Article 1 (Purpose of policy)
Chunhwa Post provides postal, deposit, remittance and life insurance services to the general public in support of economic development, social stability and national policy.
Considering the company's business needs, this policy is established to safeguard the confidentiality, integrity and availability of the important personal and transaction data stored in the company's information system.
Article 2 (Scope of application)
The staff of the company, vendors with a business relationship with the company, and visitors must abide by this policy.
Article 3 (IT security objectives)
The Company's information security objectives are as follows:
1. To ensure the confidentiality of the Company's information assets through thorough implementation of data access control, which allows information to be accessed only when approved by the authorizing personnel.
2. To ensure the correctness and completeness of the Company's information processing methods.
3. To ensure the continued operation of the Company's information system.
Article 4 (Information security control measures)
1. An information security and personal data protection management committee and an information security promotion team are established to verify the effectiveness of information security management operations.
2. All units must establish an information asset inventory and designate the owner of each asset. They should conduct risk assessments based on the risk levels of the information. A risk control measure must be taken for any risk higher than the acceptable level in order to reduce it, and all control measures must be implemented thoroughly and continuously.
3. The necessary assessment must be conducted when recruiting personnel, and the recruited person must sign the relevant operation regulations. Employees must participate in information security education and training to raise their awareness of information security.
4. Access control and the regulations for objects carried into and out of the company's building and information security control area must be thoroughly implemented.
5. Clearly identify the information security of all products, services, processes, networks and IT infrastructure in order to make sure that risks have been found and proper protective measures have been deployed.
6. Backup or monitoring mechanisms must be established for important equipment to maintain its usability. Anti-virus software must be installed on the staff's PCs, and updated virus codes must be verified periodically. The use of non-licensed software is prohibited.
7. The accounts, passwords and rights held by the staff must be kept and used properly. The administrators must check and review the information regularly every year. Important system operation information must be regularly backed up and stored at different locations.
8. The deployment of security and control mechanisms must be considered in the initial stages of system development. If the development is outsourced, the control and information security requirements must be emphasized. Attention must be given to the schedule of system development to avoid delays and chaos.
9. Devise a proper response and reporting procedure for information security incidents and vulnerabilities in order to respond to information security incidents immediately and prevent the damage from spreading.
10. A sustainable operation plan must be established, exercised regularly and updated continuously.
11. In daily operations, the staff must thoroughly implement the review and verification system to maintain the authenticity of the information. The supervisors must supervise the implementation of the information security compliance system and strengthen awareness of information security and the related legal regulations.
12. If vendors or visitors dealing with the Company for business need to access the Company's information, the necessary reviews must be conducted. The personnel in charge are responsible for safeguarding the information assets of the Company.
Article 5 (Review and revision)
The policy shall be reviewed and revised by the information security management organization as necessary and shall be announced for implementation after approval.