Information Security Policy

EVA Air Information Security Policy

Last updated on 2 Jan, 2025

1. Purpose

EVA Air (hereinafter, the “company”) formulates this policy based on the company's business needs to ensure the confidentiality, integrity, and availability of information assets, and to guard against internal or external threats, whether intentional or accidental.

2. Scope

This policy applies to all information processing operations and environments within the company, encompassing various control domains such as organization, personnel, physical facilities, and technology.

3. Applicable Personnel

(1). All personnel of the company, business-related suppliers and their employees, temporary employees, etc., shall abide by the rules and procedures of this policy and relevant management mechanisms.

(2). Any violation of information security regulations by the above-mentioned personnel shall be subject to disciplinary action pursuant to the company's management regulations or governed by the relevant contractual agreements.

4. Objectives

The company's information security objectives are to ensure the following:

(1). The confidentiality of the company's information assets and the implementation of data access control. Only authorized employees are granted access to data.

(2). The integrity of the company's information operations management, avoiding unauthorized modification.

(3). Business continuity, enabling the company to continue operating its information systems.

(4). Maintaining a high level of information security awareness among all personnel.

(5). Maintaining compliance with the information security requirements of the stakeholders.

5. Control Measures

(1). To ensure the adequate protection of all information and information assets, appropriate information security organizational controls shall be implemented. An information security management system shall be established, documented, implemented, and maintained to promote and maintain the related management, operational, and auditing activities, as well as continuous improvement of the system's effectiveness.

(2). Appropriate personnel control measures shall be implemented to ensure that job duties and responsibilities for all personnel involved in information security are clearly defined, assigned and communicated. All personnel shall possess the necessary expertise and awareness for their roles with segregated responsibilities.

(3). Physical access controls shall be implemented to ensure the safety of the working environments and to prevent the theft or damage of information assets.

(4). Technical controls shall be implemented to manage risks arising from vulnerabilities in information security.

(5). The management level shall commit to maintaining information security, continuously improving the quality of information security, reducing the occurrence of information security incidents, and safeguarding the interests of customers.

(6). Information security shall be integrated into the information project management life-cycle.

(7). This policy shall serve as a foundation for the development of specific information security management guidelines and regulations.

6. Policy Review

This policy shall be reviewed at least once a year to keep it in line with relevant laws and regulations and the latest developments in information business, and will be amended if necessary.