification, reporting, mitigation, and system recovery to ensure the safe return of services.
Each incident handled serves as the basis for ongoing mitigation and evaluation. These efforts ensure that cyber threat protection is always updated and adapted to technological developments and the latest attack patterns.
PT WIKA Beton (Persero) understands that information is a strategic asset that must be protected from various threats, both internal and external to the company. Therefore, WIKA Beton implements an Information Security Management System (ISMS) based on the international standard ISO/IEC 27001. Through the ISMS, WIKA Beton establishes a General Information Technology Governance Policy along with all derivative policies, procedures, and integrated controls to ensure the confidentiality, integrity, and availability of information. In its implementation, managing relationships with third parties, such as suppliers and vendors, is also a crucial aspect. All services provided by third parties remain under the supervision and control of the ISMS to ensure information security.
The following provisions must be complied with by third parties (external), particularly suppliers:
1. Suppliers are required to sign a statement of commitment to comply with all information security requirements applicable to WIKA Beton. This provision refers to the ISO/IEC 27001:2022 standard regarding supplier relationship management, service agreements, IT supply chain management, and supplier service monitoring and review activities.
2. Every work contract must include a confidentiality clause, and all supplier personnel involved are required to sign a confidentiality agreement/non-disclosure agreement (NDA).
3. The work agreement must also outline the scope of services, requirements, division of authority and responsibility, and obligations related to achieving service performance targets.
4. WIKA Beton will conduct regular monitoring and evaluation of supplier performance and the level of compliance with service standards. Monitoring can be conducted through coordination meetings or work performance audits.
5. Suppliers are required to comply with information security requirements, and such compliance will be monitored and reviewed periodically. Supplier audits will be conducted by a goods/services testing committee.
6. Supplier personnel are granted access to WIKA Beton's information, information systems, and networks only as needed and must obtain approval from at least a Division-level official in the Information Systems Unit.
7. WIKA Beton's commitment to information security is strengthened by the Information Systems Unit's acquisition of ISO/IEC 27001:2022 certification. This certification is proof of the company's seriousness in implementing international standards and carrying out security controls consistently, effectively, and sustainably.
The Company regularly conducts vulnerability assessments on critical systems, networks, and applications to ensure there are no security gaps that could be exploited by unauthorized parties. This assessment process uses industry-standard tools and methods to accurately identify security weaknesses.
Each vulnerability found is analyzed and prioritized based on its risk level (severity) so that remediation can be implemented appropriately and effectively. After remedial actions are implemented, the Company re-verifies to ensure that all identified vulnerabilities have been properly addressed and no longer pose a risk to operations and information security.
In addition, the Company provides formal reporting channels, such as a dedicated information security email address, an IT helpdesk, and an internal portal, to facilitate employee reporting of incidents or suspicious activity. To ensure prompt and appropriate handling, the Company has established a tiered escalation procedure that starts with users and proceeds through the Service Desk/IT, Field Managers, and Division Managers.
All employees are required to immediately report any incidents, potential vulnerabilities, or suspicious activity. Furthermore, the Company regularly conducts outreach regarding incident reporting procedures and the importance of employees' roles in maintaining information security.