Information Security Policy and Management

In July 2021, the Company established the Information Security Committee, with the Vice President of the President's Office serving as its Director. Following the information security policy, the Committee regularly establishes and reviews guidelines and goals for information security management and supervises the implementation of the information security policy. The aim is to build the Company's capability to secure its information and to cultivate employees' information security competence. At the beginning of each year, the implementation of the information security policy during the previous year is reported to the Board of Directors. The information security report for 2023 was submitted to the Board of Directors on Feb. 29, 2024.
The Company obtained ISO27001 certification and was awarded the certificate in Nov. 2021. The certificate is valid until Nov. 2024; the Company completed and passed this year's ISO27001 renewal assessment in Nov. 2023 and continues to strengthen its information security management. In Sep. 2022 the Company passed the "Defense Industry Development Act-listed military product manufacturer level certification", and in June 2023 it completed this year's "Periodic Safety Review of Military Products Manufacturers Scheduled by the Ministry of National Defense".

 
ISO27001 Certificate (Valid from Nov. 26, 2021 to Nov. 25, 2024)
[ISO27001 certificate images: Chinese and English versions]

Organizational Structure of Information Security Committee
The Vice President of the President's Office serves as the Director of the Committee. Committee members: the Vice President of the President's Office, the Vice President of Military Aircraft, the Vice President of Helicopter, the Chief of the Chairman's Office, the Director of each Division of the Military Aircraft Business Division, the Director of Administration, the Director of Quality Assurance, the Director of Accounting & Financial Planning, the Director of Procurement, and the Manager of Information Management; the Director of Administration serves as the Executive Secretary.
[Organizational chart of the Information Security Committee]
Information Communication Security Management Policy
Purpose
Air Asia Co., Ltd. (hereafter referred to as "the Company") aims to ensure secure and stable information operations, provide reliable information and communication services, ensure the confidentiality, integrity and availability of its information assets, and promote its business smoothly in fulfilment of the ISO27001 international standard. The Company has therefore established this information security policy (hereafter referred to as "the policy") as its top-level guideline, detailed as follows.
Goals
(1) To ensure the confidentiality of the Company's business and protect confidential information of the country and of individuals.
(2) To ensure the integrity and availability of information related to the Company's business, and to enhance administrative efficiency and quality.
(3) To follow national policy and to enhance the Company's capability to ensure information security.
(4) To follow national and Company regulations, and to keep the business operating smoothly.
Strategy
(1) Integrate relevant laws, regulations and operational requirements, and evaluate the needs of information security work, in order to establish standard procedures that ensure the confidentiality, integrity and availability of the Company's information assets.
(2) Establish the Company's information security organization and assign duties so that information security work is implemented smoothly.
(3) Follow the Regulations on Classification of Cyber Security Responsibility Levels in carrying out the matters required.
(4) Establish regulations on the notification of and response to cyber security incidents, so as to ensure proper response to, containment of and handling of information security incidents.
(5) Audit information security regularly to ensure that information security management measures are implemented.
Review
The policy is approved by the Director of Information Security and is evaluated at least once each year, or reconsidered when a major organizational change occurs (e.g. reorganization or major changes in business). Appropriate amendments are made according to the result of the evaluation, relevant laws, and the latest developments in technology or the business environment.
 
Information Security Management Measures and Plans
Information security risk management measures are as follows:
Item / Specific management measures

Firewall protection
1. The firewall enforces connection rules that control every connection between the internal network and external networks.
2. A special connection requirement must be applied for through a CSR and is opened only after approval by the Division Director (it may be opened on a regular basis, or on a schedule under which information personnel open it only during a defined period).
3. The number of attacks recorded by the firewall is monitored and analyzed every month.

User network access control mechanisms
1. Anyone who needs to access the Internet must apply through a CSR, and access is opened only after approval by the Division Director.
2. Internet access control: in conjunction with the firewall settings, instant messaging software, web mail, cloud drives, and file transfer software and services cannot be used; audio and video websites such as YouTube may be used only after an application has been approved.

Email security control
1. Outbound mail passes through a mail filtering/logging system that automatically scans messages and provides threat protection. Potentially unsafe attachments and phishing emails are marked as spam by an automatic judgment mechanism, giving users an additional basis for deciding whether to accept a message. Messages are also scanned and protected by antivirus software on both the mail host and the user's computer.
2. The number and details of external emails sent and received are counted, abnormal sending and receiving patterns are monitored, and leakage of confidential information is prevented.

Website protection mechanism
The website is protected by a firewall device that blocks attacks from external networks.

Antivirus software
1. Multi-level antivirus operation reduces the chance of infection; the firewalls and the internal network computers use different antivirus systems.
2. Virus signatures of the antivirus software are updated immediately to reduce the risk of infection.

Internal network and wireless network control mechanism
1. The wireless network is separated into an internal network and an external network, and the internal and external networks are isolated from each other by VLAN.
2. The internal wireless network is restricted to approved business laptops and tablets by MAC address.
3. The external wireless network (available only in some areas) uses a connection key to serve the office connection needs of customer representatives and vendors in specific office areas.

Information computer room security management and control
1. Entry to and exit from the computer room must be registered, and entry is permitted only when accompanied by information personnel.
2. The computer room is equipped with a UPS uninterruptible power system that guarantees more than 30 minutes of reserve power during an abnormal power outage, giving information personnel time to shut down the servers properly and protect the server systems from failures caused by power loss.

High availability backup mechanism
The host systems run under VMware virtualization management, with a high-availability mechanism backed by complete storage area systems in two computer rooms, so that each main host is highly available and system operation can be restored in the shortest time when a system fails.

Backup mechanism
1. The information system database receives a weekly full backup and a daily differential backup.
2. The program files of the information system and the files on the file server are fully backed up every day.

Operating system update
Major and security updates for the operating system are distributed and installed automatically on the Company's computers by a WSUS host. Any computer that is not updated for whatever reason is updated by the Information Management Dept.

User account/privilege management
1. A user account must be applied for through a CSR and approved by the Division Director before it can be used.
2. Users are divided into the smallest units for authority control, so that permissions are granted at the finest practical granularity.
3. A project management directory must be approved by the Division Director and the Project Manager before it is created. Access rights to it are applied for through a CSR and granted after approval by the Project Manager.

USB disk access control
1. General user computers prohibit the use of USB devices by default.
2. If a USB device is required for business use, the CSR application must be approved level by level up to the President.
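The backup mechanism listed above (a weekly full backup plus a daily differential backup of the database) and the backup restore test reported in the 2023 results raise a practical question: which backup sets must exist for a restore to a given day to succeed? The following is an added illustration, not the Company's code or tooling. It builds a constructed two-week catalogue for such a schedule, computes the restore chain for a target date, reports how many days of changes would be lost, and performs the check a restore test needs: whether the required sets are actually present in storage. All file names, dates and the catalogue format are assumptions made for the example.

```python
# Added example (not the Company's code): restore-chain calculation for a
# weekly-full / daily-differential backup scheme.  A differential backup holds
# every change since the most recent FULL backup, so a restore needs exactly
# two sets: the latest full taken on or before the target date, and the latest
# differential taken after that full and on or before the target.  A restore
# test is only meaningful if both sets can be located, so the check below also
# reports which required sets are missing from storage.
# All names, dates and the catalogue layout are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Set


@dataclass(frozen=True)
class BackupSet:
    taken: date   # calendar day the set was written
    kind: str     # "full" or "diff"
    name: str     # file name of the set in backup storage (constructed)


def generate_schedule(start: date, days: int, full_weekday: int = 6) -> List[BackupSet]:
    """Build the catalogue that a weekly-full / daily-differential schedule
    produces over `days` consecutive days.  `full_weekday` follows Python's
    weekday() convention (Monday = 0 ... Sunday = 6)."""
    catalogue = []
    for i in range(days):
        day = start + timedelta(days=i)
        kind = "full" if day.weekday() == full_weekday else "diff"
        catalogue.append(BackupSet(day, kind, f"db_{kind}_{day.isoformat()}.bak"))
    return catalogue


def restore_chain(catalogue: Iterable[BackupSet], target: date) -> List[BackupSet]:
    """Return, in apply order, the sets needed to restore the database to the
    state captured on `target` (or the latest state captured before it)."""
    catalogue = list(catalogue)
    fulls = [s for s in catalogue if s.kind == "full" and s.taken <= target]
    if not fulls:
        # Without a full backup there is no base to apply a differential to.
        raise ValueError(f"no full backup on or before {target}; restore is impossible")
    base = max(fulls, key=lambda s: s.taken)
    # Only differentials taken AFTER the chosen full belong to its chain; earlier
    # ones belong to the previous week.  Each differential already contains every
    # change since the full, so only the newest eligible one is applied.
    diffs = [s for s in catalogue if s.kind == "diff" and base.taken < s.taken <= target]
    chain = [base]
    if diffs:
        chain.append(max(diffs, key=lambda s: s.taken))
    return chain


def achieved_rpo_days(catalogue: Iterable[BackupSet], target: date) -> int:
    """Days of changes lost when restoring to `target`: the gap between the
    target and the newest set in the chain (the recovery point actually reached)."""
    return (target - restore_chain(catalogue, target)[-1].taken).days


def missing_for_restore(catalogue: Iterable[BackupSet], target: date,
                        available: Set[str]) -> List[str]:
    """Restore-test check: names of required sets that are absent from
    `available`, the file names actually found in backup storage."""
    return [s.name for s in restore_chain(catalogue, target) if s.name not in available]


if __name__ == "__main__":
    # Constructed two-week catalogue: 2023-10-01 is a Sunday, so fulls land on
    # 1 Oct and 8 Oct and every other day receives a differential.
    cat = generate_schedule(date(2023, 10, 1), 14)
    for target in (date(2023, 10, 8), date(2023, 10, 11), date(2023, 10, 20)):
        chain = restore_chain(cat, target)
        print(target, "->", [s.name for s in chain],
              f"(data loss: {achieved_rpo_days(cat, target)} day(s))")
    # Simulate a restore test in which the weekly full has vanished from storage.
    on_disk = {s.name for s in cat} - {"db_full_2023-10-08.bak"}
    print("missing for 2023-10-11:", missing_for_restore(cat, date(2023, 10, 11), on_disk))
```

The design point worth noticing is the one a restore test exercises: a differential scheme keeps the chain short (two sets) at the cost of growing differentials through the week, but the loss of a single weekly full breaks every restore point in that week, which is why the check reports missing sets rather than assuming the catalogue reflects storage.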
 
 
2023 Information Security Management Resources and Implementation Results:

1. The annual information security review meeting was held in October.
2. Internal audits were performed 2 times: a total of 8 correction orders were issued, 100% of which were remediated.
3. Information Security Incident Handling Group discussion meetings were held 6 times during the year.
4. Training plan (information security professionals): 4 information security professionals attended professional courses related to information security, totaling 460 hours.
5. Training plan (non-information security personnel): 6 personnel attended information security-related courses, totaling 555 hours.
6. Education and training: a total of 2 sessions were held, with 1,314 participants and 3,681 hours in total, in line with the plan.
7. Social engineering test drills are conducted twice a year: a total of 212 people took part, with a success rate of 94.8%. Those who failed have completed re-education training.
8. An inventory and check of information assets is conducted once a year. All scrapped information assets were physically destroyed in accordance with regulations and were removed and transported according to the waste treatment procedure.
9. The business continuity drill plan was executed 6 times, and the deficiencies discovered during the drills were corrected.
10. Backup data restore test: executed once each in July 2023 and October 2023.
11. Host vulnerability scanning was performed twice: a total of 66 vulnerabilities were remediated.
12. Host penetration testing was performed once: a total of 43 programs and 4 weaknesses were remediated.
13. A data security health check was performed once: 5 suggestions were made, 4 of which have been completed and 1 is under continuous improvement.
14. The completion rate of this year's project plan is 65%; the results are as follows:
 A. To strengthen information security protection and monitoring, a log server was to be purchased to facilitate the monitoring and storage of the log records of each device and user.
  Result: Completed, and officially put into use in January 2023.
 B. To enhance personal computer security and avoid vulnerabilities in old operating systems, personal computer operating systems were to be replaced.
  Result: 270 new personal computers were purchased to eliminate old computers that did not meet specifications; another 105 personal computers were upgraded in place with additional memory. Completion progress is about 80%, and completion is expected in the first quarter of 2024.
 C. To prevent hacker attacks, two-factor authentication was introduced to strengthen information security protection against malicious attacks and reduce information security risk.
  Result: Completed and officially implemented in early October 2023.
 D. MIS host revision and upgrade plan.
  Result: There are 17 old MIS operating systems in total, of which 1 file server has been upgraded so far. The remaining systems that have not yet been updated have the IDS/antivirus/patches provided by the Trend Micro Deep Security system installed to strengthen local defense and reduce risk.
  A preliminary assessment of the progress of the MIS revision has been completed and an order has been placed for the relevant software; the MIS revision and upgrade plan will continue next year.
 E. EIP host upgrade plan: whether to buy out the system or move it to the cloud was to be evaluated.
  Result: Because of the security standards of the military product level certification, cloud operations are not used. Five suppliers have so far been interviewed for evaluation, and this project will continue into 2024.

 

Annual Plan for 2024

Project Plan

1. MIS system upgrade: continuing the 2023 MIS system upgrade project, the Company will carry on with the revision work.
2. Portal website replacement: continuing the 2023 EIP system upgrade plan; the upgrade is expected to be completed this year.
3. Personal computer operating system update and upgrade project: continue the replacement work planned in the previous year.
4. Network equipment replacement: in response to information security needs, old network equipment is replaced year by year to gradually strengthen internal network security control.
5. Information security threat detection management: in response to the requirements of ISO27001:2022, information security threat detection management is introduced.
6. Official document system upgrade: the official document system has been in use for nearly 10 years. To strengthen information security management during this period, the upgrade of the related operating system is expected to be completed in the first quarter of this year.
7. Information asset management system: to strengthen the security control of information assets, an information asset management system is expected to be introduced to effectively manage the security of personal computers, which account for most of the nodes relevant to information security.
8. ISO27001 certification to the revised standard: ISO27001 has been revised from the original "ISO27001:2013" to "ISO27001:2022". Certification to the new version of the standard is expected in 2024; the Company will revise the relevant manuals and add the measures necessary to comply with the new version.

 

Routine Plan

1. Annual education and training.
2. Annual social engineering drill.
3. Host vulnerability scanning.
4. Account review.
5. Business continuity drill.
6. Data backup and storage.
7. Information and communication security review meeting.
8. Asset inventory.