Information Security

Basic Approach

In recent years, cyber attacks on the Internet have become more sophisticated on a global scale, and threats such as cyber terrorism using computer viruses, large-scale information leaks, and business email fraud are increasing.
As a corporate group responsible for the vital infrastructure of air transportation, our company has built an information security management system based on the ANA Group Information Security Management Rules Manual, and we routinely improve information system functions and take security measures through multilayered defenses. ANA Systems Co., Ltd., which handles security measures for ANA Group systems, has obtained ISO 27001 certification.

Declaration of Information Security

ANA Holdings Inc. (hereafter "ANAHD") and companies which are linked with ANAHD through ANA Group management rules (hereafter "ANA Group") are fully aware of the importance of protecting information assets, including the personal information of customers. Therefore, ANAHD and ANA Group take the following measures to ensure compliance with relevant regulations and technical standards, handle such information assets accurately, safely, and appropriately according to the risks involved, and prove to be worthy of stakeholders' trust.

  1. ANA Group strives to ensure the confidentiality, integrity, and availability of the information assets in its possession.
  2. ANA Group will not disclose any information assets unless there are reasonable requirements to do so (requested by law, etc.).
  3. ANA Group establishes a special organization to improve information security for the purpose of protecting information assets, sets out the measures to ensure information security in a manual, and continually works to maintain and improve information security by means of education, evaluation of effectiveness, and audits of compliance status.
  4. If any ANA Group executive or employee commits any act which impairs the confidentiality, integrity, and availability of any information asset, ANA Group will respond to such cases strictly according to established procedures.

Promotion System

The Group ESG Management Promotion Committee formulates and implements basic measures in accordance with the fundamental policy decided by the Board of Directors and the ANA Group Information Security Declaration, which states the ANA Group's basic stance on information security.
Each ANA department and Group company strives to ensure information security by having in place an ESG Promotion Leader (EPL) to actively promote it and an ESG Promotion Officer (EPO) to oversee its promotion.

Under the fundamental policy and principles of conduct determined by the Board of Directors, the “Group ESG Management Promotion Committee” formulates and proposes basic policies. The Group ESG Management Promotion Committee provides instructions and supervision to the Chief ESG Promotion Officer (Executive Officer in Charge of Group Risk & Compliance). If necessary, the ANAHD Group Internal Audit Department attends the Group ESG Management Promotion Committee as an observer. The secretariat is responsible for overall coordination and operation of the Group ESG Management Promotion Committee. The Group General Affairs Department assists the Chief ESG Promotion Officer. In addition, to prepare for incidents related to systems, a CSIRT (specialized team to respond to security incidents) is established under the Group IT Promotion Officer to ensure prompt response. In each company of the ANA Group, an ESG Promotion Leader is appointed under the ESG Promotion Officer. Furthermore, between the ESG Promotion Leader and Management and Employees, information owners (department managers) and system owners are placed to establish an information security promotion system.

Personal information is essential for providing ANA Group services, and we consider it an important asset entrusted to us by our customers. In the event of an incident involving information security, such as a breach of personal information, it is reported to the Group General Affairs Department through the ESG Promotion Leader of the department in charge. In the event of a serious incident, we will promptly establish a crisis response system as stipulated in the Crisis Management Manual and respond to emergencies in cooperation with related parties inside and outside the company. We established a Cyber Security Incident Response Team, a specialized team to respond to security issues, to ensure a timely response in the event of an incident.

Major Initiatives

Protection of Personal Information

In order to comply with national and international laws and regulations on the protection of personal data, the privacy policy and relevant internal rules are being modified, and the Amended Act on the Protection of Personal Information of Japan, as well as revisions to laws in other countries (e.g. the U.S., Europe, China, and Thailand), are being appropriately addressed. We also provide in-house training to each employee on the importance of protecting personal information and the need for strict handling of such information. In April 2023, the Privacy Governance Team was established as a dedicated governance structure to strengthen privacy governance in order to realize business development based not only on strict legal compliance but also on ethical appropriateness in the future use of data, including platform businesses utilizing customer data assets.

For more details, see Data & Privacy Governance.

Cybersecurity Measures

The ANA Group is designated as a critical infrastructure provider in Japan by the National Center of Incident Readiness and Strategy for Cybersecurity (NISC). We implement defense in depth in accordance with the guidelines formulated by related ministries. We monitor our security system 24 hours a day, 365 days a year. The use of intelligence (early warning information on cyberattacks) is extremely effective against cyberattacks as they become more sophisticated and cunning. The ANA Group utilizes preventive measures such as the Aviation ISAC (Information Sharing and Analysis Center) and the Transportation ISAC JAPAN, as well as Dark-Web research. We also introduced the Zero-Trust concept to defend against attacks and ensure reliability by verifying the person operating the system, the equipment generating the communication, and the system processing.

In light of recent cybersecurity incidents at other companies, there is a growing need to strengthen not only the ANA Group security measures but also the defense of our entire supply chain. We will strengthen cooperation with related ministries, Keidanren (Japan Business Federation), and other related agencies to spread awareness of the need to strengthen security. Our top material issue is to address the visualization of the IT assets of each company in the ANA Group supply chain. We identify issues and vulnerabilities by managing attack surfaces, which are the points of external attack at each group company. Any issues and vulnerabilities discovered are prioritized, and each group company is kept closely informed and consulted so that it can take the necessary countermeasures.

Information security advisories and refresher training materials are regularly posted on our website for employees to help develop security human resources, and we raise employee awareness of security through their daily operations and +Security training. The development of human resources specializing in security is an urgent issue. In addition to continuing to hire experienced personnel, we work to develop security supervisory personnel by recruiting transfers from other departments and having them attend specialized security training.

As for legal compliance, we respond in turn to privacy laws and regulations in each country. In Japan, we work closely with the national government, Keidanren, and other related organizations to promote the various IT systems and cybersecurity measures required by the Economic Security Promotion Act.

Implementation of Education

In order to understand the importance of information security, including the protection of personal information, and the threat of cyber attacks, and to ensure that actions are taken to protect information assets, we have established a permanent e-learning system for Group employees and regularly provide them with knowledge that incorporates the latest examples.

Implementation of Information Security Risk Assessment

The ANA Group periodically has a team of specialists conduct information security risk assessments at its domestic and overseas business sites, checking the status of information asset management from the perspective of a third party to identify issues and make improvements. In addition, we have established a self-inspection system that annually reviews the status of compliance with the regulations, and we are working to improve information security at each organization.
