Article 1 (Purpose of policy)
Chunhwa Post provides post, deposit and remittance and life insurance services to the general public for supporting the economic development, social stability and national policy.
Considering the company's business needs, this policy is established to safeguard the confidentiality, integrity and availability of the important personal and transaction data stored in the company's information system.
Article 2 (Scope of application)
The staff of the company and the vendors with business relationship with the company and
visitors must abide by this policy.
Article 3 (IT security objectives)
The Company's information security objectives are as follows:
1.To ensure the confidentiality of the Company's information assets with thorough implementation of data access control which allows information to be accessed only when approved by the authorizing personnel.
2. To ensure the correctness and completeness of the Company's information processing methods.
3. To ensure the continued operation of the Company's information system.
Article 4 (Information security control measures)
1. Establishment of information security and personal data protection and management
committee and the information security promotion team for verification of the effectiveness
of information security management operations.
2. All the units must establish the information asset inventory and stipulate the owner. They
should conduct risk assessment based on the risk levels of the information. A risk control
measure must be taken for the risk higher than the acceptable level to reduce the risk and all
the control measures must be truly implemented continuously..
3. Necessary assessment must be conducted for personnel recruitment and the recruited
person must sign the relevant operation regulations. Employees must participate in the
information security education and training to raise awareness of the information security.
4. Access control and regulations for objects carried into and out from the company's building
and information security control area must be truly implemented.
5.Clearly identify the information security of all the products, services, processes, networks
and IT infrastructure in order to make sure that the risks have been found and proper
protective measures have been deployed.
6.Backup or monitoring mechanisms must be established for important equipment for
maintaining their usability. The staff's PCs must be installed with anti-virus software and
updated virus codes must be verified periodically. The use of non-licensed software must be
7. The accounts, passwords and rights held by the staff must be kept and used properly. The
administrators must check and review the information regularly every year. Important
system operation information must be regularly backed up and stored at different locations.
8. The deployment of security and control mechanisms must be considered in the initial stages
of system development. If the development is outsourced, the control and information
security requirement must be emphasized. Attention must be given to the schedule of
system development to avoid delays and chaos.
9. Devise a proper information security incidents and vulnerabilities response and report
procedure in order to immediately respond to information security incidents for preventing
the expansion of damages.
10.A sustainable operation plan must be established, exercised regularly and updated
11.Daily The staff must truly implement the review and verification system to maintain the
authenticity of the information. The supervisors must supervise the implementation of
information security compliance system; strengthen awareness of information security and
related legal regulations.
12. If there is a need for vendors and visitors dealing with the Company for business to access
the Company's information, necessary reviews must be conducted. The personnel in
charge have the responsibility to safeguard the information asset of the Company.
Article 5 (Review and revision)
The policy shall be reviewed and revised by the information security management organization as necessary and shall be announced for implementation after approval.