Annual Report 2019
Information Security & Privacy

Technological and digital solutions are an important element for us to drive sustainable business growth. However, fragmented cyberspace threatens the full potential of next-generation technologies and we have become particularly vulnerable to various forms of threats. Thus, proper precautionary action must be taken into consideration. The security of our information and intellectual property is managed by ensuring that relevant policies, guidelines and technology are up to date to effectively detect, assess, monitor and diminish cyber threats, as well as by ensuring our employees are aware and well-equipped to deal with the matter through relevant training programmes. There were no data privacy and information security breaches reported for the last three (3) years.

Information Technology Security Policy Manual
This policy serves to create an environment that will help protect AirAsia information resources and users from threats that could compromise privacy, productivity, reputation and intellectual property rights.

Data Governance Policy
• Outlines how business activity monitoring should be carried out to ensure organisational data is accurate, consistent and protected
• Defines the roles and responsibilities for management of information under various circumstances
• Specifies what procedures should be used to manage different types of data

User and Vendor Access Management SOP
This procedure establishes security requirements in controlling access to the information systems of AirAsia. It describes the mechanisms used to implement access controls and responsibilities to assure a high level of information security within AirAsia.

Server, Database, Network Hardening SOP
The objective of this document is to establish rules and procedures for hardening servers, database and network equipment.
The goal of this hardening procedure is as follows:
• Ensures a security baseline for all servers, database and network equipment in AirAsia
• Minimises server and IT related risks
• Complies with regulatory requirements

Information Technology Security Incident Response SOP
• Ensures operations recover quickly from information security incidents, minimising loss of information and disruption of services
• Protects AirAsia’s reputation and minimises loss of credibility to customers
• Provides technical guidelines on responding to incidents effectively and efficiently

Our Group Information Security, Group Information Communication Technology (“ICT”) and Group Security departments oversee the overall management of information security, IT security and system/application security, and physical security respectively. Below are some of the key initiatives we have taken to manage information security and privacy:
• Evaluations of the adequacy of controls for new information systems/applications
• Evaluations of emerging security technologies
• Promotion of security awareness in the organisation through security awareness programmes
• Assurance of the adequacy of security controls by coordinating security reviews such as penetration testing and vulnerability assessments

Key Cyber-Security Training Programmes

Programme                                      Frequency of Training
Certified Cyber Security Practitioner          One time
IATA Aviation Cyber Security                   One time
Information Security Awareness (Mandatory)     Online with biennial refreshers

ECONOMIC 140 MORE THAN JUST AN AIRLINE > SUSTAINABILITY STATEMENT (CONT’D)