The Company implemented an information security management system (ISMS) under the ISO 27001 standard and obtained certification from BSI in 2011. Since then, the Company has been required to complete an annual surveillance review and a recertification every three years, and it continues to strengthen its information security management and controls through the PDCA (Plan-Do-Check-Act) cycle. A permanent “Information Security Team” is established under the information security management framework and is dedicated to coordinating and reviewing information security policies, plans, resource allocation, risk assessment, crisis management and related matters.
The Information Security Team is responsible for implementing the information security management system and supervising its operation, holding information security meetings and management review meetings periodically, studying the status of implementation of information security management and other information security-related matters, and regularly reporting an overview of information security execution to the Board of Directors.
The Company’s information security policy is based on the protection of shareholders’ interests, and aims to “protect the security of information assets” and “keep the business operating to achieve corporate sustainability”. The information security management framework is implemented through a four-level hierarchy of management documents, such as the information security policy and the directions for information security management.
In consideration of the increasing information security threats, information security management shall fulfill information governance and compliance requirements, while risk control shall focus on information security protection, including internal self-checks, external proactive detection, disaster response drills and enhancement of management. The Company has actively implemented various systems for automatic detection, behavior checking and prevention of illegal activities, including real-time monitoring and blocking of external threats, access control over internal data and operations, and segmentation of equipment, in order to prevent any illegal or malicious activities through strict separation and filtering mechanisms. Meanwhile, in order to keep upgrading the overall information security framework and strengthen the enterprise’s protection, the Company is evaluating information security insurance.
- Website Penetration testing
- Server Vulnerability Assessment
- Anti-Virus / Anti-Malware scan
- System Log Review
- Two-tier firewall protection
- Intrusion Prevention System
- DDoS Protection
- DNS Outsourcing
- APT Detection on external e-Mail
- Disaster Recovery Planning
- Information System / Infrastructure recovery drill
- DDoS protection drill
Analysis, Development, Implementation, Continuity
- Business Impact Analysis
- Risk management
- ISMS information security internal audit
The Company and its subsidiaries all participate in the Financial Information Sharing and Analysis Center (F-ISAC), and integrate threat intelligence into their information security defense systems to achieve the consolidated effect of joint defense. Yuanta Securities, Yuanta Bank and Yuanta Life have already implemented and been certified under ISO 27001 ISMS and BS 10012 PIMS to enhance their information security and personal information protection management mechanisms. Yuanta Futures and Yuanta Securities Investment Trust are also planning to implement the ISO 27001 information security management system (ISMS). Each of the subsidiaries also assesses its potential risks with the aid of an independent third party, and periodically completes vulnerability scanning, penetration testing, and the information security inspections or assessments as required. Further, through periodic review and updating of information security management regulations to satisfy the standards required by laws and the latest information security regulations, as well as information security threat and attack drills and educational training, the Company enhances the crisis awareness and competency of the Group’s employees to solidify the information management mechanism.