Sustainability

Together, a better life.

Information Security and Privacy

Information Security Risks and Vulnerability Analysis

To enhance the internal information security protection of SinoPac Holdings, the Group evaluates information security risks and vulnerabilities at different frequencies to identify potential information security threats in its systems and internal controls. SinoPac Holdings has also established detailed response procedures and management measures for information security incidents to effectively prevent information security and network security risks from materializing. The Company continues to strengthen its information security mechanisms and its personal data protection and management through an APT defense system, defense against DDoS attacks, e-mail content filtering, malware detection, website and app vulnerability scanning, and security inspections. SinoPac Holdings has also isolated high-risk systems (such as ATM and SWIFT systems) and strengthened their security. The system management, database management, network management, information security management, and related infrastructure maintenance activities of the information technology units of Bank SinoPac and SinoPac Securities have received ISO 27001 certification.

| Item | Frequency | Main contents |
| --- | --- | --- |
| Review of information security inspection reports | Daily | Uncover potential information security incidents by reviewing the information security inspection reports to reduce threats and impact. |
| Convene monthly meetings of the Information Security Intelligence Center | Monthly | Review the monitoring and control measures of terminal hosts, accounts with special privileges, user actions, and threat hunting for analysis and discussions. Review the resolutions of the Information Security Intelligence Center and the implementation of measures such as information security monitoring points. |
| Review vulnerability scan reports | Quarterly | Review web and host vulnerability scanning reports and track the progress of vulnerability rectification, and continuously track vulnerability to strengthen information security capacity. |
| Review penetration test reports | Semiannually | Execute penetration tests for web pages and SWIFT to track the progress of vulnerability rectification and strengthen information security capacity. |

Information Security Management Process and System

According to the "Information Security Policy" of SinoPac Holdings, all units shall process information security incidents in accordance with the "Emergency Incident Response Rules". The Information Security Division shall evaluate the scope of the impact, specify the scope of the evaluation of impact, prepare the response plans, and report the response plans. It shall also report to the convener of the Information Security Committee for the necessary decision-making and work assignments. In addition, SinoPac Holdings and its subsidiaries execute the Business Continuity Plan (BCP) and conduct emergency incident response tests to improve the Business Continuity Plan.

Information Security Incident Escalation Process