GC has implemented an information security management system and asset security practices in accordance with the international cybersecurity standard ISO/IEC 27001:2013. In 2021, the scope of the ISO/IEC 27001 certification was extended to cover the personal data security of candidates in the recruitment process. This will ensure the security and personal data privacy of the candidates.

Our assurance process is conducted annually by a third party (Bureau Veritas). It covers the information infrastructure and security management system, to ensure that no systematic errors are detected and that the operation system complies with international standards.

Moreover, GC manages cyber threats using the NIST framework to enhance cybersecurity across the entire organization. The NIST framework is divided into the following five aspects.

NIST Framework and Outstanding Information and Cybersecurity Projects in 2021

No. Process Detail
1. Identify

GC conducted the Cybersecurity Gap Analysis according to NIST Standards in 2021. The assessment findings comprise three main points:

  • Urgent development of personnel in information and cybersecurity
  • Continuous monitoring and improvement of information and cybersecurity systems
  • Application of advanced technology to handle new forms of threats
2. Protect

GC has developed the Data Protection Solution to increase security, reduce risks of information theft, and support the enforcement of the Personal Data Protection Act 2019 (PDPA) through the following processes:

  • Assess the potential of technologies used in information and cybersecurity systems
  • Improve policy on information classification
  • Issue information process manual and information management manual
  • Assign confidentiality level to personal information
3. Detect

GC has executed the Compromise Assessment & Detection project, carried out by experts in internal system audit, to detect traces of information theft that had occurred in the company’s IT system.
4. Respond

GC has performed the Corporate Crisis Management Exercise on both the Information Technology (IT) and Operational Technology (OT) systems by simulating a ransomware breach in the refinery system.
5. Recover

GC has expanded the scope of the Backup & Recovery system, which previously covered only high-risk groups, to include medium- and low-risk groups in order to restore damaged data to as near normality as possible. The Disaster Recovery Exercise was also carried out and detected no data loss.

Information & Cybersecurity Performance

| Indicator | 2018 | 2019 | 2020 | 2021 | Target 2021 |
|---|---|---|---|---|---|
| No. of cybersecurity incidents | 0 | 0 | 0 | 0 | 0 |
| No. of complaints about information insecurity | 0 | 0 | 0 | 0 | 0 |