Bugzilla #2008803
Audit Related
Chunghwa Telecom: Findings in 2025 WebTrust Audit - GTLSCA Audit Incident Report #4 - Missing evaluation for third parties
RESOLVED
FIXED
Chunghwa Telecom
AI Summary
During the 2025 WebTrust audit, Chunghwa Telecom (GTLSCA) was found to lack objective evidence of adequate audit and evaluation for third-party vendors with access to CA facilities. The non-compliance period was identified from October 2024 to December 2025, during which GTLSCA failed to maintain a comprehensive evaluation framework. Although no certificates were misissued, the incident highlighted significant gaps in third-party risk management and compliance processes. Remediation actions have been implemented to enhance oversight and ensure adherence to Web PKI standards.
Chronology
- Initiate new annual cycle of system maintenance and procurement projects.
- Non-compliance identified during GTLSCA Auditing Close Meeting.
- Complete comprehensive risk assessment of third-party vendors.
- Revise internal control assessment process.
- Incident report closure.
Participants
Tsung-Min Kuo
Similar Local Cases
Chunghwa Telecom: Findings in 2025 WebTrust Audit - GTLSCA Audit Incident Report #3 - Missing vulnerability scan
Chunghwa Telecom: Findings in 2025 WebTrust Audit - GTLSCA Audit Incident Report #2 - Domain validation records without the TLS BR version
Chunghwa Telecom: Findings in 2025 WebTrust Audit - GTLSCA Audit Incident Report #1 - mass certificate revocation plan
Chunghwa Telecom Audit Statements
PKIoverheid: TSP CIBG Findings in 2025 ETSI Audit - Incident Report #5 – Risk Management
PKIoverheid: TSP CIBG Findings in 2025 ETSI Audit - Incident Report #8 – Human Resources Management
Microsec: Findings in 2023 Audit
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #3 – Internal Audit