Information Security Policy and Commitments

Policy Mission and Values

Evergreen Aviation Technologies Corp. (hereinafter referred to as "the Company") is committed to ensuring the Confidentiality, Integrity, and Availability of information assets. This policy aims to support the continuity of business operations, protect the intellectual property of our customers and the Company, and ensure product quality. Regarding aircraft maintenance activities, the Company pledges that every information security action is intended to enhance aviation safety, ensuring the authenticity and integrity of airworthiness data and maintenance records.

Applicability

This policy applies to all personnel of the Company, business-related suppliers and their employees, and visitors. All individuals have an obligation to comply with this policy and its associated management mechanisms. For employees who violate information security regulations, the Company will take corresponding disciplinary measures based on the severity of the offense, in accordance with the Company's administrative rules.

Core Objectives and Commitments

By implementing the Information Security Management System (ISMS), the Company commits to achieving the following objectives:

  • Compliance with Laws and Standards: Adhere to applicable regulations (such as EASA Part-IS) and contractual obligations, and draw on international information security standards (such as ISO 27001) and best practices to establish standardized management processes and operating procedures.
  • Process Integration: Commit to implementing and embedding ISMS requirements into all business processes of the Company, ensuring that information security management is closely integrated with daily operations.
  • Protection of ICT Systems and Infrastructure: Strengthen physical and environmental security controls to ensure the integrity and availability of Information and Communication Technology (ICT) systems and infrastructure.
  • Ensuring Business Continuity: Establish and exercise Business Continuity Plans (BCP) to support the continuity of the Company’s operations.
  • Strengthening Information Classification: Establish information classification and protection mechanisms to ensure that information assets generated by the Company or received from third parties are appropriately protected according to their sensitivity.
  • Performance and Continuous Improvement: Set measurable performance indicators, regularly evaluate their achievement, and provide sufficient resources to continuously enhance the maturity of information security processes in accordance with regulatory requirements (e.g., EASA Part-IS) and industry standards.

Responsibilities and Organizational Culture

  • Leadership Responsibility: Information security is a fundamental responsibility of managers at all levels.
  • Just Culture: The Company encourages the implementation of a "Just Culture," supporting and motivating personnel to proactively report information security vulnerabilities, suspicious/abnormal events, and information security incidents without fear of undue retribution.
  • Awareness and Communication: This policy will be promoted through training and awareness programs regularly or upon revision, and communicated to all relevant parties.

Policy Review and Continuous Improvement

The Company will immediately review and revise this policy upon changes in organizational activities or complexity, or when it is found that the policy is no longer effective in addressing existing risks. Additionally, a formal review will be conducted at least annually to ensure its continued suitability and effectiveness.