Information Security Governance
The Board of Directors has approved an Information Security Policy, and an Information Security Committee has been established. The President convenes the committee; the division-level supervisors reporting to the President, the Chief Risk Management Officer, and the Chief Compliance Officer are its members, and the Chief Auditor is also invited to attend. The Chief Information Security Officer reports directly to the President and manages the Information Security Department, an independent department responsible for information security governance, maintenance of information security systems, and information security incident response. Key risk indicators for high-risk information security incidents are reported to the Board of Directors monthly in the Risk Management Department's Risk Integration Report, and overall information security performance is reported to the Board of Directors annually.
● Information Security Committee


Information Security Defense
Our defense-in-depth (DiD) technical controls were designed and planned with reference to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and its five functions: identify, protect, detect, respond, and recover. To understand risks and respond to them in a more timely manner, we have introduced technologies such as extended detection and response (XDR) and third-party automated security assessment. In accordance with international standards including ISO 27001, ISO 27701, ISO 22301, and BS 10012, we apply information security and personal data protection controls to detect and block threats at the network, application system, hardware, operating system, and data layers, while strengthening the engineering of key risk defenses. In addition, we simulate real attacker techniques through automated attack and defense drills and team-based simulation drills to verify the effectiveness of our information security controls.
● International Information Security Standards
Company | Standard | Certification scope
---|---|---
Taiwan Life | ISO 27001:2013 Information Security Management System | All departments of the head office, including all system development, operation and maintenance, network management, computer room, information supporting activities, and other businesses
Taiwan Life | ISO 27701:2019 Privacy Information Management System | 
Taiwan Life | BS 10012:2017 Personal Information Management System | Entire organization, including all departments of the head office, all branches, regional centers, and correspondence offices
Personal Data Protection
The Company complies with ISO 27001:2013 (Information Security Management System), ISO 27701:2019 (Privacy Information Management System), BS 10012:2017 (Personal Information Management System), and ISO 22301:2019 (Business Continuity Management System), and has adopted a framework spanning strategy, governance, maintenance, and technology to construct its information security and personal data management methodology. Control measures are built into the five stages of the information system life cycle, namely requirements discussion, system analysis and design, development and construction, system testing, and system launch. This improves the security quality of our software and ensures that rigorous protective measures apply throughout the operating process, from the collection, storage, processing, and transmission of personal data through to its deletion. An Information Security Policy and a Personal Data Management Policy have been established to protect operating information and safeguard the rights and interests of customers. In addition, the Personal Information Security Guidelines, the Statement on Personal Data Protection, and the Commitment to Information Confidentiality are in place to ensure that rigorous protection measures are implemented in the collection, processing, and use of customer information.
To strictly protect customer personal data, the information system platform displays only the minimum amount of data required for each business purpose, reducing the risk of exposure. A separate Emergency Response Plan for Personal Data Breaches has been formulated to ensure a compliant response in the event of a personal data infringement incident. We also continuously carry out information security and personal data protection education, training, and awareness activities to improve personnel capabilities and strengthen awareness of information security and personal data protection.
Business Continuity Management
When a disaster occurs, Taiwan Life strives to minimize damage in order to ensure personnel safety, protect customer rights and interests, and preserve the Company's goodwill and assets. To ensure that important services continue to operate when an incident, facility failure, or damage affects business or information services, the Company regularly revises its business continuity management standards and implements them in practice, so as to improve continuously and provide uninterrupted customer service.