Information Security
Information Security Policy
We have established an information security policy and information security management system to ensure the confidentiality, completeness, and availability of information assets, and also aims to achieve compliance of information operations and services by implementing information security risk management. In response to the expansion and diversity of the insurance business, we made information security internal controls and related regulations applicable to the entire company. As such, business units not only play the role of user, but also play the role of responsible unit and maintenance unit, which further enhances the Company's overall information security management.
The Company implemented a management system according to the international information security management framework to ensure solid information security. We have also maintained the effectiveness of our ISO 27001 Information Security Management System certification, and improved our protection for customers' rights and interests.
Information Security Measures and Actions
Participation in Information Security Joint Defense
The Company actively participates in the joint defense of financial institutions, and submitted an application to join the Financial Information Sharing and Analysis Center (F-ISAC) of the FSC, becoming one of the first members in 2017. We continue to share detection and blocking intelligence from our information security equipment after deidentification for the F-ISAC to conduct integrated analysis. KGI Life ranked first place in the Insurance Division in 2023 and was recognized by the F-ISAC for excellent performance in intelligence sharing in 2023. This allows us to prevent incidents from occurring, take caution against small matters during incidents, and minimize the damage afterwards. The Company has attended 22 FISAC conferences and seminars as of 2023.
Establishing a Security Operation Center (SOC)
The Company established a Security Operation Center (SOC) to monitor, detect, and discover information security incidents 24/7, increasing information security incident monitoring capabilities. KGI Life integrated the SOC with the information security log incident management and analysis system to conduct multi-dimensional association analysis. Information security analysts perform the analysis and provide recommendations to achieve precise reporting and warning of information security incidents in real-time.
The immediate reporting of information security incidents will significantly improve the effectiveness of subsequent tracking, response, and handling, properly handling information security incidents to reduce the hazard.
The immediate reporting of information security incidents will significantly improve the effectiveness of subsequent tracking, response, and handling, properly handling information security incidents to reduce the hazard.
System Backup and Incident Response Drills
The Company regularly conducts core information system disaster recovery drills, computer system information security assessments, external website penetration tests, and company-wide social engineering drills in response to the ever changing external attack methods and to reduce the impact of information operation interruptions due to emergencies or abnormalities, so as to ensure the security of the Company's information facilities and product sensitive data as well as customers' personal data.
The websites of government agencies and important livelihood services are often the target of Distributed Denial of Service (DDoS) attacks launched by hacker organizations, resulting in the websites of some agencies going offline. To strengthen defense and response capabilities for DDoS attacks, the Company conducted DDoS drills in 2023 to verify the ability of its website or servers to withstand DDoS attacks, and verify the effectiveness of defense plans.
The websites of government agencies and important livelihood services are often the target of Distributed Denial of Service (DDoS) attacks launched by hacker organizations, resulting in the websites of some agencies going offline. To strengthen defense and response capabilities for DDoS attacks, the Company conducted DDoS drills in 2023 to verify the ability of its website or servers to withstand DDoS attacks, and verify the effectiveness of defense plans.
Supplier Information Security Management and Performance
To ensure that the information security level of third-party partners is consistent with that of the Company, we not only review the information security of vendors we do business with and their employees, but also require them to comply with the Company's information security regulations. The Company has also established "Information System Operation Outsourcing Management Regulations" to standardize planning, bidding, contract, performance, acceptance, warranty, and verification, and thereby protect the rights and interests of the Company and customers.
For current suppliers, the Company periodically evaluates services provided by the supplier and further introduced the Security ScoreCard mechanism in 2021, which examines the information security maturity of the supplier's external systems, and includes them as evaluation items to make supplier attach greater importance to information security. We also periodically supervise and audit contractors every year (which includes information security review matters), to verify the overall service abilities and standards of contractors, which serves as the basis for subsequent contractor selection.
For current suppliers, the Company periodically evaluates services provided by the supplier and further introduced the Security ScoreCard mechanism in 2021, which examines the information security maturity of the supplier's external systems, and includes them as evaluation items to make supplier attach greater importance to information security. We also periodically supervise and audit contractors every year (which includes information security review matters), to verify the overall service abilities and standards of contractors, which serves as the basis for subsequent contractor selection.
Information Security Education and Training
The Company's dedicated information security personnel receive at least 15 hours of professional information security training each year. Information security personnel of each department must take at least 6 hours of courses on information security communication and operations. For office staff, the Information Security Department plans 3 hours of information security training each year, online information security training for new employees, and irregularly sends company-wide e-mails promoting information security, in order to continue improving the information security literacy of the Company's employees.