Information Security Policy and Management

In Jul. 2021, the Company established the "Information Security Committee" with the Vice President serving as its Director. The Committee follows the information security policy to regularly establish and review guidelines and goals for information security management and to supervise implementation of the policy. The aim is to build the Company's capability to ensure information security and to cultivate employees' information security competence. At the beginning of each year, the Committee reports to the Board of Directors on implementation of the information security policy in the previous year. The information security report for 2024 was submitted to the Board of Directors on Feb. 26, 2025.
The Company obtained ISO27001:2022 certification in Oct. 2024, valid until Nov. 2027, and will continue to strengthen information security management. The annual review under the "National Chung-Shan Institute of Science & Technology's Manufacturer Security Audit" was completed in Jul. 2024, and the annual "Periodic Safety Review of Military Products Manufacturers Scheduled by the Ministry of National Defense" was completed in Dec. 2023.

 
ISO27001 Certificate (Valid from Nov. 26, 2021 to Nov. 25, 2027)
[ISO27001 certificate images: Chinese version and English version]
 
 
Organizational Structure of Information Security Committee
The Vice President serves as Director of the Committee. The Committee members are: the Vice President, Military Aircraft; the Vice President, Helicopter; the Chief of the Chairman's Office; the Director of each Division of the Military Aircraft Business Division; the Directors of Administration, Quality Assurance, Accounting & Financial Planning, and Procurement; and the Manager of Information Management. The Director of Administration serves as Executive Secretary.
[Organizational chart of the Information Security Committee (EN)]
Information Communication Security Management Policy
Purpose: Air Asia Co., Ltd. (hereafter referred to as "the Company") aims to ensure secure and stable information operations, provide reliable information and communication services, ensure the confidentiality, integrity, and availability of its information assets, and conduct its business smoothly in compliance with the ISO27001 international standard. The Company has therefore established this information security policy (hereafter referred to as "the policy") as its top-level guideline, detailed as follows.
Goals: (1) To ensure the confidentiality of the Company's business and to protect confidential information of the nation and of individuals.
(2) To ensure the integrity and availability of information related to the Company's business, and to enhance administrative efficiency and quality.
(3) To follow national policy and to enhance the Company's capability to ensure information security.
(4) To comply with national regulations and Company rules, and to keep the business operating smoothly.
Strategy: (1) Integrate relevant laws, regulations, and operational requirements, and evaluate the needs of information security work, to establish standard procedures that ensure the confidentiality, integrity, and availability of the Company's information assets.
(2) Establish the Company's information security organization and assign duties so that information security work is carried out smoothly.
(3) Follow the Regulations on Classification of Cyber Security Responsibility Levels in executing the matters required of the Company.
(4) Establish regulations on the notification of and response to cyber-security incidents, to ensure proper response, containment, and handling of information security incidents.
(5) Audit information security regularly to ensure that information security management measures are implemented.
Review: The policy is approved by the Director of Information Security and is evaluated at least once a year, or re-examined when a major organizational change occurs (e.g. organizational adjustment or major changes in the business). Appropriate amendments are made according to the results of the evaluation, relevant laws, and the latest developments in technology or the business environment.
 
Information Security Management Measures and Plans
Information security risk management measures are as follows:
Item / Specific management measures
Firewall protection
1. The firewall enforces connection rules that control every connection between the internal network and external networks.
2. Special connection requirements must be applied for through a CSR and are opened only after approval by the Division Director; alternatively, they may be opened on a fixed schedule, with information personnel enabling the connection only during the specified period.
3. The number of attacks blocked by the firewall is monitored and analyzed every month.
User network access control mechanism
1. Users who need Internet access must apply through a CSR; access is granted only after approval by the Division Director.
2. Internet access control: in conjunction with the firewall settings, instant messaging software, web mail, cloud storage, and file transfer software and services may not be used; audio and video websites such as YouTube require an approved application before use.
Email security control
1. External mail passes through a mail filtering/logging system that automatically scans messages and applies threat protection. Potentially unsafe attachments and phishing emails are flagged as spam by an automatic judgment mechanism, giving users an additional basis for deciding whether to accept a message. Emails are also scanned by the antivirus software on both the mail host and the user's computer.
2. The number and details of external emails sent and received are counted, abnormal sending and receiving is monitored, and leakage of confidential information is prevented.
Website protection mechanism
The website is protected by a firewall device that blocks attacks from external networks.
Antivirus software
1. Multi-level antivirus operation is used to reduce the chance of infection; different antivirus products are used on the firewall and on internal network computers.
2. Antivirus signatures are updated immediately as released to reduce the risk of infection.
Internal network and wireless network control mechanism
1. The wireless network is divided into an internal network and an external network, isolated from each other by VLAN.
2. The internal wireless network admits only approved business laptops and tablets, bound by MAC address.
3. The external wireless network (enabled only in some areas) uses a connection key to serve the office connection needs of customer representatives and vendors in specific office areas.
Information computer room security management and control
1. Entry to and exit from the computer room must be registered, and entry is permitted only when accompanied by information personnel.
2. The computer room is equipped with a UPS (uninterruptible power supply) that guarantees more than 30 minutes of run time during an abnormal power outage, allowing information personnel to shut down the servers in an orderly way and protect the server systems from failure caused by the outage.
High availability backup mechanism
The host systems use VMware virtualization management, with a high-availability mechanism built on a complete set of storage area systems in two computer rooms, so that each main host is highly available and system operation can be restored in the shortest time when a system fails.
Backup mechanism
1. Information system databases are backed up with a weekly full backup and a daily differential backup.
2. Information system programs and file server files are fully backed up every day.
Operating system update
Major and security updates for the operating system are distributed and installed automatically on the Company's computers through a WSUS host. Computers that are not updated for any reason are updated by the Information Management Department.
User account/privilege management
1. User accounts must be applied for through a CSR and approved by the Division Director before use.
2. Users are grouped into the smallest practical units for access control.
3. A project management directory must be approved by the Division Director and the Project Manager before it is established. Access rights to it are applied for through a CSR and granted after approval by the Project Manager.
USB disk access control
1. General user computers prohibit the use of USB devices by default.
2. If a USB device is required for business use, the CSR application must be approved level by level up to the President.
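The backup mechanism above (weekly full plus daily differential) and the annual restore test in the results below both turn on one question: which backup files are actually needed to restore to a given point in time, and are they intact? The following is an added example, not the Company's own tooling or any product named on this page. It assumes a backup catalogue whose records carry a kind ("full" or "differential"), a timestamp, a hypothetical path in the backup store, and the SHA-256 digest recorded when the backup was written; the catalogue itself is constructed inline. Because a differential backup contains every change since the most recent full backup, a restore needs exactly one full and at most one differential, unlike an incremental chain, which needs every incremental since the full.

```python
"""Restore-chain selection for a weekly-full / daily-differential schedule.

Added example, not the Company's own code. Assumes a backup catalogue of
records with a kind ("full" or "differential"), a timestamp, a hypothetical
store path, and a SHA-256 digest recorded in the manifest at write time.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class Backup:
    kind: str            # "full" or "differential"
    taken_at: datetime
    path: str            # hypothetical path in the backup store
    sha256: str          # digest recorded in the backup manifest at write time


def parse_time(text):
    """Parse an ISO-8601 timestamp such as '2024-04-17T09:30'."""
    return datetime.fromisoformat(text)


def restore_chain(catalogue, target):
    """Return the minimal list of backups needed to restore to `target`.

    Picks the latest full backup taken at or before `target`, then the latest
    differential taken after that full and at or before `target` (if any).
    A differential already includes all changes since its full, so earlier
    differentials are not needed. Raises ValueError if no full covers `target`.
    """
    fulls = [b for b in catalogue if b.kind == "full" and b.taken_at <= target]
    if not fulls:
        raise ValueError(f"no full backup at or before {target:%Y-%m-%d %H:%M}")
    base = max(fulls, key=lambda b: b.taken_at)
    diffs = [b for b in catalogue
             if b.kind == "differential" and base.taken_at < b.taken_at <= target]
    chain = [base]
    if diffs:
        chain.append(max(diffs, key=lambda b: b.taken_at))
    return chain


def verify_backup(backup, data):
    """Check bytes read back from the store against the manifest digest.

    A restore test that skips this step can "succeed" on a corrupted copy.
    """
    return hashlib.sha256(data).hexdigest() == backup.sha256


def data_loss_window(chain, target):
    """Hours between the newest backup in the chain and the restore target,
    i.e. the recovery point actually achieved for this restore."""
    newest = max(b.taken_at for b in chain)
    return (target - newest).total_seconds() / 3600


def build_sample_catalogue():
    """Constructed catalogue: full every Sunday 02:00, differential on other days."""
    start = datetime(2024, 4, 7, 2, 0)   # a Sunday
    catalogue = []
    for day in range(14):
        ts = start + timedelta(days=day)
        kind = "full" if ts.weekday() == 6 else "differential"
        payload = f"{kind}-{ts:%Y%m%d}".encode()   # stand-in for backup contents
        catalogue.append(Backup(kind, ts, f"/backup/db/{kind}-{ts:%Y%m%d}.bak",
                                hashlib.sha256(payload).hexdigest()))
    return catalogue


if __name__ == "__main__":
    cat = build_sample_catalogue()
    target = parse_time("2024-04-17T09:30")   # restore to a Wednesday morning
    chain = restore_chain(cat, target)
    for b in chain:
        print(f"{b.kind:12} {b.taken_at:%Y-%m-%d %H:%M}  {b.path}")
    print(f"data-loss window: {data_loss_window(chain, target):.1f} h")
```

For the constructed schedule, a restore to Wednesday 09:30 needs the Sunday full plus Wednesday's 02:00 differential, and the data-loss window is 7.5 hours; on a daily-differential schedule that window can never exceed one day plus the time of day of the restore point, which is the figure a restore test should record alongside the pass/fail result.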
 
 
2024 Information Security Management Resources and Implementation Results:

1. The annual information security review meeting was held in October.
2. Two internal audits were performed: 8 corrective action orders were issued, 100% of which have been closed.
3. The Information Security Incident Handling Group held 6 discussion meetings and 1 regular information security meeting during the year.
4. Training plan (information security professionals): 4 information security professionals attended professional information security courses, totaling 159 hours.
5. Training plan (non-information security personnel): 6 personnel attended information security-related courses, totaling 176 hours.
6. Education and training: 2 sessions were held, with 1,113 participants and 3,339 training hours in total, in line with the plan.
7. Social engineering test drills were conducted 3 times during the year, covering 340 people, with a success rate of 89.7%; those who failed have completed re-education training.
8. The inventory and check of information assets was conducted once. All scrapped information assets were physically destroyed in accordance with regulations and disposed of as waste.
9. The business continuity drill plan was executed 7 times, and the deficiencies found during the drills were corrected.
10. The backup data restore test was executed once, in Apr., in line with the plan.
11. Host vulnerability scanning was performed twice: 37 identified risks were remediated.
12. Host penetration testing was performed once: 4 findings were remediated.
13. A data security health check was performed once: 9 recommendations were made, 5 of which have been completed and 4 are being continuously improved.
14. The completion rate of this year's project plan is 75%; the results are as follows:
 A. MIS system upgrade: continuing the 2023 MIS system upgrade project, the Company continues the revision work.
  Result: Of the 17 legacy operating systems in MIS, one file server has been upgraded; the rest rely on the IDS, antivirus, and patching provided by Trend Micro Deep Security to strengthen local defense and reduce risk. The MIS revision has completed the rewrite of the connection architecture program; the rewrite of the program templates is under testing and correction, and the revision and upgrade plan continues.
 B. Portal website replacement: continuing the 2023 EIP system upgrade plan; the upgrade is expected to be completed in 2025.
  Result: A new EIP system has been purchased and is undergoing installation testing and system introduction. Launch is expected in the second quarter of 2025.
 C. Personal computer operating system update and upgrade project: continuing the replacement work planned in the previous year.
  Result: Completed in the first quarter.
 D. Network equipment replacement: in response to information security needs, old network equipment is replaced year by year to gradually strengthen internal network security control.
  Result: The order was placed in Dec. and delivery is expected in the first quarter of 2025, subject to the manufacturer's order conditions.
 E. Information security threat detection management: introduced in response to the requirements of ISO27001:2022.
  Result: In Oct., the Company signed a one-year contract with CHT Security Co., Ltd. for information and communications security threat detection and management (SOC) services, enhancing the Company's threat detection capability.
 F. Official document system upgrade: the official document system has been in use for nearly 10 years. To strengthen information security management, the upgrade of the related operating system was expected to be completed in the first quarter of the year.
  Result: The upgrade and revision work was completed in Jan., enhancing the security of the system.
 G. Information asset management system: to strengthen the security control of information assets, an information asset management system is to be introduced to effectively control the security management of personal computers, which account for most of the nodes relevant to information security.
  Result: A subscription to the Shock Wall system was signed in Nov. to control most information nodes and perform security management.
 H. ISO27001 revised certification: since a new version of the ISO27001 standard has been released, the standard has been revised from "ISO27001:2013" to "ISO27001:2022". Certification against the new version was planned for 2024; the Company revised the relevant manuals and added the measures necessary to comply with the new version.
  Result: The Company passed ISO27001:2022 certification in Oct. The certification is valid until Nov. 2027.

 

Annual Plan for 2025

Project Plan

1. MIS system upgrade: continuing the 2023 MIS system upgrade project, the Company will continue the revision work.
2. Portal website replacement: continuing the 2023 EIP system upgrade plan; the system has been purchased, construction of the new system is under way, and launch is expected in the second quarter.
3. Personal computer replacement project: the Company has nearly 900 personal computers and laptops and plans to replace them annually over 7 years, with about 150 old computers replaced each year.
4. Network equipment replacement: in response to information security needs, the Company replaces old network equipment year by year to gradually strengthen internal network security management and control. The Chief Information Security Officer has requested that the replacement be accelerated; about 50 old network devices are expected to be retired each year.
5. Purchase of new storage equipment: additional storage equipment will be purchased in response to system revisions and the growing volume of data.
6. Purchase of additional endpoint protection software: in view of the increasing intensity of information security threats, additional endpoint protection software will be purchased to strengthen host protection.
7. Purchase of a file encryption system: a file encryption system is required to maintain the security of important confidential files.

 

Routine Plan

1. Annual education and training.
2. Annual social engineering drill.
3. Host vulnerability scanning.
4. Account review.
5. Business continuity drill.
6. Data backup and storage.
7. Information and communication security review meeting.
8. Asset inventory.