Cyber Security Group Policy AIS Group

1.    Introduction

1.1 Objectives

1)   Determine the direction, principles, and details of managing and governing cyber security in accordance with the laws, regulations, frameworks, standards, and requirements that apply to the Company.

2)   Develop a better understanding among Employees so that they work in compliance with the policies, standards, procedures, guidelines, and laws related to the Computer Systems correctly and appropriately.

3)   Enable Employees and others who need to use or connect to the Company's Computer Systems to use the Company's Computer Systems properly.

4)   Prevent the Company’s Computer Systems and Information Technology from intrusion, theft, destruction, disruption, or any other criminal activities that may damage the business of the Company.

5)   This policy shall be effective on the day of proclamation.

1.2 Scope

This policy covers the protection and maintenance of the Company's cyber security, whether on or off the premises, including the cloud services that the Company supplies, and applies to:

1)   All Employees and departments of the Company.

2)   Third Parties that have access to assets related to the Company's Computer Systems and Information Technology.

1.3  Security Principles

This Security policy has an objective to achieve the following principles:

-      Confidentiality – Protecting the confidentiality of information, including personal information and information owned by the Company, by preventing access to and disclosure of information by unauthorized persons.

-      Integrity – Ensuring that the Company's information shall not be edited, modified, or destroyed by an unauthorized person.

-      Availability – Ensuring that authorized users can access information and services quickly and reliably.

 

Adequate Security requires agreement and attention in all matters involved, which includes:

-      Security is the duty of all Employees.

-      Management and practice of Security is a process that must be carried out continuously at all times.

-      Conscience, self-discipline, responsibility, and attention to working in compliance with the practices specified in the policies, standards, procedures, guidelines, and processes are the most crucial part of Security. A clear explanation to Employees that develops a better understanding of the Security roles and responsibilities for which they are accountable ensures that Security operations run effectively.

1.4 Definitions

1)   “Company” refers to Advanced Info Service Public Company Limited and any other subsidiary companies in the AIS group.

2)   “Employee” refers to a person employed by the Company as a trainee, permanent staff, special contract employee, or executive of any level.

3)   “User” refers to Employees and External Parties who are on the list of authorized users and are allowed to have an access password and/or a password to access the processing equipment.

4)   “Supervisors” refers to Employees who supervise internal departments according to the organizational structure of the Company.

5)   “Computer System” refers to all kinds of computer tools or equipment, including hardware and software of all sizes, wired and wireless network equipment, data storage and transfer equipment, internet and intranet systems, as well as electrical and telecommunications equipment that can work or be used in the same way as or similarly to a computer. This includes systems belonging to the Company or the Company’s partners, systems of other companies that are under installation and not yet delivered, and systems that the Company’s Employees bring in to install or use within the Company premises.

6)   “Information Technology (IT)” refers to information, news, records, history, document content, computer programs, and computer data in images, sounds, marks, and symbols, whether stored in a format that can convey meaning to a person directly or through tools or any equipment.

7)   “Sensitive Information” refers to Information Technology which is important to the Company’s business operation, or which the Company has obligations under the laws, business ethics, or contracts neither to disclose to other persons nor to use for any benefit other than the Company’s business objectives. Any leakage of such information may cause interruption or reduced efficiency of the Company’s business operation, or damage to the Company’s reputation.

8)   “Important Systems” refers to Computer Systems that the Company uses to provide business services that generate direct revenue, systems that support income generation, any other electronic systems that help the business operate normally, and systems so defined by the information Security agency and the Company’s information systems function. If such vital systems stop working or lack efficiency, the business operation may come to a halt or become ineffective.

9)   “Remote Access” refers to a connection to the Company's computers or network system, either from inside the Company (via internal communication channels) or from outside the Company (via the Internet).

10) “System Owner” refers to internal departments that own Computer Systems and are responsible for that Computer System.

11) “Custodian” refers to a person assigned by the owner of the Computer System or Information Technology to support its operation and to control access to the Information Technology in compliance with the requirements or level of authorization that the Computer System or Information Technology owner determines.

12) “Administrator” refers to an Employee assigned to be responsible for operating and maintaining the Computer Systems, including hardware, software, and any other peripherals that are assembled into a Computer System. The Administrator is authorized to change, add, edit, and adjust the Company's Computer System so that it operates appropriately and efficiently, in line with business needs and safety.

13) “Security” refers to any process or action, such as prevention, strictness, precaution, and care in the use and maintenance of Computer Systems/IT and Sensitive Information, taken to prevent any attempt by either an in-house Employee or an outsider to access such systems with the intention to steal, destroy, or disrupt them, which may cause damage to the Company’s business.

14) “Third Party” refers to personnel or external agencies that conduct business with or provide services to the Company and may be granted access to IT and the Company's information processing equipment, such as:

-      Business Partner

-      Outsource

-      Supplier

-      Service Provider

-      Consultant

-      Intern

 

2.    Roles and Responsibilities

2.1 Supervisor’s role

1)   Inform Employees about the policies, standards, procedures, work instructions, guidelines, and processes of the Company related to cyber security.

2)   Look after, advise, and warn Employees in case of any improper or inappropriate behavior.

3)   Consider penalties for offenders equally and fairly.

2.2 Employee’s and Third Party’s role

2.2.1        All Employees and Third Parties who have access to information and the Company’s Computer Systems must comply with the following:

1)   Learn, understand, and strictly follow the policies, standards, procedures, work instructions, guidelines, and practices of the Company related to Computer System and IT Security.

2)   Fully cooperate with the Company to protect the security of the Computer Systems and the Company's information.

3)   Inform the Company immediately upon seeing improper or inappropriate behavior, or intrusion, theft, destruction, disruption of work, or other criminal activities that may cause damage to the Company.

4)   To maintain the password or any other codes given by the Company to access the Computer System or the Company’s information. The password or any other codes are a personal secret which must be kept confidential and shall not be used by any other person. In addition, the Employee or Third Party must change the password or any other codes upon expiration, or when the Employee or Third Party considers it appropriate to do so. The new password or any other codes must be chosen with discretion and must neither resemble the old password/code, be easy to guess, nor be reused on every system that the Employee or Third Party is authorized to access, in accordance with the IT Security Standard.

2.2.2        Employees and Third Parties granted computer usage must comply with the following:

1)   To log out of every system and shut down the computer and any peripherals immediately when they will not be used for a long period or after working hours.

2)   To set a password that locks the computer screen when the computer is not in use for a short period or when leaving temporarily for other activities, to prevent others from accessing the computer.

3)   To scan any information or data downloaded to his/her computer, every time, using updated anti-virus software.

4)   To maintain the password or any other codes given by the Company to access the Company’s computer. The password or any other codes are a personal secret which shall be kept confidential and shall not be used by any other person. In addition, the Employee or Third Party shall change the password or any other codes upon expiration, or when the Employee or Third Party considers it appropriate to do so. The new password or any other codes shall be chosen with discretion and shall neither resemble the old password/code, be easy to guess, nor be reused on every system that the Employee or Third Party is authorized to access, in accordance with the IT Security Standard.

2.2.3        Employees with duties related to Third Parties must guide the Third Parties to work in compliance with the cyber security policy.

 

3.    Cyber Security Risk Management

Objective: To demonstrate acceptance of, and to reduce, cyber security risk by using a consistent approach to risk management, including Security measures to protect information that are consistent with the risk identification and assessment process.

Description

3.1    Security Risk Management Methodology

3.2    Internal Organization

 

4.    System Management

Objective: To have appropriate measures to protect Company assets

Description

4.1    Inventory and Ownership

4.2    Security Classification and Handling

4.3    Software Licensing

 

5.    Human Resource Management

Objective: To ensure that Employees understand their responsibilities, including awareness of Security in operations.

Description

5.1    Prior to Employment

5.2    During Employment

5.3    Termination and Change of Employment

 

6.    Third Party Management

Objective:

1.    To ensure that Third Parties who contract with the Company understand their responsibilities, including awareness of Security in operations.

2.    To reduce the Company's risk of cyber security and data security violations.

Description

6.1    Prior to Employment

6.2    During Employment

6.3    Termination and Change of Employment

6.4    Addressing Security When Dealing with Customers

 

7.    Physical and Equipment Security

Objective: To prevent unauthorized physical and equipment access which may cause damage to or interference with the Company's Computer Systems.

Description

7.1    Physical Security

7.2    Equipment Security

 

8.    Communications and Operation Management

Objective:

1.    Ensure the secure operation of the Computer Systems.

2.    Implement and maintain the appropriate level of cyber security and service delivery.

3.    Reduce the risk of Computer System failures.

4.    Protect and maintain the integrity and availability of information, software, and Computer Systems.

5.    Ensure the protection of data in the networks, including protection of other support infrastructure.

6.    Prevent unauthorized disclosure, editing, deletion or destruction of assets as well as business activities interruption.

7.    Maintain the security of data exchanged between the Company and External Parties.

8.    Monitor for unauthorized data processing.

Description

8.1    Operational Procedure and Responsibilities

8.2    Third Party Service Delivery Management

8.3    Capacity Management

8.4    Protection Against Malicious Software

8.5    Back Up and Restoration

8.6    Network Security Management

8.7    Removable Media Handling

8.8    Cloud Storage

8.9    Information Transfer

8.10  Monitoring

8.11  Patch Management

 

9.    Access Control Management

Objective: To control access to information and Computer Systems so that only authorized persons have access, and to prevent unauthorized access to systems and services.

Description

9.1    User Access Management

9.2    Password Management

9.3    Access Control

9.4    Mobile Computing and Teleworking

 

10.     System Acquisition, Development, and Maintenance

Objective: To ensure that Security is an essential component of the procurement, development, and maintenance of systems.

Description

10.1      Security Requirements for Systems

10.2      Correct Processing in Applications

10.3      Cryptographic Controls

10.4      Security of System Files

10.5      Security in Development and Support Processes

10.6      Vulnerability Management

 

11.     Cyber Security Incident Management

Objective: To reduce the risk and damage that may occur, and to ensure that cyber security incidents, including weaknesses related to the system, are communicated so that proper action can be taken in time.

Description

11.1      Management of Cyber Security Incident

 

12.     Business Continuity Management

Objective: To protect essential business processes from the impact of significant failures in Computer Systems or from disasters.

Description

12.1      Cyber Security in Business Continuity Management

 

13.     Regulatory and Compliance

Objective: To comply with international standards and regulatory requirements, and to avoid violations of legal obligations, regulations, or employment contracts relating to security, including the Computer Crime Act, the Cyber Security Act, the Electronic Transactions Act, the Personal Data Protection Act, and other relevant laws and regulations that are already in effect or shall come into effect in the future.

Description

13.1         Compliance with Legal Requirement

13.2         System Audit Considerations

 

Effective Date: 1 August 2023