Taiwan Mobile has adopted an ISO 27001 information security management system, and its privacy protection program has obtained ISO 27701 certification for privacy information management. Both refer to the ISO 27005 risk management standard to identify and manage risks. Taiwan Mobile has set up the Cyber Security and Data Privacy Protection Committee, which invites independent director Dr. Chung, who gained information and security-related experience during his term of office at the Executive Yuan (the Cabinet) of Taiwan, to observe its work, and it invests resources to implement controls. TWM conducts internal and third-party audits every six months. Here is an overview of its operations:
Jamie Lin, the President of TWM, appointed Ivan Lee as Chief Information Security Officer (CISO) due to his extensive experience in cybersecurity and communications. He has completed the Certified Information Security Manager (CISM) course and has experience in IS/IT security and control.
TWM's CISO is responsible for establishing and maintaining the organization's vision, strategy, and program to ensure that information assets and technologies are adequately protected.
TWM has established the ICT and Personal Information Security Management Division, which is responsible for supervising and reviewing all aspects of information security across implementation, supervision, and management. The Company has also formed the Cyber Security and Data Privacy Protection Committee, which is responsible for supervising and reviewing all matters concerning the implementation of the personal information and information security management system.
We pay close attention to the latest information security issues. Therefore, we set up a Mobile Broadband Information Security Group under the Cyber Security and Data Privacy Protection Committee, inviting manager- and deputy manager-level supervisors from all technical units to participate so that mobile broadband-related security issues can be resolved effectively.
TWM's ICT and Personal Information Security Management Division is the department designated to handle privacy issues. The processing flow is as below.
When a request for customer information is received from a government or law enforcement agency, TWM carefully reviews each request to ensure that it complies with the applicable legal procedures and conditions, including but not limited to the "Regulations on Telecommunications Business Handling the Related Authorities Inquiring Telecommunications Communication Record", the "Regulations on Telecommunications Business Handling the Related Authorities Inquiring Telecommunications User Information", and any other related regulations stipulated by the competent authority. If a request fails to comply with all legal procedures or conditions, TWM declines to provide the requested information. The Company is committed to maintaining the balance between protecting customer information and privacy and providing lawful assistance for public safety. In 2024, the number of requests for customer information from law enforcement agencies was 270,578, and the percentage of requests for which TWM provided the information was 99.98%.
Taiwan Mobile regards information security and personal data protection as core elements of corporate governance. The information security policy of Taiwan Mobile takes effect upon approval by the president or their designated representative, and the same procedure applies to any amendments. The policy is summarized as follows:
Purpose
To ensure the continuity of business operations, strengthen the information security management system, and safeguard the confidentiality, integrity, and availability of information assets. This policy aims to ensure compliance with applicable laws and regulations, effectively and reasonably reduce operational risks, and serve as the guiding principle for information security management.
Objectives
Scope of Information Security Management
The Policy is implemented through 14 control domains, which aim to prevent incidents such as the misuse, leakage, alteration, or destruction of data caused by human error, intentional misconduct, or natural disasters. The control domains are as follows:
The company assigns information security responsibilities to all employees and applies the PDCA (Plan-Do-Check-Act) model to conduct regular, independent, and objective annual assessments. These assessments evaluate the status of information security policies, compliance with applicable regulations, technologies, and business practices. The objective is to ensure practical implementation of the Information Security Policy, verifying the effectiveness and feasibility of information security practices in order to continuously improve information security systems.
To build company-wide awareness, all employees must complete 3 hours of mandatory information security training annually. In addition, IT staff must complete 9 hours of elective information security courses, while sales staff must complete 3 hours of elective courses. Taiwan Mobile is committed to continuously improving its information security systems through regular internal and external audits, information security assessments, and other technical inspections each year.
Taiwan Mobile, in accordance with the Cybersecurity Act and ISO standards, and with reference to the results of risk assessment and business impact analysis, incorporates compound scenario designs involving natural disasters, human-induced incidents, or cybersecurity events. We have established Business Continuity Plans (BCPs) and exercise them annually. Each exercise report must include a review and improvement measures, with continued enhancements implemented after approval by management. When the company's critical business processes are unable to continue operating, the necessary alternative measures are implemented and safe recovery is carried out to ensure employee safety and the continuity of critical business operations, thereby reducing the losses caused by the incident.
Taiwan Mobile's regular and non-regular employees (including temporary staff and third-party personnel assigned to the company) must immediately report any suspected information security event to their direct supervisor. The direct supervisor shall notify the responsible unit and the Information Security Officer according to the nature of the event. If the Information Security Officer determines that the event qualifies as an incident, he or she shall promptly follow the reporting procedures and take the necessary response measures to minimize potential damage.