GC has developed an Information Technology (IT) Security Policy and information security measure in accordance with the ISO27001 - Information Security Management standards, and has Control Objectives for Information and Related Technologies (COBIT) in place, in order to serving as a practical scope for confidentiality, integrity, and availability of information.

The implementation framework under the policy acts as a guideline for the development of an information security administration system, including an IT security policy and a computer room physical security policy.

It also represents procedures ensure that information is consistent with the development of an information security administration system, including guidelines for accessing key systems, computer room access control, and information asset risk. It covers security and safeguarding measures against cyber threats in several cases e.g. systems to prevent computer virus spread (virus computer), cyber leaks of key data, and 2 Factor Authentication (2FA). Boundaries and authorities have been set for employee at all levels. To standardize the information security system throughout organization, all employees are required to strictly comply with the rules, regulations, policies, and procedures. In 2020, 99.32 percent acknowledged and complied with the information security policy.

In addition, GC have held IT and cybersecurity trainings for employees at all levels through online and off-line channels, in order to help employees understand the measures to act against unexpected cybersecurity threats.

In 2020, GC have held

cybersecurity seminars

employee participation of over

people

Phishing Test

GC has provided information and raise awareness to 7,500 employees regarding cybersecurity attacks and the threats from Phishing. For example, phishing through the announcement of virus computer and luring exployees to share personal or financial information through e-mail. GC has stages a mock up phishing attack with its employees through the Company's email system and found that 96.17 percent of employees were aware of such attacks, and they were more cautious of cybersecurity threats in general.

Moreover, GC help training sessions through online channels by cybersecurity experts on internal control and internet scams such as Advanced Persistent Threat (APT) and Digital Signature to help employees be aware of emerging cybersecurity threats.

GC has established KPIs and KRIs to measure the efficiency of employees in the related-functions. GC has determined that 80 percent of this group of employees must acknowledge and study the policies IT and cybersecurity policies, and 80 percent of the same group of employees must pass the IT and cybersecurity training session.

Nevertheless, GC has determine KRIs to ensure that employees have skills to act appropriate when encountering IT or cybersecurity threats. This includes measures that are in accordance to relevant laws and regulations such as organizational wide acknowledgement of IT and cybersecurity policies at 90 percent, as well as provision of trainings to over 90 percent of employees.