Annual Report 2020
Data Governance Policy

This policy clearly outlines the following:
• How business activity monitoring should be carried out to ensure organisational data is accurate, accessible, consistent and protected
• Roles and responsibilities for management of information under various circumstances
• Procedures to manage and protect different types of data
• Compliance with applicable laws, regulations and standards
• Documentation of data trails within the processes associated with accessing, retrieving, exchanging, reporting, managing and storing of data

Currently, our Group Information Security and Information Communication Technology (ICT) Departments are responsible for guiding IT activities across the Group, and for establishing and maintaining IT policies, a security services framework, standards, guidelines, procedures, roles and responsibilities to manage our increasingly complex network. In collaboration with our Risk Department, compliance checks are undertaken to ensure best practices/industry-recognised standards are adhered to. Each business unit, meanwhile, is accountable for the IT system(s) and data used, and for having the correct access rights assigned to users.

Information Security Policy

In 2020, we revised our IT Security Policy into the Information Security Policy. The policy is designed to protect AirAsia information resources, and hence the Group’s reputation, legal position and ability to conduct its operations. Among other things, it provides guidelines for IT users in AirAsia on how to use their laptops and other devices safely. This encompasses a range of activities, from downloading apps or data to using emails and AirAsia’s social media platforms.

Access Control Policy

Issued in March 2020, the Access Control Policy supersedes our User and Vendor Access Management SOP. It serves to implement access controls across AirAsia’s networks, information systems and services to protect data confidentiality, integrity and availability.
Access control systems are in place to protect the interests of all authorised users of AirAsia information systems, as well as data provided by third parties, by creating a safe, secure and accessible environment in which to work. Only users with IDs are authorised to access information on AirAsia’s systems.

Server, Database, Network Hardening SOPs

Issued in June 2020, these SOPs outline rules and procedures for hardening (or further protecting) servers, databases and network equipment in order to create a security baseline for all servers, databases and network equipment in AirAsia, thus minimising IT-related risks.

Information Security Incident Response SOPs

These SOPs provide technical guidelines on effective and efficient response to incidents, ensuring the quick recovery of operations while minimising loss of information and service disruption.

Each year, mandatory training on Information Security Awareness is carried out in line with our commitment to ISO 27001: Information Security Management System.

Note: There was no breach of data policies during the year that warranted notification to the Personal Data Protection Commissioner.

In 2021, we seek to maintain compliance with ISO 27001 and the Payment Card Industry Data Security Standard (PCI DSS). We also plan to entrench data privacy principles into our data lifecycle and data management procedures.