元大金控 (Yuanta Financial Holding Company)

Information Security
Information security organization

The Company implemented an information security management system (ISMS) based on the ISO 27001 standard and obtained certification from BSI in 2011. Since then, the Company has been required to complete an annual surveillance review and a recertification every three years, and it continues to strengthen information security management and controls through the PDCA (Plan-Do-Check-Act) cycle. A permanent Information Security Team is established under the information security management framework and is dedicated to coordinating and reviewing information security policies, plans, resource allocation, risk assessment, crisis management and related matters.

The Information Security Team is responsible for implementing the information security management system and supervising its operation, convening information security meetings and management review meetings periodically, examining the status of information security management and related matters, and regularly reporting an overview of information security activities to the Board of Directors.



Information security management framework

The Company’s information security policy is founded on the protection of shareholders’ interests and aims to “protect the security of information assets” and “keep the business operating to achieve corporate sustainability”. The information security management framework is implemented through a four-tier hierarchy of management documents, such as the information security policy and the directions for information security management.

In view of the growing number of information security threats, information security management must deliver information governance and compliance, while risk control focuses on information security protection in four areas: internal self-inspection, external proactive detection, disaster response drills and management reinforcement. The Company has deployed systems for automated detection, behaviour checks and prevention of unauthorized activity, including real-time monitoring and blocking of external threats, access control over internal data and operations, and network segmentation of equipment, so that unauthorized or malicious activity is prevented by strict separation and filtering mechanisms. In addition, to keep upgrading the overall information security framework and strengthen the enterprise’s protection, the Company is evaluating information security (cyber) insurance.

Information Security Protection

Internal Self-Inspection
  • Website penetration testing
  • Server vulnerability assessment
  • Anti-virus / anti-malware scanning
  • System log review
External Proactive Detection
  • Two-tier firewall protection
  • Intrusion Prevention System (IPS)
  • DDoS protection
  • DNS outsourcing
  • APT detection on external e-mail
Disaster Recovery
  • Disaster recovery planning
  • Information system / infrastructure recovery drills
  • DDoS protection drills
Management Reinforcement
    Analysis, development, implementation, continuity
  • Business impact analysis
  • Risk management
  • ISMS information security internal audit

The Company and all of its subsidiaries participate in the Financial Information Sharing and Analysis Center (F-ISAC) and feed the threat intelligence it shares into their information security defences, so that the Group benefits from a joint defence. Yuanta Securities, Yuanta Bank and Yuanta Life have implemented and been certified against ISO 27001 (ISMS) and BS 10012 (PIMS) to strengthen their information security and personal information protection management. Yuanta Futures and Yuanta Securities Investment Trust are also planning to implement an ISO 27001 information security management system (ISMS). Each subsidiary also assesses its potential risks with the assistance of an independent third party, and periodically completes vulnerability scanning, penetration testing and the information security inspections or assessments that are required. Further, by periodically reviewing and updating its information security management regulations to meet the standards required by law and the latest information security regulations, and by conducting simulated attack drills and education and training, the Company raises the competency and crisis awareness of the Group’s employees and strengthens its information security management.

Yuanta Financial Holding Company (FHC) has established a personal data protection system and implements it in all of its businesses. In addition to internal rules and regulations such as the “Personal Data Protection Policy” and the “Personal Data Management Regulations” that are reviewed and amended from time to time, an inter-departmental, inter-office Personal Data Protection Team (hereinafter referred to as the “PDPT”) has been set up as a dedicated unit responsible for promoting, coordinating, and supervising all matters related to personal data protection at Yuanta FHC.

The PDPT’s convener and vice convener are officers at Vice President level or above designated by the President, and its members are representatives from each department. PDPT meetings are convened to discuss personal data protection matters as business needs require. The PDPT conducts a personal data protection management review at least once a year, and the results of the review are reported to the Board of Directors together with the annual report on implementation of the legal compliance system.

Yuanta FHC assesses the personal data risks faced by its business at least once a year and establishes control measures based on the assessment results; the results and related analyses are submitted to the PDPT meetings. In the event of a personal data security or leakage incident, each department and office reports the operational risk event in accordance with the prescribed procedures, and the Information Technology (IT) Department additionally handles the information-related risks in accordance with the regulations on information security risk. The Risk Management Department provides prevention or improvement recommendations addressing the causes of personal data security incidents. Personal data protection is also covered by the Company’s internal audits and regular annual training courses to raise employees’ awareness of personal data protection.

In order to provide a mechanism for customers to exercise their statutory rights with respect to their personal data and to comply with privacy protection, Yuanta FHC discloses on its website the “Customer Data Confidentiality Measures” in accordance with the Financial Holding Company Act, the Regulations for the Management of Shared Marketing Across Subsidiaries of Financial Holding Companies, and other relevant laws and regulations, to clearly state that Yuanta FHC will not disclose customers’ personal data to third parties except under the circumstances specified in these measures or with customers’ written consent. In addition, a Privacy Statement is posted on the official website to explain Yuanta FHC’s collection policies, storage and protection measures for personal data, and the rights of customers to inquire, correct, and delete such data. An email address is also provided as a channel for comments, so that customers are aware of their rights and interests and can use the various services provided by the Yuanta FHC website with peace of mind.