Information Security Management
Management measures relating to information security implemented in 2019 were as follows:
Information security management system:
In order to enhance management of information security, the Corporation established an “Information Security Management Committee” on October 25, 2017 and designated cross-departmental information security representatives to convene information security management audit meetings and information security representative meetings regularly. The Information Technology Division is then responsible for providing annual reports on implementation performance to the Board of Directors. Implementation results for 2019 are as follows:
1. The Corporation's president acts as the convener, and the operations senior vice president acts as the CISO (Chief Information Security Officer) and chairs the information security management audit meeting. Regular meetings are held every 6 months to assess information security developments and strategies, ensuring that the information security management system continues to operate in a stable manner.
2. Each office and department unit has assigned an information security representative, and the head of the System Maintenance Department in the Information Technology Division acts as the information security management representative. These representatives convened an “Information Security Representative Meeting” every quarter to report on information security plans under development and on implementation results, and to promote relevant information security policies and their implementation.
3. The security management report and implementation results were submitted to the 3rd board meeting of the 9th Board of Directors on June 17, 2020.
Information Security Management Structure
Specific management plans:
1. The Corporation has established its “Regulations for Governing Information Security” to ensure that our hardware, software, data, and personnel adhere to the principles of C (Confidentiality), I (Integrity), A (Accessibility), and C (legal Compliance). Our information security system is built on three aspects: maintaining operations, addressing information security challenges, and legal compliance, and we are gradually improving the relevant management measures.
2. In 2019, the Corporation took out electronic equipment insurance policies for the operational assets involved in maintaining information systems and network equipment; security monitoring measures were also put in place to prevent theft and malicious destruction.
3. Because cyber-insurance is a new type of insurance policy, and in consideration of all issues relating to insurance scope, the scope of claims for damages, the identification of damages, and the qualifications of the institutions that identify damages, the Corporation plans to begin an evaluation of the benefits of cyber-insurance in 2020. In the meantime, the following strategies have been adopted in response to current challenges such as APT (Advanced Persistent Threat) attacks, DDoS (Distributed Denial of Service) attacks, ransomware, social engineering attacks, and information theft:
- Continued annual review of trends in information environments and technical information in accordance with our corporate information security policies, and establishment of protective measures and solutions.
- Implementation of annual security checks, information and communication security health checks, and social engineering and information breach scenario exercises to strengthen employee awareness of information security crises and response capabilities, with the aim of efficiently preventing and detecting threats and containing their spread at the earliest stage.
- To strengthen employee awareness of information security crises and response capabilities, information security training has been provided to all employees quarterly, and monthly social engineering and information breach scenario exercises have been conducted, since July 2019.
- Establishment of cyber security incident notification and response protocols covering incident notification to all related agencies, formation of an incident response team, assessment of the incident's impact scope, damage control, and post-incident investigation. Implementing these protocols minimizes the impact on THSRC service coverage and service hours, and prioritizes preserving passenger rights.
4. The Corporation passed the annual audit of its ISO 27001 information security management system in October 2020. The current ISO 27001 certificate is valid through Dec. 27, 2020; the renewed ISO 27001 certificate will be valid from Dec. 28, 2020 to Dec. 27, 2023.