A rock-solid, secure ICT infrastructure is the foundation of any telecommunication service. Chunghwa Telecom (referred to as the Company hereinafter) aims to achieve its cybersecurity vision of “establishing the most valuable, secure, reliable, and trustworthy telecom service provider that meets international standards.” The Company has formulated rigorous risk management and protection measures to uncover hidden malicious behaviors and hunt down potential threats proactively, in the early stage of an attack. Meanwhile, having adopted international cybersecurity standards, it has established joint defense mechanisms with governments and international cybersecurity organizations, effectively enhancing the Company’s overall cybersecurity defense and response capabilities and ensuring the security of its operations and customer information.
Aiming for “zero tolerance,” we implement the “Cybersecurity Policy” and “Privacy Protection Policy” right from the start. Following the spirit of the ISO 27001 Information Security Management System and the Plan-Do-Check-Act (PDCA) cycle, we constantly review and improve these policies before embedding them into everyday operations, so as to achieve the goal of zero major cybersecurity breaches and zero privacy incidents.
Cybersecurity Management Strategy and Structure
Cybersecurity Management Organizations
To ensure the effective operation of cybersecurity management, the “Cybersecurity and Privacy Protection Management Committee” has been established at Chunghwa Telecom. The Chairman represents the Board of Directors in overseeing the Cybersecurity Policy. Meanwhile, the President has been appointed as the convener, and a SEVP as the Chief Information Security Officer (CISO), dedicated to the supervision of matters concerning the Company’s internal cybersecurity. The CHT SOC, established in 2013, has extensive experience with large-scale hacking and defense scenarios. A department dedicated to ICT security management, the Cybersecurity Department, was set up in 2016 as the executive secretariat.
Meetings of the “Cybersecurity Working Group” and the “Privacy Protection Working Group” are held regularly. The results of cybersecurity, personal information, and privacy protection management are reported to the Board of Directors.
Cybersecurity Management Organizations at CHT – The 3-Level Structure and Responsibilities
Aside from establishing an information security management system in line with international standards, with risk management at its core, we evaluate the maturity level of our cybersecurity management annually and amend the “Cybersecurity Policy” and relevant regulations as appropriate, based on the results of external and internal risk assessments.
With the goal of “Attention & Implementation of Cybersecurity by All,” we have incorporated “Information Security” as a KPI for employees. At present, 100% of Chunghwa Telecom’s IT infrastructure has passed inspection by the competent authorities and is certified to international cybersecurity standards (ISO 27001 / ISO 27011 / ISO 27017 / ISO 27018 / ISO 27701 / BS 10012 / CSA STAR certifications).
In addition, to ensure the security of its “ICT systems” and “critical infrastructure,” Chunghwa Telecom established the “Cybersecurity and Privacy Protection Risk Management Framework,” with reference to the NIST Cybersecurity Framework (CSF) and in compliance with domestic and international standards and regulations. The framework puts in place specific and effective measures for cybersecurity and privacy protection so as to prevent potential cybersecurity risks.
To fully support and achieve the strategies and goals of its various businesses, the Company established the “Cybersecurity Policy” in line with its operational goals. The policy has been approved by the Chairman and published on the Enterprise Information Portal (EIP) and the corporate website to demonstrate Chunghwa Telecom’s commitment to “Zero Tolerance” for cybersecurity incidents to all employees, customers, and suppliers. We have implemented specific and effective measures for cybersecurity and privacy protection, including diversity and defense-in-depth in cybersecurity protection and management, an intelligent security operation center, cybersecurity threat detection and warning, operational continuity management for critical infrastructure and ICT systems, a real-time incident reporting and rapid response mechanism, and third-party external cybersecurity testing and diagnostics. Following the Plan-Do-Check-Act (PDCA) management cycle, the Company continuously improves its cybersecurity and privacy protection management practices on a rolling basis.
Cybersecurity and Privacy Protection Measures: Risk Identification; Defense & Detection; Rapid Response; Review and Correction