Information Security Policy and Protection


Taiwan Mobile adopts ISO 27001 information security management system, and its privacy protection has obtained ISO27701 privacy protection management certification. Both of them refer to ISO 27005 risk management standard to identify and manage risks. Taiwan Mobile has set up the Cyber Security and Data Privacy Protection Committee, which invites independent directors, Dr. Chung who has Information and security related background during his term of office at the Executive Yuan (the Cabinet) of Taiwan, for observation and invest resources to implement control. TWM handles internal and third-party audits every six months. Here is an overview of its operations:

  1. The Company president appoints the committee’s chairman, and the top executive of each functional organization shall assign committee members.
  2. Meet at least once a quarter.
  3. Operations of working groups under the committee:
    • Operations maintenance team: Meet at least once a quarter to implement and improve personal information and information security measures.
    • Internal audit team: TWM colleagues with audit certificates would carry out an internal audit every six months.
    • Emergency response team: Convened by the committee chairman depending on the nature of the incident.
    • Mobile broadband team: Appointed by top managers from technology and operation departments.

Jamie Lin, the President of TWM appointed Ivan Lee as Chief Information Security Officer (CISO) due to his extensive experience in cybersecurity and communications. He has completed Certified Information Security Manager (CISM) course and experiences in IS/IT security and control.

TWM's CISO is responsible for establishing and maintaining the organization’s vision, strategy, and program to ensure information assets and technologies are well protected.

TWM has established the ICT and Personal Information Security Management Division, which is responsible for supervising and reviewing all aspects of information security across implementation, supervision and management. The Company has formed the Cyber Security and Data Privacy Protection Committee, which is responsible for supervising and reviewing all matters concerning the implementation of the personal information and information security management system.

We pay high attention to the latest information security issues. Therefore, we set up a [Mobile Broadband information security group] under the Cyber Security and Data Privacy Protection Committee, inviting manager/ deputy manager-level supervisors from all technical units to participate in the group to effectively resolve any mobile broadband related security issues.

TWM’s ICT and Personal Information Security Management Division, which is designated department responsible for privacy issues. The processing flow is as below.

  1. If a personal data incident occurs, the ICT and Personal Information Security Management Division will receive a notification.
  2. The ICT and Personal Information Security Management Division perform incident classification according to the impact and timeliness requirements for incident handling.
  3. If a major incident occurs, a response team will be established to conduct incident investigation and draw up a contingency plan.
  4. The ICT and Personal Information Security Management Division held a post-event review meeting to formulate a future prevention mechanism for the incident.

In the event that a request for customer information received from government or law enforcement agencies, TWM carefully reviews each request to ensure such request complies with legal procedure and conditions, including but not limited to “Regulations on Telecommunications Business Handling the Related Authorities Inquiring Telecommunications Communication Record”, “Regulations on Telecommunications Business Handling the Related Authorities Inquiring Telecommunications User Information” and any other related regulations stipulated by the competent authority. If a request fails to meet these compliance with all legal procedures or conditions, TWM declines to provide the requested information. The Company is committed to maintaining the balance between the protecting the customer information and privacy and lawful assistance for public safety. In 2024, the number of requests for customer information by law enforcement agencies is 270,578, the percentage that TWM provides as request is 99.98 %.

Information Security Policy

Taiwan Mobile regards information security and personal data protection as a core element of corporate governance. The information security policy of Taiwan Mobile shall be implemented upon the approval of the president or their designated representative, and the same procedure shall apply to any amendments. The policy is summarized as follows:

Purpose

To ensure the continuity of business operations, strengthen the information security management system, and safeguard the confidentiality, integrity, and availability of information assets. This policy aims to ensure compliance with applicable laws and regulations, effectively and reasonably reduce operational risks, and serve as the guiding principle for information security management.

Objectives

  1. Ensure the continuity of the Company’s business operations
  2. Maintain uninterrupted operation of the Company’s critical business functions
  3. Protect customer data integrity and prevent unauthorized use or disclosure
  4. Prevent misuse or unauthorized use of information and communication assets
  5. Strengthen defenses against external threats, including hacking, malware, and other cyberattacks, and monitor and respond to information security threats
  6. Prevent operational errors and accidents caused by human negligence

Scope of Information Security Management

The Policy is implemented through 14 control domains, aim to prevent incidents such as data misuse, leakage, alteration, or destruction of data from human error, intentional misconduct, or natural disasters. The control domains are as follows:

  1. Development and evaluation of the information security policy
  2. Formation and assignment of responsibilities for information security organization
  3. Personnel security and training
  4. Asset classification and control
  5. Access control
  6. Data encryption and protection
  7. Physical and environmental security management
  8. Operational security management
  9. Communications security management
  10. System development and maintenance
  11. Supplier security management (include Establishing information security requirements for third parties)
  12. Security incident management
  13. Business continuity management
  14. Internal audits and other relevant controls
Information Security Assessment

The company assigns information security responsibilities to all employees and applies the PDCA (Plan-Do-Check-Act) model to conduct regular, independent, and objective annual assessments. These assessments evaluate the status of information security policies, applicable regulatory compliance, technologies, and business practices. The objective is to ensure practical implementation of the Information Security Policy, verifying the effectiveness and feasibility of the information security practices for continuously improving information security systems.

To build company-wide awareness, all employees must complete 3 hours of mandatory information security training annually. In addition, IT staff must complete 9 hours of elective information security courses, while sales staff must complete 3 hours of elective courses. Taiwan Mobile is committed to continuously improves its information security systems through regular internal and external audits, information security assessments and other technical inspections each year.

Information security-related business continuity plan

Taiwan Mobile , in accordance with the Cybersecurity Act’s and ISO standards, and with reference to the results of risk assessment and business impact analysis, incorporates compound scenario designs involving natural disasters, human-induced incidents, or cybersecurity events. We have established some Business Continuity Plans (BCPs) and exercised annually. The exercise report must include review and improvement measures, with continued enhancements implemented after approval by management. When the company’s critical business processes are unable to continue operating, necessary alternative measures will be implemented and safe recovery carried out in order to ensure employee safety and the continuity of critical business operations, thereby reducing the losses caused by the incident.

Escalation process for employees to report incidents, vulnerabilities or suspicious activities

Taiwan Mobile regular employees and non-regular employees (including temporary staff or third-party personnel assigned to the company) must immediately report any suspected information security event to their direct supervisor. The direct supervisor shall notify the responsible authority and the Information Security Officer according to the nature of the event. If the Information Security Officer determines that the event qualifies as an incident, he/she shall promptly follow the reporting procedures and take necessary response measures to minimize potential damage.