Information Security Policy and Management

In Jul. 2021, the Company established the Information Security Committee, with the Vice President serving as Director. In accordance with the information security policy, the Committee regularly establishes and reviews information security management guidelines and goals and supervises the implementation of the policy. The aim is to build the Company's capability to ensure the security of information and to cultivate employees' information security competence. At the beginning of each year, we report to the Board of Directors on the implementation of the information security policy in the previous year. The information security report for 2025 was submitted to the Board of Directors on Mar. 4, 2026.
The Company obtained ISO27001:2022 certification in Oct. 2024, valid until Nov. 2027. We successfully completed the first surveillance audit in Oct. 2025 and continue to strengthen our information and communication security management. The annual review under the "Periodic Safety Review of Military Products Manufacturers Scheduled by the Ministry of National Defense" was completed in Nov. 2025.

ISO27001 Certificate (Valid from Nov. 26, 2021 to Nov. 25, 2027)
Organizational Structure of Information Security Committee
The Chief Information Security Officer (CISO) is appointed by the Board of Directors from among executives at the level of Vice President or higher. The CISO serves as the chairperson, and the Company’s Vice Presidents and all Tier 1 unit supervisors are mandatory members of this committee.
This body is the highest decision-making unit for the Company's information security management system and is primarily responsible for establishing, promoting, supervising, and managing information security initiatives. The Director of the Administration Division acts as the Executive Secretary.
Information Communication Security Management Policy
Purpose
Air Asia Co., Ltd. (hereafter referred to as "the Company") aims to ensure secure and stable information operations, provide reliable information and communication services, ensure the confidentiality, integrity, and availability of its information assets, and deliver its services smoothly in compliance with the ISO27001 international standard. The Company has therefore established this information security policy (hereafter referred to as "the policy") as its top-level guideline, detailed as follows.
Basic Principles
(1) Ensure the confidentiality of the Company's relevant information to prevent the leakage of national secrets, business secrets, and personal data.
(2) Ensure the integrity and availability of the Company's information assets to enhance corporate performance.
(3) Coordinate with information security intelligence analysis and available resources to enhance information security protection capabilities.
(4) Ensure that information assets can be quickly restored after an information security incident, minimizing business interruption and achieving business continuity objectives.
(5) Comply with relevant national laws, regulations, industry standards, and contractual obligations to ensure all applicable norms and requirements are met.
(6) Enhance relevant personnel's awareness of and focus on information security, cultivating sound information security understanding and habits.
(7) Continuously improve the Information Security Management System (ISMS) to ensure its ongoing effective operation at all levels.
Policy
Strengthen defense with rigorous testing.
Enhance awareness with professional training.
Manage risks through audits and reviews.
Improve continuously to stop ransomware.
Objectives
(1) Essential Cyber Defense: set protection coverage rates for information assets, including endpoints and firewalls.
(2) Rigorous Testing: set the remediation rate for medium- and high-risk vulnerabilities.
(3) Thorough Social Engineering Drills: set the click-through rate for annual social engineering testing reports.
(4) High-Standard Professional Training: set the required training hours for dedicated information security personnel.
(5) Proper Risk Assessment and Mitigation: set the annual availability rate for critical information systems.
(6) Internal Audit and Management Review: set the number of major and minor non-conformities found in annual internal audits.
(7) Excellence through Continuous Improvement: set the closure rate for annual Corrective Action Requests (CARs).
(8) Robust Protection Against Ransomware: set the success rate of backup and recovery tests.
Review
The policy is approved by the Director of Information Security. It shall be evaluated at least once each year, or reconsidered when a major organizational change occurs (e.g., an organizational adjustment or a major change in business). Appropriate amendments shall be made according to the results of the evaluation, relevant laws, and the latest developments in technology or the business environment.
Information Security Management Measures and Plans
Information security risk management measures are as follows:
Firewall protection
1. Firewall connection rules are configured to manage all inbound and outbound connections between the internal and external networks.
2. Special connection requirements must be submitted via a CSR. Access privileges are granted on the principle of least privilege. The connection is opened only after approval by the Tier 1 unit supervisor and confirmation by the Information & Cyber Security Dep. that the request is sound.
3. The number of firewall attacks is monitored and analyzed every month.

User network access control mechanisms
1. Personnel requiring internet access must submit an application using the "Information Security Authorization Request Form" via a CSR. Access is granted only upon approval by the Tier 1 unit supervisor.
2. Internet access control: in conjunction with the firewall settings, instant messaging software, web mail, cloud drives, and file transfer software and services cannot be used; audio and video websites such as YouTube may be used only after an application has been approved.

Email security control
1. Outbound mail passes through a mail filtering/logging system that automatically scans messages and applies threat protection. Potentially unsafe attachments and phishing emails are automatically flagged as spam, giving users an additional basis for deciding whether to accept them. Emails are also scanned and protected by antivirus software on both the mail host and the user endpoints.
2. The number and details of external emails sent and received are counted, abnormal sending and receiving patterns are monitored, and leakage of confidential information is prevented.

Website protection mechanism
The website is protected by a firewall device that blocks external network attacks.

Antivirus software
All servers are equipped with CrowdStrike endpoint protection software. Built on a cloud-native, AI-driven architecture, it integrates next-generation antivirus (NGAV), endpoint detection and response (EDR), behavioral analysis, and threat intelligence, allowing real-time detection of and response to malicious activity and effectively enhancing endpoint security.

Internal network and wireless network control mechanism
1. The wireless network is divided into an internal network and an external network, which are isolated from each other by VLAN.
2. The internal wireless network is restricted to approved business laptops and tablets by MAC address.
3. The external wireless network (open only in some areas) uses a connection key to meet the office connectivity needs of customer representatives and vendors in specific office areas.

Computer room security management and control
1. Registration is required to enter and exit the computer room, and entry is permitted only when accompanied by information security personnel.
2. The computer room is equipped with an uninterruptible power supply (UPS) that guarantees more than 30 minutes of reserve power in the event of an abnormal power outage, allowing information security personnel to shut down the servers and protect the server systems from failure caused by the outage.

High availability backup mechanism
Host systems are managed using VMware virtualization. A High Availability (HA) failover mechanism is implemented across two data centers using paired storage systems, ensuring that system operations can be restored in the shortest possible time in the event of a failure.

Backup mechanism
1. The information system database is backed up with a weekly full backup and a daily differential backup.
2. Files on the information system program and file servers are fully backed up every day.

Operating system update
Major and security updates for the operating system are distributed and installed automatically on the Company's computers through the WSUS host's automatic update system. For computers not updated for any reason, the Information & Cyber Security Dep. assists in performing the update.

User account/privilege management
1. User accounts must be requested via a CSR and can be created and used only after final approval by the Tier 1 unit supervisor.
2. Users are managed in groups based on the Company's organizational structure, and access privileges are assigned according to their job responsibilities.
3. Project management directories may be established only upon final approval by both the Tier 1 unit supervisor and the Project Manager. Access privileges must be requested via a CSR and are granted after approval by the Project Manager.

USB disk access control
1. General user computers are configured via GPO (Group Policy Object) to prohibit the use of USB devices.
2. If a USB device is required for business use, the CSR application must be approved level by level up to the President.
2025 Information Security Management Resources and Implementation Results of Various Works:

1. An annual information security review meeting was held in October.
2. Internal audits were performed twice; all 10 Corrective Action Requests (CARs) (100%) were resolved and closed.
3. A total of 4 routine information and communication security meetings were held during the year.
4. Training plan (information security professionals): 4 information security professionals attended professional courses related to information security, totaling 159 hours.
5. Training plan (non-information security personnel): 6 personnel attended information security-related courses, totaling 176 hours.
6. General Information and Communication Security Awareness Training: 2 sessions were held (including online courses), with 1,172 participants and a total of 3,516 training hours, meeting the established plan objectives.
7. Social engineering test drills were conducted 3 times during the year: 1,295 participants were recorded, 309 of whom failed the test, giving a click-through rate of 23%. All personnel who failed have completed remedial training.
8. An inventory and check of information assets was conducted once. All scrapped information assets were physically destroyed in accordance with regulations and were cleared and transported as waste according to the waste treatment procedure.
9. The business continuity drill plan was executed 7 times, and the deficiencies discovered during the drills were corrected.
10. A backup data restore test was executed once, in accordance with the plan.
11. Host vulnerability scanning was performed twice; a total of 37 risks were remediated.
12. Host penetration testing was performed once; after excluding false positives, no medium- or high-risk vulnerabilities remained.
13. A data security health check was performed once; 9 recommendations were proposed, and the corresponding improvement measures have been implemented.
14. 7 account privilege reviews were conducted, covering both standard and privileged accounts across all systems. A total of 151 accounts were deactivated, and 41 accounts that had not logged in for over a year were closed.
15. The implementation status of this year's project plans is as follows:
 A. MIS System Upgrade: a continuation of the 2023 MIS system upgrade project. Because efforts were prioritized on accelerating the development of portal website workflow programs, the upgrade has been temporarily suspended.
  Result: A total of 17 legacy operating systems remain in the MIS environment. One file server has been successfully upgraded; the others cannot be directly upgraded because of their legacy program architecture. As a mitigation, standalone CrowdStrike endpoint protection has been installed on them to reinforce local defense and minimize risk. Regarding the MIS version upgrade, the rewrite of the connection architecture and the testing and correction of program templates have been completed. Once the portal website workflow programs are completed, the upgrade and migration will continue.
 B. Portal Website Replacement: a continuation of the 2023 EIP (Enterprise Information Portal) system upgrade project.
  Result: The new EIP system has been procured. We are currently accelerating the development of portal website workflow programs and system implementation, with a scheduled launch by the end of the first quarter of 2026.
 C. PC Replacement Project: replacement of legacy computers.
  Result: Completed in accordance with the plan.
 D. Network Equipment Replacement: in response to information security needs, old network equipment is replaced year by year to gradually strengthen internal network security control.
  Result: Over 40 units of legacy or Chinese-made network equipment have been replaced; replacement of the remaining units is in progress.
 E. Procurement of New Storage Equipment: to support system upgrades and the increasing volume of data, additional storage equipment has been procured.
  Result: The additional procurement has been completed, meeting the expected objectives.
 F. Additional Procurement of Endpoint Protection Software: in response to the increasing intensity of cybersecurity threats, additional endpoint protection software has been procured to strengthen server and host defense.
  Result: A total of 800 additional licenses of endpoint protection software were procured this year, meeting the project objectives.
 G. Procurement of File Encryption System: to maintain the security and confidentiality of critical sensitive data.
  Result: This year, we conducted functional testing and technical evaluations with relevant vendors. However, because compliance with FIPS standards under CMMC regulations is required, we are still in the process of identifying a compliant vendor.


Annual Plan for 2026

Project Plan

1. MIS System Upgrade: a continuation of the 2023 MIS system upgrade project; version update operations will proceed as planned.
2. Portal Website Replacement: a continuation of the 2023 EIP system upgrade project. We are currently accelerating the development of portal workflow programs and system implementation, with a scheduled go-live by the end of Q1 2026.
3. PC Refresh Program: continued replacement of legacy and outdated computers.
4. Procurement of File Encryption System: to safeguard the security and confidentiality of critical sensitive files.
5. Office Software Upgrade: to comply with the security requirements for information processing environments and supporting systems under ISO/IEC 27001, maintaining the effectiveness of system updates and security controls.
6. CMMC Level 1 Certification Planning: in response to future business opportunities in defense and related industries, we plan to obtain CMMC Level 1 certification in 2026 to enhance the Company's competitiveness in participating in relevant projects.
7. Energy Storage System (ESS) Implementation Evaluation: to improve the information systems' ability to respond to contingencies (such as power outages) and reduce the risk of business interruption, we are evaluating the implementation of energy storage systems. This aims to strengthen the business continuity of critical IT equipment and overall operational resilience.


Routine Plan

1. Annual education and training.
2. Annual social engineering drill.
3. Host vulnerability scanning.
4. Account review.
5. Business continuity drill.
6. Data backup and storage.
7. Information and communication security review meeting.
8. Asset inventory.