We protect customers' confidential information, implement employee security management, and safeguard employees' confidential information in order to look after the interests of customers, the company, employees, and all shareholders, and to maintain our competitiveness.
Goals (short-term: 2025; medium-term: 2026~2029; long-term: 2030 and beyond):

Carry out various security management measures, such as machine room equipment, network security, virus protection, and e-mail management; system access and maintenance; employee training; information security audit; as well as inventory and inspection of Chinese information and communication equipment, in order to reinforce CSCC's information security capabilities.
Kindly refer to Annual ESG Plan and Implementation Outcomes in this Report for more details.
The Company has established an "Information Security Committee" to clearly define authority and responsibility for information security management, coordinate operations, and promote cybersecurity initiatives to ensure effective implementation and achievement of security policies and objectives.
| PROJECT | SPECIFIC MANAGEMENT MEASURES |
|---|---|
| Antivirus software | Install antivirus software programs and update virus patterns automatically to minimize the possibility of virus infection. |
| Social engineering drill services | Conducted two rounds of social engineering awareness drills, involving 2,592 employees, to enhance cybersecurity awareness. |
| Establishment of the SOC monitoring service for information security threat detection management | We commissioned CHT Security Co., Ltd. to provide pre-threat intelligence alerts, real-time threat alerts, and post-threat analysis and recommendations. This collaboration aims to effectively manage various cybersecurity alerts, enabling our security personnel to focus on addressing critical cybersecurity risks and jointly preventing security threats. |
| Perform vulnerability scanning or penetration testing on external websites. | Adopting a hacker's mindset, attempts are made to infiltrate the Company's website, information systems, and IT hardware and software to identify potential vulnerabilities. This process verifies whether the Company's data and equipment can be stolen or damaged, assesses the security of the information systems and hardware, and determines if enhancements are needed. Early remediation is undertaken to address any identified issues. |
| Achieving ISO 27001 Information Security Certification | Underwent on-site audit and passed reassessment by BSI in 2024; certification remains valid through 2025 |
| Introduction of a WAF (web application firewall) | To protect Internet-facing applications, the WAF monitors and filters the HTTP/HTTPS requests sent to the website, compares them against known malicious patterns, and rejects suspicious or malicious traffic before it reaches the site, allowing only safe and normal traffic through. This protects CSCC's website from malicious attacks, malware, and data leakage, thereby ensuring CSCC's Internet security. |
| Firewall protection | Implemented firewall access control rules; separate applications are required for special connection requirements. |
| User access control mechanism | Users are required to apply for approval before they can access the Internet, while the system automatically filters and blocks websites that may contain Trojan horses, ransomware, or other malware. |
| Operating system security update | Performed operating system security updates via WSUS server auto-patching |
| Data backup mechanism | Database data and applications are backed up regularly. Set up a backup mechanism for public hard drives and copy important data to backup public hard drives on a weekly basis to avoid data loss in case of hard drive failures or virus infection. |
| Disaster recovery | Conduct information system disaster recovery drills on a quarterly basis, in which data from backup files are transferred to the test database to check whether the data in a particular system is normal. |
| E-mail security control | Implement e-mail scanning and protection to block unsafe attachments, phishing e-mails, and spam before they reach users. When a personal computer receives an e-mail, the antivirus software also scans the e-mail for unsafe attachments. |
| Permission management | Management and review of personnel account permissions, and periodic inventory of personnel account permissions. |
| Access control | Implement mandatory password changes every three months and require passwords to be at least six characters long. Control access to network hard drives based on the permissions of each unit. Grant permission to use flash drives only upon a user's application and the supervisor's approval. |
| System maintenance management | Sign maintenance contracts for important system resources with vendors to maintain normal system operations. |
| Employee training | Conduct information security training for employees twice a year, with 605 total participants. Raise awareness of information security incidents on CSCC's EIP website from time to time. Send employees to attend local seminars from time to time. |
| Information security audit | Undergo internal audits, internal control document audits, external audits (conducted by CPAs), and CSCC's information security audits on a regular basis each year. |
| Project | Description |
|---|---|
| Penetration Testing and Vulnerability Scanning | Adopting a hacker's mindset, attempts are made to infiltrate the Company's website and information systems to identify potential vulnerabilities. This process assesses the security of the information systems and hardware, and determines if enhancements are needed. Early remediation is undertaken to address any identified issues. |
| Source Code Scanning | Source code scanning, also known as static code analysis, involves reviewing and testing application source code to identify and remediate potential vulnerabilities and weaknesses before deployment. It is distinct from scanning compiled programs. |
| Mail Server Redundancy Mechanism | In the event of a primary server failure, the backup mail server can seamlessly take over operations to ensure continuous email functionality. |
| Establishment of a Log Management Server | To meet ISO 27001 requirements, important servers and information and communication equipment must forward their logs to a log management server, where authorized and responsible personnel audit the records periodically, enabling early detection of abnormalities and tracing of evidence after an incident. The contract for the N-reporter software has been signed, covering the first year of implementation and four years of maintenance, totaling five years. |
| Professional Training for Dedicated Information Security Personnel | In compliance with the Cyber Security Management Act, each dedicated information security personnel must complete 12 hours of training per year. |
| Social engineering drill services | Conducted social engineering drills to strengthen employee awareness and reduce the risk of social engineering attacks. |
| Enhanced Network Redundancy at the Pingnan Plant | Signed a dedicated enterprise line agreement with Taiwan Mobile to mitigate the single-point-of-failure risk associated with relying solely on Chunghwa Telecom's network. |