Information Security

Basic Approach

In recent years, cyber attacks on the Internet have become more sophisticated on a global scale, and threats such as cyber terrorism using computer viruses, large-scale information leaks, and business email fraud are increasing.
As a corporate group responsible for the vital infrastructure of air transportation, our company has built an information security management system based on the ANA Group Information Security Management Rules Manual, and we routinely improve information system functions and apply security measures through defense in depth. The ANA Group's information security measures are based on the NIST-CSF (the National Institute of Standards and Technology Cybersecurity Framework).

Declaration of Information Security

ANA Holdings Inc. (hereafter "ANAHD") and companies which are linked with ANAHD through ANA Group management rules (hereafter "ANA Group") are fully aware of the importance of protecting information assets, including the personal information of customers. Therefore, ANAHD and ANA Group take the following measures to ensure compliance with relevant regulations and technical standards, handle such information assets accurately, safely, and appropriately according to the risks involved, and prove to be worthy of stakeholders' trust.

  1. ANA Group strives to ensure the confidentiality, integrity, and availability of the information assets in its possession.
  2. ANA Group will not disclose any information assets unless there are reasonable requirements to do so (requested by law, etc.).
  3. ANA Group establishes a dedicated organization responsible for improving information security in order to protect information assets, documents the measures required to ensure information security in a manual, and continually works to maintain and improve information security through education, evaluation of effectiveness, and audits of compliance status.
  4. If any ANA Group executive or employee commits any act which impairs the confidentiality, integrity, and availability of any information asset, ANA Group will respond to such cases strictly according to established procedures.

Promotion System

The Group ESG Management Promotion Committee monitors progress of measures in accordance with the ANA Group Information Security Declaration, which states the ANA Group's basic stance on information security. The Chief ESG Promotion Officer (CEPO) organizes ANA Group information security and acts as the chief executive for promoting ANA information security. Each group company ensures information security by appointing an ESG Promotion Officer (EPO), who is responsible for promoting it, and an ESG Promotion Leader (EPL), who actively promotes it.
The Group IT Promotion Officer is the Chief Information Officer (CIO) of the ANA Group and provides technical advice in close cooperation with the CEPO, and compiles a quarterly 'Digital Governance Report', which is reported at regular meetings of the ANA Board of Directors.
Under the supervision of the CIO, the ANA Group CSIRT conducts activities aimed at preventing security events and early recovery in the event of an incident, and promotes the measures necessary to strengthen information security.

The Group ESG Management Promotion Committee instructs and supervises the Chief ESG Promotion Officer (the Executive Officer in Charge of Group Risk & Compliance). Where necessary, the ANAHD Group Internal Audit Department attends the Committee as an observer, and the secretariat handles the Committee's overall coordination and operation. Information security incidents that do not involve systems are handled by the Group General Administration; incidents that do involve systems are handled promptly by the ANA Group CSIRT (the specialized team for responding to security incidents), which is made up of the Group General Administration, the Group IT Department, and ASY and is established under the Group CIO. In each ANA Group company, an ESG Promotion Leader is appointed under the ESG Promotion Officer, and between the ESG Promotion Leader and management and employees, information owners (department managers) and system owners are placed to complete the information security promotion system.

Incident response flow

Personal information is essential for providing ANA Group services, and we consider it an important asset entrusted to us by our customers. In the event of an information security incident, such as a data breach of personal information, the incident is reported to the Group General Administration Department through the ESG Promotion Leader of the department in charge. In the event of a serious incident, we promptly establish a crisis response system as stipulated in the Crisis Management Manual and respond to the emergency in cooperation with related parties inside and outside the company. To ensure a timely response when an incident occurs, we established the ANA Group CSIRT (Cyber Security Incident Response Team), a specialized team for responding to security issues.

[Discovery/Notification] After recognizing that an incident has occurred, the department in charge of the incident conducts fact-finding to understand the situation. The department then organizes the information, assesses the severity of the incident, and reports to the Group CSIRT. The Group CSIRT reports to the Chief ESG Promotion Officer and the Group IT officer. The Chief ESG Promotion Officer assesses corporate risks, while the Group IT officer assesses IT risks.
[Triage] On receiving the report, the Group CSIRT considers triage support, coordination with external parties, and whether external disclosure is necessary, based on the information reported.
[Incident Response] The department in charge of the incident analyzes the incident, identifies the root cause and scope of impact, and establishes a response plan. The Group CSIRT confirms the effectiveness of the response plan and provides support, such as revising the plan, where necessary. The Chief ESG Promotion Officer and the Group IT officer collaborate closely to make decisions on implementing the response plan and on external disclosure, and give instructions to the Group CSIRT.
[Improvement/Prevention] The Group CSIRT and the department in charge of the incident organize the remaining issues and manage medium- to long-term issues.

Major Initiatives

Protection of Personal Information

In order to comply with national and international laws and regulations on the protection of personal data, we are revising the privacy policy and relevant internal rules, and we are appropriately addressing the Amended Act on the Protection of Personal Information of Japan as well as revisions to laws in other countries (e.g. the U.S., Europe, China, and Thailand). We also conduct in-house training for each employee on the importance of protecting personal information and the need for strict handling of such information. In April 2023, the Privacy Governance Team was established as a dedicated governance structure to strengthen privacy governance, so that future use of data, including platform businesses that utilize customer data assets, is based not only on strict legal compliance but also on ethical appropriateness.

For more details, see Data & Privacy Governance.

Cybersecurity Measures

ANA is designated as a critical infrastructure provider in Japan by the National Center of Incident Readiness and Strategy for Cybersecurity (NISC). We implement defense in depth in accordance with the guidelines formulated by the related ministries, and we monitor our security systems 24 hours a day, 365 days a year. As cyberattacks become more sophisticated and cunning, the use of threat intelligence (early warning information on cyberattacks) is extremely effective, and the ANA Group draws on the Aviation ISAC (Information Sharing and Analysis Center), the Transportation ISAC JAPAN, and dark web research as preventive measures. We have also introduced the Zero Trust concept: to defend against attacks and ensure reliability, we verify the person operating the system, the device originating the communication, and the system processing itself, rather than relying on the network perimeter alone. In light of recent cybersecurity incidents at other companies, there is a growing need to strengthen not only the ANA Group's own security measures but also the defense of our entire supply chain. We will strengthen cooperation with the related ministries, Keidanren (Japan Business Federation), and other related agencies to spread awareness of the need to strengthen security.
Our top material issue is visualizing the IT assets of each company in the ANA Group supply chain. We identify issues and vulnerabilities through attack surface management, that is, by managing the points at each group company that are exposed to external attack. Issues and vulnerabilities discovered are prioritized, and each group company is kept informed and consulted so that it can take the necessary countermeasures.
The ANA Group IT Chart, a management document created by the ANA Group to monitor the IT usage status of each group company (for example, the OS and other versions of the systems in use, whether security screening is carried out, and software license expiry dates), is used to strengthen governance. Furthermore, above the ASY-CSIRT (ANA Systems Computer Security Incident Response Team, which responds to security incidents on ANA systems), the ANA Group CSIRT has been established to handle security incidents occurring at each ANA Group company, and this structure is being strengthened.
Information security advisories and refresher training materials are regularly posted on our website for employees to help develop security human resources, and we raise employee security awareness through daily operations and Plus Security training.
Developing human resources who specialize in security is an urgent issue. In addition to continuing to hire experienced personnel, we develop security supervisory personnel by recruiting transfers from other departments and having them attend specialized security training. On the legal side, we address privacy laws and regulations in each country in turn. In Japan, we work closely with the national government, Keidanren, and other related organizations to promote the IT systems and cybersecurity measures required by the Economic Security Promotion Act.

From FY19 to FY22, measures were implemented under the concept of Zero Trust Security, focusing on countermeasures that assume an intrusion has already occurred rather than on boundary defense. Specifically, security measures based on the NIST-CSF (Cyber Security Framework) were implemented, such as security by design, endpoint protection, security measures for group companies, legal compliance, human resource development, multi-layer defense, and use of threat intelligence. From FY23 to FY25, measures are being implemented under the concept of "Security for All," emphasizing the thorough visualization of rules, IT assets, and departmental responsibilities to raise security awareness among all group employees. Specific measures being implemented include continuous improvement of guidelines, visualization and protection of IT assets, legal compliance, prevention, defense, detection, response, recovery, industry-academia-government collaboration, education and training, and group governance. From FY26 onwards, the goal is to become a leading cybersecurity company and to lead Japan's critical infrastructure companies in terms of security.

Implementation of Education and Training

In order to understand the importance of information security, including the protection of personal information, and the threat of cyber attacks, and to ensure that actions are taken to protect information assets, we have established a permanent e-learning system for Group employees and regularly provide them with knowledge that incorporates the latest examples. In the IT sector, CSIRT training is conducted monthly as preparation for security incidents, while training for management and relevant departments is conducted at least once a year.

Implementation of Information Security Risk Assessment

The ANA Group periodically conducts information security risk assessments at its domestic and overseas business sites using a team of specialists, and checks the status of information asset management from a third-party perspective to identify and improve issues. In addition, we have established a self-inspection system that annually reviews the status of compliance with the regulations, and we are working to improve information security at each organization. We also strive to reduce risk by conducting regular vulnerability assessments and penetration tests, which are carried out once a quarter on key systems.
