Taishin FHC Corporate Social Responsibility Report 2019
Sustainable Governance

Information Security Awareness and External Party Management

[Infographic: three pillars, Transaction Security Mechanism (Global Digital Corporate Banking Network), Education and Drills (Information Security Training and Awareness Raising), and Supplier Management (Information Service Outsourcing Assessment); key figures: 3 hours of annual awareness training for all employees, 15 hours of external training for information security staff, 4-6 social engineering drills per year.]

Supplier Management: Information Service Outsourcing Assessment

Vendor criteria for outsourcing of major information processes:
- Market reputation
- Technical capabilities
- Competency for the outsourced service
- Degree of compliance regarding confidential operations

Taishin Bank has a set of "Information Service Outsourcing Guidelines" in place that sets out the standard operating procedures and rules for outsourcing information services. The guidelines cover several areas, including outsourced custody of computer hardware and software and outsourcing of information processes and services. To ensure that outsourced processes are secure and feasible, the project handler works with staff from the IT Division to perform comprehensive and rigorous supplier assessments, as well as risk assessments of the selected vendors. Credit assessments are performed where appropriate to ensure the quality of internal processes and the vendor's ability to provide services in the best interest of the Bank and its customers.

Vendors providing outsourced information services are required to meet the following conditions:
- Having adopted appropriate measures to ensure data security in customers' best interest.
- Having adopted appropriate measures to ensure the integrity of account data and transaction records.
- Having adopted appropriate measures, based on the sensitivity of the data and the transmission/storage method involved, to maintain the confidentiality of key information.
- Having adequate capacity for the outsourced information system, and having developed an effective business continuity and disaster recovery plan to ensure the continuity of the information system and its services.
- Having implemented emergency procedures to ensure the proper functioning of the information system and services.

Transaction Security Mechanism: Global Digital Corporate Banking Network

Taishin has obtained multiple security certifications and adopted appropriate encryption mechanisms to ensure that data is protected. Transaction verification mechanisms such as mobile device binding, real-time SMS notification and a transaction detection system are used to secure transactions. By using biometric, account-based or one-time password verification, Taishin ensures the timeliness, convenience and security of new transaction tools, including near-field contactless payment and remote credit card transactions. The Bank has also introduced anti-phishing fraud detection services that take down fake websites and apps to protect the security of consumer transactions.

[Figure: transaction security coverage across mobile devices, digital channels, and trading websites and apps.]

Education and Drills: Information Security Training and Awareness Raising

Information Security Professional Training

All employees of the Bank must complete at least 3 hours of "Information Security Awareness" training and assessment each year. The training covers a broad range of topics, from regulations, social engineering awareness, basic security awareness and customer personal information protection to case studies of security incidents, and is intended to develop sound information security awareness among employees. Training coverage and completion rates for 2019 were both 100%. The Information Security Department issues information security notices to all bank employees as needed to continuously reinforce staff awareness. All personnel in the information security units have completed at least 15 hours of external information security education and training, in accordance with the requirements of their duties, to strengthen their professional capabilities. The information security contact of every unit attends training courses run by external information security experts each year to strengthen their information security knowledge and skills.

Social Engineering Drill

All employees of the Bank are required to undergo unannounced social engineering drills, such as phishing email simulations, 4-6 times a year. Drill results are analyzed to identify employees with inadequate information security awareness, for whom the Bank arranges additional training to address the weak link and minimize the risk of a successful attack.