Information Security Reminder

  1. Make sure your computer, smartphone or tablet is secure by updating operating systems, web browsers and other software. Also install antivirus software from a trusted company to ensure your device is protected from malicious activity.
  2. Never click on links or attachments, download files, or install software from unknown sources. Be aware of unsolicited emails that contain links to websites urging you to provide confidential or financial information. If you receive one of these emails, don’t reply or click on a link. Instead, contact the company using a phone number you know is genuine.
  3. For secure connections, the CHANG HWA BANK APPs are available on the App Store® and Google Play™. Do not download APPs from other sources.

Information Security and Business Continuity Statement

  1. CHANG HWA BANK understands that information security and business continuity are important to you. To assist us in offering banking services in a secure manner, we employ a number of measures, which are described below.
     1. The Bank ensures the confidentiality, integrity and availability of information, and prevents unauthorized access, alteration or destruction.
     2. The information security and business continuity management objectives are aligned with the Bank’s goals.
     3. The Bank continuously invests the necessary resources in information security protection systems, and consistently enhances and improves its management mechanisms in response to evolving information risks in order to achieve its information security objectives.
     4. The Bank clearly defines the responsibilities and obligations of employees in information security and business continuity management, and assigns relevant management roles responsible for providing direction and oversight.
     5. The Bank promotes awareness of the importance of complying with the Information Security Policy and relevant regulations, achieving information security objectives, and pursuing continuous improvement. All personnel, including employees, contract staff, and related parties, are required to comply with the Information Security Policy.
     6. A set of policies and procedures is published and communicated to employees and relevant external parties.
     7. The Bank regularly identifies interested parties and their requirements to determine the scope of the information security and business continuity management system, and maintains and continually improves that system.
     8. Workstations and laptops run anti-virus software that updates virus patterns and checks/scans files automatically. Installing software on any device without authorization is forbidden.
     9. The Bank regularly performs risk assessments of information assets and adopts appropriate controls and treatments to eliminate or reduce information security risks.
     10. To maintain continuous operation of information systems, the Bank establishes mechanisms for monitoring information security threats, incident response, and business disaster recovery. Regular exercises and tests are conducted to reduce business impact and ensure alignment with the Bank’s business continuity objectives. In the event of an information security incident, actions shall be taken in accordance with the "Chang Hwa Bank Information Security Event Reporting Procedure" and the "Chang Hwa Bank Material Incident Process Procedure". The Bank will proactively inform affected stakeholders about the incident handling and subsequent improvement measures based on the nature and impact of the incident.
     11. The Bank establishes information security requirements and management mechanisms for suppliers and third parties, clearly specifying that all partners must comply with the Bank’s Information Security Policy.
     12. When the Bank's important information services suffer from force majeure disasters or other man-made damage, the Bank will minimize the duration of the incident, reduce the impact of the disruption, and restore the information services to an acceptable service level in the shortest possible time.
     13. CHB provides sufficient resources for the establishment, implementation, maintenance and continual improvement of the information security and business continuity management system.

Information Security Policy

  1. To strengthen information security management and ensure the confidentiality, integrity and availability of information systems, as well as the reliability of information equipment and networks, the Bank implements and maintains the “Information Security Policy”. Download the full text of the Information Security Policy.

Information Security Risk Model

  1. The Bank has established a dedicated information security unit and appointed a Chief Information Security Officer (CISO) at the Executive Vice President level, who is responsible for the information security policy promotion and resource allocation.
  2. To ensure the effectiveness of its information security risk management framework, CHB adopts the “Three lines of defense” model for the management of information security risks. The first line of defense consists of all departments and the IT Division, which are responsible for executing information security operations. The second line of defense is the Information Security Division, which monitors the implementation status of the Information Security Policy and the resulting security risks. The third line of defense is the Internal Auditing Division, which audits these operations.
  3. The Information Security Policy is regularly reviewed and amended, and amendments take effect upon approval by the Board of Directors.
  4. Information security risks and their management are regularly reported to the Risk Management Committee, and reported at least annually to the Board of Directors.

Information Security Management Methodology

  1. CHB adopts the PDCA cycle (Plan-Do-Check-Act) as the foundation for continually improving the suitability, adequacy and effectiveness of the information security management system.
  2. The Bank continues to improve the information security management system and regularly reviews and revises its information security regulations; through information security risk assessments and information security testing, it identifies and remediates information security weaknesses to strengthen CHB's information security.
  3. Risk assessment operations are conducted every year to review the information security implementation status of each risk item, and to evaluate the Cybersecurity Maturity Level.
  4. The Bank has joined F-ISAC and TWCERT/CC to improve cybersecurity through cyber security information sharing.
  5. The Bank conducts monthly self-inspections and semi-annual internal audits of the Information Security Management System, Business Continuity Management System, and Personal Information Protection Management System. Improvement measures are formulated based on audit findings, and follow-up actions are continuously tracked.
  6. In accordance with the “Chang Hwa Bank Disaster Recovery Plan”, the Bank conducts at least two annual test drills for the core information systems, at least one annual test drill for important supporting information systems, and annual backup drills for other open information systems. The scope and frequency of these drills are regularly evaluated based on factors such as information risk levels and significant changes in system architecture.

Information Security Incident Response

  1. Chang Hwa Bank reports and handles information security incidents based on their types and severity in accordance with the “Chang Hwa Bank Information Security Event Reporting Procedure” and the “Chang Hwa Bank Material Incident Process Procedure”.
     1. Step 1: When an information security incident is identified, the relevant unit shall complete an emergency incident reporting form within two business days (excluding the day of discovery) and submit the report via the Information Security Incident Reporting Management System.
     2. Step 2: Upon receipt of the incident report, members of the Information Security Team will convene to assess and classify the severity of the incident.
     3. Step 3: The responsible units shall take appropriate measures to handle the incident, confirm its resolution, and maintain all related records of the handling process.
     4. Step 4: A review meeting shall be held to analyze the incident and implement measures to prevent recurrence.

Invest Resources in Information Security Management

  1. Implementation results of information security measures.
          I. Information security protection
  1. The Bank prepares a cybersecurity budget every year; in 2024, approximately 37% of the annual IT budget was allocated to cybersecurity.
  2. The Bank continues to introduce and expand information security defense equipment, such as firewalls, anti-virus software, IPS, an information security log management system, a database audit monitoring system and a malware endpoint detection system, and replaces expired equipment.
  3. The Bank continues to improve the information security and business continuity management system and carries out the compliance operations required by the competent authority, to ensure the effectiveness of information security management.
  4. The Bank regularly performs information security assessments and various information security tests, such as penetration testing, vulnerability scanning, malicious program detection and mobile application security testing.
  5. The Bank conducts information security testing at frequencies aligned with the criticality of each information system. For example, external-facing websites, apps, and electronic payment platforms undergo vulnerability scans quarterly and penetration tests semiannually; network devices undergo annual vulnerability scans and penetration tests. Furthermore, each system has established timelines for vulnerability remediation based on its risk score and risk level.
  6. The Bank regularly conducts information security training and social engineering drills for all personnel, and carries out emergency response and system backup drills for IT and information security staff, to improve colleagues' information security response capabilities.
  7. The Bank continues to take part in information security joint defense and makes good use of information security intelligence, to strengthen its ability to prevent malicious attacks and detect threats.
  8. There are about 20 employees in the Information Security Division, and the Bank's employees hold 101 international information security certifications, such as CISM, CISSP, CISA, OSCP, CEH, CPENT and CCISO.
  9. Report to the Risk Management Committee on the information security risk and management every month.
  10. ISO 27001 and ISO 22301 Management Reviews are held twice a year.
          II. International Standard Certification
  1. The Bank has implemented the ISO 27001 Information Security Management System and maintains certification valid from November 8, 2023, to November 7, 2026.
  2. The Bank’s IT Division and Information Security Division have implemented the BS 10012 Personal Information Management System and maintain certification valid from March 31, 2025, to March 30, 2028.
  3. The Bank’s IT Division and Information Security Division have implemented the ISO 22301 Business Continuity Management System. Certain IT systems are certified, with the current certification valid from April 24, 2024, to April 23, 2027.