Taiwan Depository & Clearing Corporation (TDCC)

Internal Audit Transformation: The Application of Information Security Audit Solutions

Olivia Chang, Chief Audit Executive; Yu-Sheng Chiang, Specialist, Internal Auditing Department
Grasping Business Dynamics, Developing Audit Transformation

TDCC has been moving towards digital services in recent years. As the pandemic receded, businesses paid more attention to maintaining market services under extreme conditions, a capability now called "operational resilience" or "business resilience." In building out digital services, TDCC's information security audit has faced a range of challenges, and the Internal Auditing Department keeps asking how audits should be designed, planned and executed so that digital services stay uninterrupted. Following the Financial Supervisory Commission's "Financial Information Security Action Plan 2.0," which calls for effective evaluation of information security monitoring and protection, we reviewed the international security trends reported by research institutes and noted that cyberattacks remain a constant worldwide and are now part of modern warfare. Alongside conventional combat on land, at sea and in the air, cyber operations are used as a method of attack: before the war in Ukraine, for example, critical infrastructure was hit by frequent DDoS attacks, phishing emails carrying malware, and misinformation campaigns. As the sole post-trade infrastructure of Taiwan's capital market, we pay particular attention to defending the company against cyberattacks by malicious actors. From an audit perspective, the question is how to verify that our security equipment and related mechanisms really do detect and block such attacks.

In October 2023, a TDCC delegation attended the International Internal Audit Annual Conference in Amsterdam, the Netherlands. The conference discussed the three lines of defense in information security risk management, namely the information technology units, the information security units and the audit units, each of which must perform its role to the fullest. Beyond advancing audit skills and techniques, auditors should also strengthen their competence in information technology and information security so that the third line of defense can demonstrate its value. The Internal Auditing Department has followed this principle for many years, continuously exploring the potential risks behind business operations and expanding its practical use of digital audit and verification tools.

Photos 1 and 2: Materials from the 2023 International Internal Audit Annual Conference (Source: The Institute of Internal Auditors, IIA)

Photos 3 and 4: 2023 International Internal Audit Annual Conference photos (Source: Internal Auditing Department)

Red Teaming

The term Red Teaming originated in the 1960s, when the military used it for simulated attack operations. It was later adopted in information security to mean a simulated intrusion against an organization, and it remains the most direct way to test the overall effectiveness of corporate security protection. We conducted Red Teaming exercises in 2018 and 2019. After these two eye-opening drills, management gained a different perspective on security protection. The realistic drills produced very concrete results: they uncovered vulnerabilities in the website perimeter defenses and gave the IT department first-hand exposure to real attacker techniques. They also made us more aware of the importance of supplier management. Thereafter, we stepped up the company's security awareness program to raise all personnel's awareness of information security.

This year (2023), we were invited to Google’s annual event, “Google Cloud Summit Taipei,” where we shared our experiences in Red Teaming:

  • The less conspicuous a system seems, the less its security protection should be overlooked.

Observing the white-hat hackers' actual behavior, we found that they try to gain a foothold through non-primary systems or peripheral devices and then reach core systems by lateral movement. Protection of peripheral devices should therefore be strengthened across the board and monitored continuously.
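As an added illustration (not TDCC's tooling and not part of the original article), the continuous monitoring this recommends can be expressed as two simple rules over connection logs: any attempt from a zone that has no business in the core, allowed or denied, and fan-out from one non-admin source to several distinct core hosts within a short window, which is what host-by-host probing after a peripheral foothold looks like. The hostnames, zone map, allowed-access table and log lines below are all constructed for the example.

```python
"""Flag core-zone access from hosts that should never initiate it, over constructed connection logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a hypothetical zone inventory; not TDCC's real hosts or network design.
ZONE_BY_HOST = {
    "printer-07": "peripheral",
    "badge-ctrl-02": "peripheral",
    "cctv-nvr-01": "peripheral",
    "ws-finance-12": "office",
    "jump-01": "admin",
    "settle-db-01": "core",
    "settle-app-01": "core",
    "custody-api-02": "core",
}
# Assumption: which (source zone, destination port) pairs may legitimately reach the core zone.
# A port of None means "any port".
ALLOWED_TO_CORE = {("admin", None), ("core", None), ("office", 443)}

# Constructed sample in the shape "timestamp src dst dport action", as a firewall export might give it.
SAMPLE_LOG = """\
2023-11-06T02:14:03 printer-07 settle-db-01 1433 allow
2023-11-06T02:14:09 printer-07 settle-app-01 445 allow
2023-11-06T02:14:15 printer-07 custody-api-02 22 deny
2023-11-06T02:15:01 jump-01 settle-db-01 1433 allow
2023-11-06T09:30:44 ws-finance-12 custody-api-02 443 allow
2023-11-06T09:31:02 badge-ctrl-02 settle-app-01 3389 deny
"""


def parse_log(text):
    """Parse the constructed log format into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "dport": int(dport), "action": action})
    return events


def zone_of(host):
    return ZONE_BY_HOST.get(host, "unknown")


def allowed_to_core(src_zone, dport):
    return (src_zone, None) in ALLOWED_TO_CORE or (src_zone, dport) in ALLOWED_TO_CORE


def find_lateral_movement(events, fan_out_threshold=3, window=timedelta(minutes=5)):
    findings = []
    recent_core_targets = defaultdict(list)  # src -> [(ts, dst)] seen within the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if zone_of(ev["dst"]) != "core":
            continue
        src_zone = zone_of(ev["src"])
        # Rule 1: every attempt from a zone/port that has no business in the core zone.
        # Denied attempts are kept on purpose: they are the probing that precedes a successful hop.
        if not allowed_to_core(src_zone, ev["dport"]):
            findings.append({"rule": "unexpected_access_to_core", "ts": ev["ts"].isoformat(),
                             "src": ev["src"], "src_zone": src_zone, "dst": ev["dst"],
                             "dport": ev["dport"], "action": ev["action"]})
        # Rule 2: fan-out. A source that is not blanket-allowed touching several distinct core
        # hosts within the window looks like host-by-host probing, not a single application flow.
        if (src_zone, None) in ALLOWED_TO_CORE:
            continue
        cutoff = ev["ts"] - window
        hist = [(t, d) for t, d in recent_core_targets[ev["src"]] if t >= cutoff]
        hist.append((ev["ts"], ev["dst"]))
        recent_core_targets[ev["src"]] = hist
        distinct = sorted({d for _, d in hist})
        if len(distinct) == fan_out_threshold:  # fire once, when the threshold is first crossed
            findings.append({"rule": "core_fan_out", "ts": ev["ts"].isoformat(), "src": ev["src"],
                             "src_zone": src_zone, "distinct_core_hosts": distinct})
    return findings


if __name__ == "__main__":
    for finding in find_lateral_movement(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample the printer produces three unexpected-access findings and one fan-out finding, the badge controller one unexpected-access finding, and the jump host and the finance workstation on 443 nothing; the zone map and the allowed-access table are the parts an auditor would need to obtain from the real network design before trusting the output.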

Photos 5 and 6: 2023 Google Cloud Summit Taipei conference photos (Source: Google)

  • Suppliers: Helpful Assistants or Hindrances?

During the drill, the white-hat hacker team found security weaknesses in the development environment of our information-system subcontractors that could leak our internal URLs and the accounts and passwords of our test environment. This reminded us how important supplier management is. In recent years our control of supplier risk has gone beyond strict qualification reviews to include regular information security audits of suppliers. Any behavior that violates our information security norms results in the corresponding contractual fines; in severe cases, the supplier is blacklisted from further engagement. These measures ensure that suppliers strictly implement the required information security management measures.
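The kind of leak described here can be screened for before a drill finds it. The following is an added example (not TDCC's code and not any supplier's) of a scan over a subcontractor's development tree for internal URLs, private addresses and hard-coded test credentials. The in-memory file tree, the internal domain suffixes and the placeholder conventions are assumptions made for the example, and values are redacted so that the audit report itself does not become another copy of the secret.

```python
"""Scan a (constructed) subcontractor development tree for leaked internal URLs and credentials."""
import re
from ipaddress import ip_address

# Assumption: hostnames under these suffixes are internal. Hypothetical, not TDCC's real domains.
INTERNAL_DOMAIN_SUFFIXES = (".corp.example", ".internal.example")

URL_RE = re.compile(r"""https?://(?:(?P<user>[^\s:/@]+):(?P<pw>[^\s/@]+)@)?(?P<host>[A-Za-z0-9.-]+)(?::\d+)?[^\s"']*""")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CRED_RE = re.compile(r"""(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["']?(?P<value>[^\s"',;]+)""")
# Template values that are not real secrets and should not be reported (assumed conventions).
PLACEHOLDER_RE = re.compile(r"^(\$\{[^}]*\}|<[^>]*>|\*{3,}|x{3,}|changeme|your[_-].*)$", re.I)

# Constructed sample tree: path -> content, standing in for a checkout of the subcontractor's repo.
SAMPLE_TREE = {
    "config/settings.dev.yml": "db_host: 10.20.30.40\ndb_user: app\ndb_password: Dev!2023pass\napi_base: https://uat-api.corp.example/v1\n",
    "deploy/.env.example": "API_TOKEN=${API_TOKEN}\nDB_PASSWORD=<fill-in>\n",
    "scripts/push.sh": "git push https://deploy:S3cr3tT0ken@git.corp.example/settlement/app.git main\n",
    "README.md": "Public docs at https://www.example.com/docs\n",
}


def is_internal_host(host: str) -> bool:
    """Private IP literal or a hostname under an assumed internal suffix."""
    try:
        return ip_address(host).is_private
    except ValueError:
        return host.lower().endswith(INTERNAL_DOMAIN_SUFFIXES)


def redact(value: str) -> str:
    """Keep a two-character prefix so the owner can recognise the value; never copy the full secret."""
    return value[:2] + "*" * 6


def _finding(path, lineno, kind, severity, detail):
    return {"path": path, "line": lineno, "kind": kind, "severity": severity, "detail": detail}


def scan_text(path: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hosts_in_urls = set()
        for m in URL_RE.finditer(line):
            host = m.group("host")
            hosts_in_urls.add(host)
            if m.group("pw"):  # credentials embedded in a URL, e.g. a git remote or a curl call
                findings.append(_finding(path, lineno, "url_with_credentials", "high",
                                         f"{m.group('user')}:{redact(m.group('pw'))}@{host}"))
            elif is_internal_host(host):
                findings.append(_finding(path, lineno, "internal_url", "medium", host))
        for m in IPV4_RE.finditer(line):  # bare private addresses outside any URL
            ip = m.group(0)
            if ip not in hosts_in_urls and is_internal_host(ip):
                findings.append(_finding(path, lineno, "internal_address", "medium", ip))
        for m in CRED_RE.finditer(line):  # key/value style secrets in config, env and scripts
            value = m.group("value")
            if PLACEHOLDER_RE.match(value):
                continue
            findings.append(_finding(path, lineno, "hardcoded_credential", "high", redact(value)))
    return findings


def scan_tree(files: dict) -> list:
    """Scan every file and order findings so the highs come first in the report."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["path"], f["line"]))


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f['severity']:6} {f['kind']:22} {f['path']}:{f['line']}  {f['detail']}")
```

On the constructed tree this reports the hard-coded development password and the credential-bearing git remote as high, and the private database address and the UAT hostname as medium, while the `.env.example` placeholders and the public documentation URL produce nothing. A real engagement would point `scan_tree` at a checkout of each supplier's repositories and build artifacts, and the redaction means the resulting audit evidence can be filed without itself needing to be treated as a secret.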

  • People: The Biggest Gap in Information Security

After the drill, we realized that senior managers with broad access privileges are prime targets for attackers. With strong support from company executives, all senior managers and staff are now required to take part in information security scenario drills every year to improve everyone's ability to respond to security incidents.

The Google Cloud Summit concluded on October 18, 2023. Google collected 358 valid questionnaires on the keynote sessions, and our experience-sharing session received a high satisfaction rating of 4.37 / 5.0. Google also sent a letter of thanks, acknowledging that our talk had encouraged more enterprises and industries to begin information security governance and transformation work to strengthen operational resilience. It also conveyed our company's forward-looking positioning in digital transformation and technology adoption.

Photos 7 and 8: 2023 Google Cloud Summit Taipei conference photos (Source: Google)

Simulated Red Teaming

Beyond Red Teaming, information security testing, supplier risk monitoring platforms, digital forensics and evidence preservation, and security incident response drills, we have been looking for advanced audit tools and solutions to make information security audits more efficient, diverse, and comprehensive.

Tooling for attack-and-defense drills is constantly evolving. Traditional Red Teaming, although the most realistic, is time-consuming and labor-intensive, and it often leaves IT units overwhelmed. This year we implemented "Simulated Red Teaming," using automated tools (the category usually called breach and attack simulation) to simulate attacks from outside the perimeter inward. This gives the company a more timely view of the weaknesses in its security protection, verifies the effectiveness of the protection mechanisms, and meets the Financial Information Security Action Plan 2.0 goal of "encouraging efficacy evaluation of information security monitoring and protection." The implementation and its details will be shared with all personnel once the project is complete.

Conclusion

As our company's digital services continue to expand, we will closely monitor emerging technologies and the threats and vulnerabilities that may accompany them. Through continuous learning, broader knowledge, and better audit techniques, we can hunt for information security risks and issues effectively, propose forward-looking audit recommendations promptly, and reduce the company's operational risks in developing digital services across the board.
