GC has issued cybersecurity policies and measures based on ISO 27001 as well as created awareness among employees, contractors, suppliers, customers and authorities or individuals operating on behalf of the company across the value chain to reinforce the security and stability of our information and cybersecurity management system and prevent any action in violation of the Cyber-Related Computer Crime Act.

In 2022, GC applied for Information Security Management System and Privacy Information Management System certifications according to ISO/IEC 27001:2013 and ISO/IEC 27701:2019, respectively. The scope of certification is as follows:

| Priority | Scope of Application for ISO/IEC 27001:2013 and ISO/IEC 27701:2019 |
|---|---|
| 1 | Infrastructure as a Service |
| 2 | Cloud Infrastructure as a Service |
| 3 | Cyber Zone / Internet Zone Network |
| 4 | External Recruitment Process and Application Supporting Recruitment Process |

Additionally, GC has made preparations and reduced risks from cybersecurity threats and thefts by establishing and monitoring Key Risk Indicators (KRI) in all three dimensions, which are people, business, and technology.

Key Risk Indicator: KRI 2022

| Target Group | Action | Key Risk Indicator (KRI) | Target (%) | 2022 Outcome (%) |
|---|---|---|---|---|
| People | Conduct phishing test | Phishing report rate (Quarterly) | >= 20 % | 49.09 % |
| People | Conduct phishing test | Employees who passed Phishing Test (Quarterly) | >= 95 % | 97.70 % |
| Business | Perform vulnerability assessment to improve information system security | Vulnerability Fixed | 100 % | 99.97 % |
| Technology | Update and improve protection system against cyber breaches and cyber-attacks to heighten data security | Update Firmware and Signature on Firewall | 100 % | 100 % |

Furthermore, GC promotes knowledge on the safe use of information technology in tandem with information security/cybersecurity awareness training, infographics on data privacy and E-Learning, so that employees, contractors, suppliers (feedstock and non-feedstock), customers and authorities or individuals acting on behalf of GC across the supply chain can apply it in operations and in daily life.

Educating Employees on the Safe Utilization of Information Technology

Form of Communication: Infographics
Detail: Use infographics to convey news and information via e-mail to create employee awareness, and use Microsoft Forms to evaluate their knowledge and understanding
Content Sample:
  • Encourage users to change the password for protection against ransomware
  • Safety precautions for linking personal accounts to online applications

Form of Communication: E-Learning
Detail: Create an online knowledge center that is accessible to employees with a focus on creating awareness and understanding of fundamental cybersecurity issues as well as comprehensive information on cybersecurity threats
Content Sample:
  • Business E-mail Compromise (BEC)
  • Report Suspicions
  • Defending Against Malware
  • Physical Security and Cybersecurity Linkage

Outcome

  • Test score on cybersecurity knowledge = 100%
  • Contractors and suppliers must attend online training to acknowledge the Information Security Policy before accessing the company’s information system = 100%