GC has established policies and measures pertaining to information security and cybersecurity as well as personal data management in accordance with ISO/IEC 27001 and ISO/IEC 27701. Moreover, GC continuously invests in improving its information security systems to ensure the security and stability of the information security and cybersecurity management system and to prevent any actions regarded as an offense under the Computer Crime Act and the Personal Data Protection Act. The company implements strict measures to ensure the integrity and protection of data.

In 2024, GC expanded the information security management system in line with ISO/IEC 27001:2022 and the personal data security management system in line with ISO/IEC 27701:2019. The scope of application is as follows:

| Priority | Scope of Application for ISO/IEC 27001:2022 and ISO/IEC 27701:2019 |
|---|---|
| 1 | Infrastructure as a Service On Premise |
| 2 | Cloud Infrastructure as a Service on Cloud |
| 3 | Platform as a Service - Cloud |
| 4 | Cyber Zone / Internet Zone Network |
| 5 | Application Supporting Recruitment Process, including SAP, HCM and Success Factor |
| 6 | External Recruitment Process |
| 7 | Hiring Process |

GC has established information security-related business continuity plans and taken preparatory steps by conducting a cyber threat management exercise and performing cyber-attack risk assessments to enable risk monitoring and serve as a warning signal for operations. In addition, an escalation process has been established to allow employees to report incidents, vulnerabilities, or any suspicious cyber activities.

Escalation process for reporting cybersecurity incidents or suspicious activities

Moreover, the company developed Key Risk Indicators (KRI) in all three dimensions, namely People, Business and Technology to monitor the performance of information and cyber security operations.

Key Risk Indicator: KRI 2024

| Target Group | Action | Key Risk Indicator (KRI) | Target (%) | 2024 Outcome (%) |
|---|---|---|---|---|
| People | Conduct phishing test | Phishing report rate (quarterly) | >= 45 | 55.18 |
| | | Phishing victim rate (quarterly) | < 5 | 1.43 |
| Business | Perform vulnerability assessment to improve information system security | Vulnerability Fixed | 100 | 100 |
| Technology | Update and improve protection system against cyber breaches and cyber-attacks to heighten data security | Update Firmware and Signature on Firewall | 100 | 100 |

Furthermore, GC promotes a culture of shared responsibility for information security across the entire organization by establishing clear guidelines and policies. These are designed to ensure that all employees are aware of the importance of protecting data and understand their individual responsibilities in maintaining information security. The company also defines information security requirements for third parties who access its data or systems to ensure that all stakeholders adhere to the same security standards. GC also promotes knowledge on the secure use of information technology, in tandem with information security/cybersecurity awareness training and data privacy, via infographics and e-learning, so that it can be applied in operations or in daily life by employees, contractors, suppliers (feedstock and non-feedstock), customers and authorities or individuals acting on behalf of GC across the supply chain.

Educating Employees on the Safe Utilization of Information Technology

| Form of Communication | Detail | Content Sample |
|---|---|---|
| Infographics | Use infographics to convey news and information via e-mail to create employee awareness. | Precautions and prevention against different forms of phishing, e.g., e-mail, SMS, QR code. |
| | | Precautions and risks of installing malicious applications on smartphones and laptops. |
| | | Precautions and risks associated with using pirated software. |
| | | Precautions and risks of data leakage from using AI. |
| E-Learning | Create an online knowledge center that is accessible to employees with a focus on creating awareness and understanding of fundamental cybersecurity issues as well as comprehensive information on cybersecurity threats. | Use AI safely to avoid becoming a victim of cyber threats. |
| | | Safeguard company data and protect it against digital-era threats. |
| | | Use licensed software to enhance data security. |

Outcome

  • Test score on cybersecurity knowledge = 100%.
  • Contractors and suppliers must attend online training to acknowledge the Information Security Policy before accessing the company’s information system = 100%.