Sustainability Report 2022

102 O N E R E P O R T 2 0 2 2 OVERVIEW BUSINESS OVERVIEW AND PERFORMANCE CORPORATE GOVERNANCE FINANCIAL INFORMATION SUSTAINABLE BUSINESS DEVELOPMENT Access to internal and external data recorded by the Company in digital form is conditionally restricted and requires passwords set according to the data level. All data must be kept on equipment or servers authorised by AirAsia Group Information Security. For Thai AirAsia, the ICT Department installs, manages, inspects and remedies any issues involving data usage and Company information technology. The Company’s information security policy was developed from the main measures in the Information Security Management System section of ISO 27001, which guides and supports organisations to understand the risks and vulnerable points of protected data systems, as well as the Payment Card Industry Data Security Standard (PCI DSS), a standard for improving payment security that is overseen by the PCI Security Standards Council (PCI SSC). Cyber Security Management Inpreparationagainst ever-changingcyber threats, Thai AirAsia constructed a process for annually reviewing, developing, and testing data security and implemented measures to defend against cyber-attacks based on evaluations of the present state and emerging risk factors. Moreover, AirAsia Group cooperated with Google to build a Cloud-based data security system. Constant monitoring for security breaches is carried out by the Information Security Department, which has set protocols for the reporting and resolving of issues in the following manner: Information Security Management and Framework Thai AirAsia manages information security according to the Standard Operating Procedures (SOPs) of AirAsia Group, which categorises data as follows: 1 2 4 3 Data Levels Data available to all parties involved or related to Thai AirAsia. Sensitive data only for internal use. Data that would result in severe effects towards the business if leaked or that is restricted by confidentiality agreements with clients or partners. Data under legal or contractual regulation or data that could affect the business if leaked. Public Internal Confidential Restricted 1 2 3 Data Type Customer Data [C] Service Data [S] Company or AirAsia Data [A] Personal customer data or date in which the customer has identified themselves. Data used in the conducting of business. Data and sensitive information of Thai AirAsia.

RkJQdWJsaXNoZXIy ODEyMzQ3