Telecommunications is critical infrastructure, and cybersecurity is therefore fundamental to the telecommunications business. Chunghwa Telecom Co., Ltd. (“Chunghwa Telecom”) is a leading telecommunications company with a mission to provide safe, reliable, and valuable services of the highest global standards in the cybersecurity arena. Through its in-house developed Intelligent Security Operation Center (CHT SOC), Chunghwa Telecom takes a proactive approach to uncovering malicious behaviors and hunting possible cyber threats at an early stage. The Cybersecurity Policy and Privacy Protection Policy are thoroughly implemented, embedded in daily operations, and continuously refined through the Plan-Do-Check-Act (PDCA) cycle. Chunghwa Telecom maintains zero tolerance for major cybersecurity and privacy incidents, contributing to the development of smart living and the digital economy.
1. Organization Operation
Chunghwa Telecom has established a “Cybersecurity and Privacy Protection Steering Committee” (see the figure below). An SEVP-level officer, appointed by the Chairman as CISO, periodically convenes both the “cybersecurity working group” and the “personal data and privacy protection working group”, oversees and manages the protection of cybersecurity and privacy, and reports regularly to the Board.
A dedicated cybersecurity management department has been in place since 2016 to keep pace with laws, regulations, and technology developments in emerging businesses; to coordinate the formulation of cybersecurity policies and rules; and to centralize ICT equipment for cybersecurity monitoring and joint defense. These measures reduce corporate cybersecurity risk, support emerging businesses, and offer clients safe and reliable digital services.
2. Cybersecurity Governance
Given the trends in new technologies and applications (e.g. 5G, IoT, AI, and cloud services), cybersecurity threats have evolved into multi-faceted, blended attacks. In addition, malware attacks, often embedded in supply-chain software, have become more frequent and diverse, and can disrupt business services or cause privacy leakage. Chunghwa Telecom enacts its cybersecurity policy in line with operational objectives and progressively introduces management measures to fully support business strategies and goals. These include the following:
Implementing appropriate risk management strategies, introducing security requirements at the design phase (security by design), and practicing rigorous cybersecurity protection management. Suppliers are selected and supervised in an appropriate manner to ensure supply-chain security and enhance privacy protection.
Deploying multi-layer, defense-in-depth security protection and detection mechanisms, together with the Intelligent Security Operation Center (SOC), to uncover malicious behaviors and hunt down possible cyber threats at an early stage of an intrusion. Meanwhile, through threat intelligence gathering and early-warning mechanisms, the Company becomes aware of cybersecurity incidents in a timely manner and carries out emergency incident response so that any damage is contained at a very early stage.
Conducting Red Team security assessments and joint cybersecurity defense with the national-level C-ISAC, including exchanging IOCs and threat intelligence and taking down malicious websites. Moreover, the Company participates in national-level critical infrastructure drills to ensure the effectiveness, safety, and resilience of system and data protection.
Organizing cybersecurity training and awareness campaigns for employees to enhance their cybersecurity and privacy protection awareness. In the meantime, penetration tests and internal, external, and third-party audits are held to evaluate the effectiveness of cybersecurity activities, and the results are reported to executive levels on a regular basis. Through the Plan-Do-Check-Act (PDCA) cycle, cybersecurity and privacy protection management actions are continuously improved to ensure the compliance and effectiveness of cybersecurity and privacy protection.
3. Cybersecurity Risk Management
To ensure the security of ICT systems and critical infrastructure, Chunghwa Telecom refers to the NIST Cybersecurity Framework (CSF) and, in accordance with domestic and international standards and regulations, has established a “Cybersecurity and Privacy Protection Risk Management Framework” (shown in the figure below) to prevent possible risks and implement effective measures for cybersecurity and privacy protection.
Chunghwa Telecom evaluates the maturity of its cybersecurity governance through risk management and amends its cybersecurity policy and guidelines annually in accordance with the results of internal and external risk assessments. Employee awareness training and performance are integrated into appraisals, and internal and external audits are conducted regularly. Chunghwa Telecom has been certified by competent authorities and third parties (ISO 27001, ISO 27011, BS 10012, and CSA STAR certification; the certificates remain valid) to provide better cybersecurity and privacy protection for clients.
4. Resources Allocated to Cybersecurity
Chunghwa Telecom is a professional security solution provider with all-round cybersecurity integration competencies, including threat detection, intelligence, and early-warning capabilities. We offer services including expert penetration testing and cybersecurity diagnostics. The CHT SOC also has a dedicated cybersecurity red team whose members have more than a decade of cybersecurity experience and hold certifications such as CEH, ECSA, or GWAPT. They work as an independent third party for vulnerability analysis. Should a vulnerability be detected during testing, the affected system must be patched and pass a retest within one month.
For years, Chunghwa Telecom has invested substantial resources in cultivating cybersecurity talent and strengthening its self-reliant cybersecurity R&D capacity. Over 100 dedicated cybersecurity personnel and cybersecurity R&D teams are allocated. Apart from regular cybersecurity and privacy protection education and training for all employees, which has reached the goal of 100% completion, training courses on cybersecurity and privacy protection are organized for professional fields such as system management, network management, software development, cybersecurity management, penetration testing, and privacy protection. Subsidies are also available for employees to obtain external professional certifications. Over 830 international certificates have been acquired, including ISO 27001 LA, CISSP, GWAPT, CEH, CHFI, ECSA, CISA, MCSA, and BS 10012 LA.
5. Cybersecurity Incidents
The performance of cybersecurity and privacy protection risk management is tracked and managed monthly by Chunghwa Telecom's “Risk Management Committee”. Any major risk concern is reported to the Audit Committee under the Board of Directors or directly to the Board of Directors. For the major domestic security incidents of recent years, Chunghwa Telecom had deployed prevention mechanisms in advance, such as disabling the Network Neighborhood (SAMBA) function, enabling AD domain security controls, and blocking APT malicious emails, and has leveraged CHT SOC intelligence to detect unknown threats and violations. In addition, with IOCs produced by the in-house developed threat intelligence system, CHT SOC can rapidly track and check the impact of external threats. Up to 2020, Chunghwa Telecom's businesses suffered no impact from any cybersecurity or privacy breach, nor did the Company receive any punishment or fine arising from such an impact. In 2020, in line with international practice, we planned the purchase of “data protection insurance”, which will take effect in 2021.
Dedicated Cybersecurity Management Department in Chunghwa Telecom: Cyber Security Department
For more information on Chunghwa Telecom's “Cybersecurity and Privacy Protection”, please refer to the Annual Report of Chunghwa Telecom.