
Information Security


Information Security and Cyber Security Governance Framework

To ensure effective management of information security, the Senior Executive Vice President, acting as Chief Information and Communication Officer, convenes an "Information Security Executive Task Force" whose members include the Board of Directors' Department of Auditing, the Department of Risk Management, the Department of Compliance, the Department of Information Management, the Department of Cyber Security, and 13 other units. The Department of Cyber Security serves as the task force's secretariat, organizing and coordinating the study of information security policies, actions, and resource allocation. The task force adopts the "Security Standards for Financial Information Systems" and reports regularly on "Computer Work Safety Countermeasures" to ensure that security controls remain adequate.


Information Security and Cyber Security Management

To protect the confidentiality, integrity, and availability of information assets, we have adopted a Cyber Security Policy and the Enforcement Rules of BOT Information Security Management, and we closely track updates to applicable laws and regulatory directives as well as our own implementation of them. We assess and revise these internal regulations so that they fully cover the management of information assets, networks, and system security. BOT has held ISO 27001 Information Security Management System certification since 2008 and continues to maintain the certification through recurring external audits.

In addition, we have established a procedure under the "Information Assets and Risk Assessment Management Regulations" to identify information asset risks, internal information security risks, and the level of preparedness of our systems. In 2023 we conducted two risk assessments, which identified four high-risk items; all four have been remediated.

Information Asset Risk Evaluation Procedure

Information Security Testing Plans

- System security vulnerability scanning plans
- Penetration testing plans
- Information security assessment plans for computer systems

Information Security Management Improvements

System/measure and description:

Anti-virus software: We have installed anti-virus software (including secure web gateways) to protect servers, workstations, and personal computers. We also regularly review the operating status of the anti-virus software and servers to maintain the security of our information and communication systems and networks.

Cybersecurity firewalls: We have built a three-tier network firewall architecture using firewalls from different vendors, and segmented the network by business type, servers, and clients, to protect internal hosts and the security and normal operation of network equipment.

Email filtering mechanism: We use a secure email gateway with an anti-virus engine to filter spam and block attachments containing known viruses, spyware, trojans, ransomware, and other malicious programs, combined with sandbox systems and gateway email protection systems for analysis and blocking.

Intrusion detection and prevention mechanisms (McAfee): Detect possible attacks and immediately block malicious or unauthorized applications and connections, and provide protection against zero-day attacks targeting system vulnerabilities to prevent abnormal connections from malicious programs.

Application firewalls: We have enabled Web Application Firewalls (WAF) and DDoS defenses on the application service load balancers to defend against SQL injection, cross-site scripting, brute-force logins, and other external attacks, protecting externally facing information and communication systems and websites.

Advanced persistent threat protection: We have deployed Deep Discovery Inspector (DDI) and Deep Discovery Analyzer (DDA) systems to detect threatening network behavior, identify threats in suspicious programs and connections, and strengthen threat detection and protection capabilities.

DDoS defense system: We have signed guaranteed-bandwidth contracts with telecommunications service providers to ensure that BOT can continue to provide external services during DDoS attacks.

Cyber security threat detection and management system: We have adopted endpoint detection and response (EDR) solutions to strengthen the detection of abnormal endpoint behavior on internal devices, investigate suspicious activity, reduce the risk of intrusion by malicious programs, and reinforce our multi-layered defense-in-depth mechanisms.

Information Security and Cyber Security Education and Training

We hold information security training for our employees every year, as stipulated in the "Regulations on the Classification of Cyber Security Responsibility Levels" and the "Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries".

Cyber Security Incident Management and Drills

In accordance with the "Cyber Security Management Act" and BOT's "Regulations on the Notification and Response of Cyber Security Incidents", we have adopted a reporting and response procedure and established a Computer Security Incident Response Team (CSIRT) to coordinate incident response and handling across all units. We also maintain external partnerships for cyber security intelligence sharing and participate in the interbank cyber security joint defense mechanism. Under our "Notice for Crisis Reporting", any unit can report an incident online through the intranet. No major cyber security incidents occurred in 2023.

Cyber Security Incident Drill

Each year we conduct unannounced cyber security incident drills as required by the FSC, simulating attacks to assess whether personnel follow the proper reporting procedures. In 2023 we completed the drill on time and met the requirements. We also conducted 12 cyber security incident response and disaster recovery drills.

Continuous Operations Drill

To reinforce the protection of critical information infrastructure, we have obtained ISO 22301:2019 certification for our internet banking service, corporate banking service, and tuition and fee portal service, ensuring a business continuity management system for these services. In 2023 we completed 111 information system backup drills to ensure continuous operations and 14 infrastructure backup drills, covering responsibilities, operating procedures, and resource allocation. Review meetings were held after the drills to follow up on lessons learned and improvements.

Social Engineering Drills

We took part in two drills organized by the MOF and conducted four social engineering drills of our own, with targets of a malicious email open rate below 0.4% and a click rate below 0.4%. The targets were met in the second drill. Employees who opened the emails or clicked on the links were asked to provide root cause analyses and action plans, and received training followed by post-training tests. We also emphasized email safety and included the drill results in business performance reviews to raise information security awareness.

Red Teaming

The FSC's "Financial Cyber Security Action Plan 2.0" encourages financial institutions to simulate an attacker's perspective and behavior and to regularly test the effectiveness of security operations center (SOC) monitoring and cyber attack response processes. We commissioned a professional third-party firm to perform red teaming in 2023, and we have remediated the vulnerabilities it identified and improved our cyber security defenses.