In July 2021, the Company established an "Information Security Committee" with the Vice President Administration serving as its Director. The Committee follows the information security policies to regularly establish and review guidelines and goals for information security management and to supervise the implementation of the information security policies. The aim is to build the Company's capability to ensure the security of information and to cultivate employees' information security competence. At the beginning of each year, the Committee reports to the Board of Directors on the implementation of the information security policies in the previous year. The information security report for 2021 was submitted to the Board of Directors on Mar. 22, 2022.
Information Security Policies

ISO27001 Certificate (Valid from Nov. 26, 2021 to Nov. 25, 2024)

Information Security Risk Management Structure & Operation

Structure of Information Security Risk Management
1. The Company has established an Information Security Committee, which follows the information security policies to regularly establish and review the principles and guidelines for information security.
2. Information Communication Security Committee Organization
(1) Information Security Committee: the Vice President Administration serves as Director of the Committee. Members are divided into several groups. The Vice Presidents, Division Directors and Office Chiefs are members from the units mainly in charge of building, promoting, supervising and managing information security work. The Committee members are: Vice President Administration, Vice President Military Aircraft, Vice President Helicopter, Chief of Chairman's Office, Director of each Division of the Military Aircraft Business Division, Director Administration, Director Quality Assurance, Director Accounting & Financial Planning, Director Procurement, and Manager Information Management; the Director Administration serves as Executive Secretary.
(2) Information Security Promotion Group: the Director Administration serves as team leader. The team is composed of sections of the Information Management Dep., Personnel Dep., Safety & Security Dep., General Affairs Dep., and Air Asia Technical Training; it is mainly responsible for promoting information security (establishing the information security plan, reporting and responding to information security incidents, and organizing the relevant education and training courses).
(3) Information Security Incident Handling Group: the Manager Information Management serves as group leader. The members are information security professionals and information personnel; their main duty is the technical work of information security (security inspection, examination of the information security systems, management of the threat detection system, and protection of information security).
Operation of Information Security Risk Management
1. The Company strengthens its information security management and, following the "Defense Industry Development Act", introduced ISO27001 (Information Security Management System) and obtained certification.
2. The Company sent representatives to the "ISO27001 active auditor certificate" professional training course, and they obtained the certificate.
3. The Company adopts information security measures in accordance with ISO27001 (Information Security Management System), which include:
(1) Compiling the "Operation Manuals for Information Security Management System" as the guideline for the relevant measures and ensuring that the relevant principles are practiced.
(2) Establishing management guidelines: guidelines for managing personal and public computers, guidelines for managing information assets, guidelines for managing electronic mailboxes, guidelines for sustaining information business, guidelines for ensuring physical security, emergency response plans, guidelines for auditing information security, system recovery plans, guidelines for managing access control, guidelines for system development and maintenance, guidelines for outsourcing information security work, guidelines for managing the operation of computer facilities, guidelines for managing information security risks, etc.
(3) Risk control and implementation (introduction and practice of information technology): introducing and installing a firewall system to effectively block the various types of attack arriving from the WAN; following Microsoft's guidelines for AD username and password complexity; and installing business antivirus software, a mail filtering and detection system, a storage system backup mechanism, and an information security incident reporting mechanism.
(4) Reviewing and improving on risk incidents (reviewing the execution of the information security measures), promoting and enhancing employees' competence in and practice of information security protection, carrying out periodic vulnerability inspections, and studying how to avoid mistakes.
Information Security Risk Management Practices
1. To establish an information system backup mechanism.
2. To back up the host computer and database data every day, and to check the computer facilities and keep a record daily.
3. To set up separate firewall systems for the internal and external networks.
4. To conduct two internal information security audits each year.
5. To convene one management review meeting each year.
6. To conduct at least one operational continuity drill each year.
7. To conduct at least one system vulnerability scan and penetration test each year.
8. To arrange on-the-job information security training for employees every year.
9. To conduct periodic social-engineering tests on employees.
10. To hold periodic seminars on information security.
Practical Information Security Management Plans
1. Account and access-right management and review
(1) Applications for, or changes to, accounts and access rights must be approved and reviewed by the administrative sections, and are subject to periodic review.
(2) Employees must set their passwords following the Microsoft AD domain complexity principles, and passwords must be changed every 90 days. Password history is enforced and a minimum password length is defined.
2. Access control
(1) Uploading and downloading data/files over the internet is regulated (application, approval and review are required).
(2) Use of removable media (e.g. USB drives, CD-ROMs, CD burners) is limited (application, approval and review are required).
(3) Access to applications is limited so as to control the input and output of data.
3. Multi-layer defense system
(1) Hardware firewalls are installed. Packet filtering effectively blocks external attackers and penetration; it also records the initiator and behavior of attackers, and analysis of such data helps detect future intrusion attempts.
(2) A mail logging function is installed on the host; the system filters mail and scans for viruses.
(3) Every computer in the Company has endpoint protection software installed (anti-virus and anti-hacker functions).
(4) A vulnerability scan is conducted at least once each year.
4. Reliability
(1) The host runs as a virtual machine, which reduces downtime, and the system automatically executes data backups; this is an active risk-avoidance mechanism.
(2) Data is backed up every day, and "Information business continuity drills" are organized to ensure stable operation of the system.
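As an added illustration (not part of the Company's own procedures or tooling), the following PowerShell script audits the Active Directory default domain password policy against the requirements stated in item 1(2) above: complexity enabled, a maximum password age of 90 days, password history enforced, and a minimum length. The history count and minimum length thresholds are assumptions, since the page only states that they are set; the script uses the standard `ActiveDirectory` module cmdlets.

```powershell
# Added example: audit the AD default domain password policy against the
# policy described on this page. Requires the ActiveDirectory RSAT module.
# MinPasswordHistory and MinPasswordLength below are assumed values; the
# page states only that history and a minimum length are enforced.
Import-Module ActiveDirectory

$Expected = @{
    ComplexityEnabled  = $true
    MaxPasswordAgeDays = 90   # stated on the page
    MinPasswordHistory = 5    # assumption
    MinPasswordLength  = 8    # assumption
}

function Test-DomainPasswordPolicy {
    param([hashtable]$Expected)

    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if (-not $p.ComplexityEnabled) {
        $findings += "Complexity is disabled; expected enabled"
    }
    # MaxPasswordAge is a TimeSpan; a zero or extremely large value means
    # passwords never expire, which also fails the 90-day requirement.
    if ($p.MaxPasswordAge -eq [TimeSpan]::Zero -or
        $p.MaxPasswordAge.TotalDays -gt $Expected.MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge is $($p.MaxPasswordAge.TotalDays) days; expected <= $($Expected.MaxPasswordAgeDays)"
    }
    if ($p.PasswordHistoryCount -lt $Expected.MinPasswordHistory) {
        $findings += "PasswordHistoryCount is $($p.PasswordHistoryCount); expected >= $($Expected.MinPasswordHistory)"
    }
    if ($p.MinPasswordLength -lt $Expected.MinPasswordLength) {
        $findings += "MinPasswordLength is $($p.MinPasswordLength); expected >= $($Expected.MinPasswordLength)"
    }
    if ($p.ReversibleEncryptionEnabled) {
        $findings += "Reversible encryption is enabled; it should be off"
    }

    # One object per run so the result can be logged or exported as evidence
    [PSCustomObject]@{
        Domain    = $p.DistinguishedName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-DomainPasswordPolicy -Expected $Expected | Format-List
```

Note that fine-grained password policies (`Get-ADFineGrainedPasswordPolicy -Filter *`) can override the default policy for specific groups, so a complete audit also checks each of those against the same thresholds.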
Investment in Information Security Management Resources
1. To install an internet edge firewall, Trend Micro Apex One endpoint protection software, and a data backup system. In 2021, we invested NTD 5 million in the maintenance and improvement of information security facilities.
2. To organize on-the-job training for information security personnel and to conduct information security incident response drills.
(1) Training plan (for designated personnel): 4 representatives participated in the ISO27001:2013 lead auditor training course and obtained the certificate.
(2) Educational training: a total of 6 seminars were organized, with 1,318 participants, totaling 2,508 hours.
(3) Three social-engineering drills were held during the year. A total of 360 people were involved, and the passing rate was 99.9%.
(4) The information security review meeting is convened in October every year.
3. To sign an information security consulting contract with service providers and to conduct a vulnerability scan, penetration test, and information security check annually. Account access rights were reviewed twice in 2021, covering a total of 1,074 accounts.