1. Purpose

EVA Air (hereinafter, the “company”) formulate this policy based on the company's business needs to ensure the confidentiality, integrity and availability of information assets, and to avoid internal or external intentional or accidental threats.

2. Applicable Object

(1). All personnel of the company, business related suppliers with its employees, temporary employees, visitors, etc., shall abide the rules and procedures of this policy and relevant management mechanisms.

(2). The company may impose disciplinary measures against its employees who violate information security regulations.

3. Scope

In accordance with personal data protection laws, the EU General Data Protection Rule (GDPR), related laws and cost-effectiveness considerations, information assets including hardware, software, data, documents, personnel, etc., are under appropriate protection measures to avoid human error, intentional or natural disasters and other factors causing improper use, leakage, tampering, and damage, and reduce the risks and harm they may bring. Therefore, the scope of information security management includes:

(1). Information Security Organization.

(2). Personnel safety and management.

(3). Asset classification and control.

(4). Awareness, education and training.

(5). Risk assessment management.

(7). Management and control of data privacy lifecycle.

(8). Physical and environmental security management.

(9). Communication and operational management.

(10). Access control.

(11). System development and maintenance.

(12). Preservation of records, audit trail and evidence.

(13). Technical vulnerability management.

(14).Business continuity management.

(15). Monitoring and auditing system on information security.

(16).Compliance with regulations and other information security requirements.

4. Information Security Objectives

The company's information security objectives are as follows to ensure:

(1). The confidentiality of the company's information assets and implementation of data access control. Only authorized employees are granted access to data.

(2). The integrity of the company's information operations management, and avoid unauthorized modification.

(3). The business continuity to enable the company to continue operations of its information systems.

5. Information Security Controls

(1). Establish a formal organization to oversee the operation of the information security management system, identify internal and external issues of the information security management system, and meet interested parties' requirements and expectations for the company's information security.

(2). The management level shall commit to maintaining information security, continuously improving the quality of information security, reducing the occurrence of information security incidents, and protecting the rights and interests of customers.

(3). Information security management system documents should be updated in a timely manner. An explicit management system to protect the records shall be implemented.

(4). Information asset classification and risk assessment shall be performed on a regular basis.

(5). All personnel of the company have the responsibility and obligation to protect the information assets they hold or use.

(6). Role assignment shall consider the segregation of duties and functions. The scope of personnel’s authorities and responsibilities shall be differentiated to prevent unauthorized modification or misuse of information or services.

(7). Suppliers and their employees, temporary employees, and visitors who need to access information assets of the company shall be reviewed and receive information security education and training. These personnel are also responsible for protecting company’s information assets.

(8). Develop business continuity plan for information operations according to business requirements, and conduct operation drills regularly.

(9). Regularly inspect information security indicators and control procedures to maintain the effectiveness of information security management system.

(10). Ensure the safety of the working environments to prevent the theft or damage of information assets.

(11). Implement effective management of communication security.

(12). The development, modification, and establishment of information operations or procedures must meet the requirements of information security objectives.

(13). Applicable objects of this policy should pay attention to information security incidents, security vulnerabilities, and tentative violations of security policies and regulations at any time, and should report in accordance with procedures.

(14). Comply to relevant internal and external laws and regulations, establish due control procedures, and regularly perform information security audit.

(15). Security measures of mobile devices shall be implemented to manage the risks caused by the use of mobile devices.

(16). Information security shall be addressed in project management of information operation.

This policy shall be reviewed at least once a year to comply with relevant laws and regulations and the latest developments in information business, and the policy will be amended if necessary.