
Information Security Mechanism

Policy and Commitment

  • In order to strengthen information security management, the Bank has established the “Information Security Policy”. Its purpose is to ensure legitimate, authorized access to the Bank’s information and to protect its confidentiality, integrity and availability; to maintain the reliability of information equipment and network systems and the normal operation of business processes in the face of internal and external threats; to take prompt and necessary contingency measures when incidents occur so as to minimize possible damage; and to continuously raise colleagues’ information security awareness through education, training and social engineering drills.
  • This policy is reviewed every year and amended by the Board of Directors, so that the Bank can provide timely, stable and secure system services, ensure the quality of the products and services it provides, and protect the rights and interests of its customers.

Information Security Management Framework

  1. In order to effectively implement internal control of information security, the Bank has adopted a management framework with three lines of defense:
    1. The first line of defense: the implementation of information security operations by all units and the IT Division across the Bank.
    2. The second line of defense: the Information Security Division is responsible for monitoring and managing the implementation status of the information security policy and the information security risks derived from it, and reports monthly to the Risk Management Committee on the status of information security management.
    3. The third line of defense: inspections by the Internal Auditing Division.
  2. A Director of Information Security at the executive vice president level has been appointed to coordinate the promotion of the information security policy and the allocation of resources. The Director of the Information Security Division serves as the dedicated supervisor of information security and must have a background in information security. This role is responsible for supervising and implementing information security policies and for coordinating and promoting information security management operations, and reports to the Board of Directors every year on the overall implementation and management of information security.
  3. The Bank has engaged an information security consultant to provide professional views and advice on information security management, strengthening the information security governance capacity of the Board of Directors.

Security Reporting Mechanism

For the notification and handling of information security incidents, the Bank follows the "(CHB) Information Security Event Reporting Procedure" and the “Chang Hwa Bank Major Contingency Incident Handling Procedures” according to the situation and severity of the incident. The affiliated units are notified through the “Information Security Event Reporting Management System”, by letter or by phone for internal communication and reporting. The IT and Information Security Divisions must contain and resolve information security incidents within the target processing time, follow up on the incidents, review improvement plans, and put forward preventive measures so that such incidents do not recur.

Security Measures and Management Mechanisms

The Bank uses the PDCA management cycle to conduct information security risk management and addresses and prevents risks posed by new technologies, new products and business process changes.

  1. Management System and System Evaluation
    1. The Bank confirms through an external review every year that the relevant management systems comply with international standards, and evaluates the operational effectiveness of those systems. In 2022, it will continue to ensure the effectiveness of the “Business Continuity Management System ISO 22301”, the “Information Security Management System ISO 27001” and the “Personal Information Management System BS 10012”, and will complete the upgrade of the business continuity management system in 2022.
    2. Every year, the Bank entrusts an independent third party to conduct an information security assessment and an overall information security compliance assessment in order to improve the Bank’s information security.
    3. The Bank conducts penetration testing on its mobile application (App) and the information security self-inspection of the Industrial Bureau of the Ministry of Economic Affairs every year, and all of them have obtained the certificate of compliance and the certification mark (MAS) of the Industrial Bureau.
  2. Multi-Level Security and Surveillance Mechanisms
    1. The Bank uses multiple layers of information security equipment working together to establish protection and monitoring mechanisms for networks, endpoints, databases and servers, strengthens information security protection operations, and has introduced two-factor authentication for important systems to strengthen access security.
    2. We use automated methods for 24/7 monitoring, detection and tracking of fake websites and mobile applications that impersonate the Bank, and take the necessary actions against such fraudulent activities.
    3. The Bank regularly performs source code analysis, vulnerability scanning, penetration testing and malicious program detection on its information systems to confirm whether weaknesses exist, so that they can be found and repaired early and a good quality of information system services is maintained.
  3. Integration and Application of Information Security Information
    1. Through the Financial Information Sharing and Analysis Center (F-ISAC), the Bank reports information security incidents and shares intelligence, and feeds security information back through the Financial Security Operation Center (F-SOC) for comparison of event data and analysis of suspicious attack sources. This allows the Bank to grasp the overall information security status and threats in the financial sector and improves the synergy of information security and joint defense.
    2. The Bank regularly inspects the status of information equipment and conducts operational impact analysis to strengthen its response to disasters.
  4. Information Security Education, Training and Drills
    The Bank holds information security awareness training courses for all employees every year to strengthen employees’ awareness of information security. Every quarter, it also uses information security bulletins, social engineering exercises, emergency response exercises and system support exercises to improve the alertness and resilience of colleagues.
    1. Information Security Education and Training in 2022
    2. In 2022, at least 24 information security notices will be announced on the bulletin board of the internal website to strengthen the information security awareness of colleagues at home and abroad.
    3. We conducted social engineering drills every quarter. In 2022, 16 drills were conducted and a total of 119,824 test e-mails were sent, with content in both Chinese and English, to increase the vigilance of employees and reduce the chance of a successful social engineering attack.
    4. In 2022, 7 emergency response procedure drills were completed to familiarize colleagues with the response procedures for different incident scenarios.
    5. In 2022, 100 information system drills were completed to familiarize colleagues with the system operation process.
    6. To improve the Board of Directors’ and senior executives’ grasp of the information security situation and the latest information security risks, the Bank invited external professional lecturers to hold a special course on “Strengthening the Resilience of Enterprise Information - Response of Risk and Crisis”, which was attended by a total of 15 people (including 8 directors); one further director was trained through a digital course. All directors have completed information security education and training, deepening their expertise in information security protection and continuing to support the Bank’s goal of safe, convenient and uninterrupted operation.
    7. The Bank’s information security personnel attend professional information security courses every year, and the Bank encourages and subsidizes colleagues in obtaining international information security certifications.
      ► In 2022, we assisted all 20 participating employees of the Bank in obtaining the ISO 22301:2019 Lead Auditor Certificate in Business Continuity Management Systems.

Implementation Status

  • In 2022, the Bank had no major security incidents involving its information equipment or network systems, and the number of customers affected by security incidents was 0.
  • The information-sharing point settlement results for F-ISAC members published under the Financial Supervisory Commission showed that the Bank won first place and was rated as excellent.

Information Security Policy