Information Security

Basic Approach

In recent years, cyber attacks on the Internet have become more sophisticated on a global scale, and threats such as cyber terrorism using computer viruses, large-scale information leaks, and business email fraud are increasing.
As a corporate group responsible for the vital infrastructure of air transportation, our company has built an information security management system based on the ANA Group Information Security Management Rules Manual, and we are routinely improving information system functions and taking security measures through multilayered defenses. ANA Systems Co., Ltd., which handles security measures for ANA Group systems, has obtained ISO 27001 certification.

Declaration of Information Security

ANA Holdings Inc. (hereafter "ANAHD") and companies which are linked with ANAHD through ANA Group management rules (hereafter "ANA Group") are fully aware of the importance of protecting information assets, including the personal information of customers. Therefore, ANAHD and ANA Group take the following measures to ensure compliance with relevant regulations and technical standards, handle such information assets accurately, safely, and appropriately according to the risks involved, and prove to be worthy of stakeholders' trust.

  1. ANA Group strives to ensure the confidentiality, integrity, and availability of the information assets in its possession.
  2. ANA Group will not disclose any information assets unless there are reasonable requirements to do so (requested by law, etc.).
  3. ANA Group establishes a special organization dedicated to improving information security in order to protect information assets, sets out the measures to ensure information security in a manual, and continually works to maintain and improve information security by means of education, evaluation of effectiveness, and audits of compliance status.
  4. If any ANA Group executive or employee commits any act which impairs the confidentiality, integrity, and availability of any information asset, ANA Group will respond to such cases strictly according to established procedures.

Promotion System

The ANA Group addresses information security as part of its risk management. The Chief ESG Promotion Officer (CEPO) supervises information security as the chief executive officer. The Group ESG Management Promotion Committee chaired by CEPO formulates and proposes basic policies and carries out operations in accordance with basic policies determined by the Board of Directors.

Personal information is essential for providing ANA Group services, and we consider it an important asset entrusted to us by our customers. In the event of an incident involving information security, such as a data breach of personal information, it is reported to the Group General Affairs Department through the ESG Promotion Leader of the department in charge. In the event of a serious incident, we will promptly establish a crisis response system as stipulated in the Crisis Management Manual and respond to emergencies in cooperation with related parties inside and outside the company. We established a Cyber Security Incident Response Team, a specialized team to respond to security issues, to ensure a timely response in the event of an incident.

Major Initiatives

Personal Information Protection

In recent years, various laws and regulations related to personal information and privacy have been established in Japan and overseas. We have therefore revised our privacy policy and relevant internal regulations to ensure compliance with the General Data Protection Regulation (GDPR), established in the European Union in 2018, and the China Cybersecurity Law (CCSL) and the California Consumer Privacy Act (CCPA), established in 2020.

Cybersecurity Measures

The ANA Group is designated as a critical infrastructure provider in Japan by the National Center of Incident Readiness and Strategy for Cybersecurity (NISC). We implement security measures at entrance and exit control, and we have adopted antivirus measures in accordance with the guidelines formulated by the Ministry of Economy, Trade and Industry (METI). We monitor our security system 24 hours a day, 365 days a year.
Cybersecurity intelligence is most effective when providing early alerts to counter cyberattacks. Therefore, we participate in information sharing organizations, such as the Aviation Information Sharing and Analysis Center (A-ISAC), which consists of airline, aircraft manufacturer, and other members. We also participate in the Surface Transportation Information Sharing and Analysis Center (ST-ISAC). In these ways, we acquire information from internal and external industry sources as early as possible for use in taking preventive measures.
The Keidanren (Japan Business Federation) published the Cyber Risk Handbook for Directors in autumn 2019. We develop measures assuming that incidents are inevitable. Since the utilization of digital technology is an important means for corporate growth, we understand that we must take a balanced approach. The ANA Group sees cybersecurity as a risk management issue to be addressed by the entire group, including our board of directors.

Development of Specialized Human Resources

In addition to training security experts in cooperation with external organizations and actively sharing information with other companies to improve our knowledge, we also conduct drills to quickly establish an initial response system in the event of a problem and to minimize its impact by taking countermeasures in cooperation with each department.

Implementation of Education

To help Group employees understand the importance of information security, including the protection of personal information, and the threat of cyber attacks, and to ensure that actions are taken to protect information assets, we have established a permanent e-learning system and regularly provide employees with knowledge that incorporates the latest examples.

Implementation of Information Security Risk Assessment

The ANA Group periodically has a team of specialists conduct information security risk assessments at its domestic and overseas business sites, checking the status of information asset management from the perspective of a third party to identify and resolve issues. In addition, we have established a self-inspection system that annually reviews the status of compliance with the regulations, and we are working to improve information security at each organization.
