Process and Infrastructure
GC has implemented an information security management system and asset security practices in accordance with the cyber-related international standard ISO/IEC 27001:2013. In 2021, the scope of the ISO/IEC 27001 certification was extended to cover the personal data security of candidates in the recruitment process. This will ensure the security and personal data privacy of the candidates.
Our assurance process is conducted annually by a third party (Bureau Veritas). It covers the information infrastructure and security management system, to ensure that no systematic errors are detected and that the operation system complies with international standards.
Moreover, GC has managed and organized cyber threats with the NIST framework to enhance cybersecurity for the entire organization. The NIST framework is divided into the following five aspects.
NIST Framework and Outstanding Information and Cybersecurity Projects in 2021
No. | Process | Detail |
---|---|---|
1. | Identify | GC conducted the Cybersecurity Gap Analysis according to NIST Standards in 2021. The assessment findings comprise three main points: |
2. | Protect | GC has developed the Data Protection Solution to increase security, reduce risks of information theft, and support the enforcement of the Personal Data Protection Act 2019 (PDPA) through the following processes: |
3. | Detect | GC has executed the Compromise Assessment & Detection project, carried out by experts in internal system audit, to detect traces of information theft that had occurred in the company’s IT system |
4. | Respond | GC has performed the Corporate Crisis Management Exercise on both the Information Technology (IT) and Operational Technology (OT) systems by simulating a ransomware breach in the refinery system |
5. | Recover | GC has expanded the scope of the Backup & Recovery system, which exclusively covered high-risk groups, to include medium- and low-risk groups in order to restore damaged data to as near normality as possible. The Disaster Recovery Exercise was also carried out and detected no data loss |
Information & Cybersecurity Performance
Indicator | 2018 | 2019 | 2020 | 2021 | Target 2021 |
---|---|---|---|---|---|
No. of cybersecurity incidents | 0 | 0 | 0 | 0 | 0 |
No. of complaints about information insecurity | 0 | 0 | 0 | 0 | 0 |