One Report 2022

Cyber Security Operation and Maintenance

1. Operation and Maintenance

Thai AirAsia has the Group Information Security body, established under Capital A and led by the Chief Information Security Officer (CISO), to oversee cyber security and delineate operations by priority to the Company. Its duties include:

1. Evaluation and management of new systems/applications
2. Evaluation of new technology security
3. Inspection and monitoring of server and network security
4. Inspection of computer security incidents and management of major security incidents
5. Security management and protection of group data property
6. Security awareness promotion through training
7. Security endorsement and management through checks such as hacking tests and vulnerability assessments

Internal information communication services are divided into three areas of responsibility: ICT Server, ICT Network and ICT Desktop. Each area must meet its own KPIs:

1.1. KPI System Target: All Company systems must be ready for operation. Server Availability must be no lower than 97 percent each month.

1.2. KPI Network Target: Network connections must be ready for operation and connected to AirAsia Group systems for continual operation. Network Availability must be no lower than 97 percent each month.

1.3. KPI Support Target: ICT issues must be resolved within the timeframe of their priority. Timely resolutions must be no lower than 97 percent each month. Resolution timeframes are as follows:

Priority 1 issues must be resolved within 3 hours
Priority 2 issues must be resolved within 1 day
Priority 3 issues must be resolved within 3 days
Priority 4 issues must be resolved within 5 days

2. Information Security Training for Employees

Thai AirAsia provides "Information Security Awareness" materials to employees for their understanding and awareness of the importance of information security. All employees must undergo training in this topic at the start of their employment and are then notified to undergo a review once annually. Each employee receives at least one hour of information security training each year. A source for further study of information security is also provided for the better understanding of employees. In 2022, 70 percent of all employees were trained on the Information Security topic.

Information Security Awareness Education 2022 Roadmap

- What is information security, information and/or data?
- Characteristics: CIA
- Importance of data
- Building blocks to protect information/data
- PCI DSS & ISO 27001
- Type of data and level of sensitivity
- Data classification
- Data handling
- Data disclosure to external parties
- Acceptable use
- Use of corporate email
- Use of corporate internet
- Use of personal devices for work
- Proper handling of passwords
- Password management
- Proper handling of credit card data
- Data privacy principles
- Access Control Policy & Data Governance Policy
- Good information security habits
- Reporting information security incidents