GC has implemented an information security management system (ISMS) and asset security practices in accordance with the international information security standard ISO/IEC 27001:2013. GC has appointed an external auditor to conduct assessment and verification on an annual basis.
The assurance process is conducted annually by a third party (Bureau Veritas). It covers the information infrastructure and the security management system, and confirms that no systematic errors are detected and that operations comply with the international standard.
Moreover, GC conducts vulnerability assessments (VA) and reviews the Business Continuity Plan at least twice a year in order to prepare for hacking incidents. In 2020, GC tested its incident response readiness through a Cyber Incident Response Tabletop Exercise, simulating cyberattacks involving data leakage and system compromise that could disrupt business operations and damage the company's reputation.
In the case of such a threat, the Cyber Security Incident Response Team (CSIRT), which consists of the TF-IT VP, IFM and the Infrastructure Architecture function, is responsible for governing and supporting the operating teams in taking actions to contain the incident. The Security Operation Center team (SOC team) and the CSIRT Commander, in cooperation with the PTT Digital Network team, analyze and investigate the root cause of the incident, prepare the incident management process and report to the relevant parties so that mitigation actions can be taken. The SOC Manager reviews the incident report and then approves further corrective actions.
To maintain readiness against potential cybercrime, penetration tests and internal and external vulnerability assessments are conducted every six months (in two phases) so that proactive and mitigation measures can be prepared. GC classifies vulnerability severity at three levels: high, medium and low.
Vulnerability Severity Levels
High: A vulnerability carrying a high risk of intrusion. An intruder can use it to attack the system immediately with publicly available software from the internet, without having to modify the program, and a successful intrusion can cause a high level of damage to the information system.
Medium: A vulnerability carrying a medium risk of intrusion. Publicly available software exists on the internet, but skill and expertise are required to modify the program before the system can be attacked successfully. An intrusion can cause a medium level of damage to the information system.
Low: A vulnerability carrying a low risk of intrusion. No publicly available software exists, and a high level of computer skill and expertise is required to attack the system successfully. An intrusion can cause a low level of damage to the information system.
Detected issues are reported to the responsible function for correction, and a working team is assigned to respond and to monitor the long-term risk. Additionally, system hardening is conducted annually, including installing and updating anti-virus software on servers and their clients. In addition to regular system updates, GC also performs daily, weekly and monthly data backups. Standard software must pass testing before it is approved for use, and an annual audit is conducted on hardware and software management. GC Group also holds the necessary insurance to lessen the impact of operational failures.
To ensure business continuity, GC has established cybersecurity drills, disaster recovery tests and recovery procedures for handling emergencies that might affect the main data systems. These recovery plans are rehearsed annually. Monitoring results are also used to alert both plants and offices when conditions are observed that might lead to a cybersecurity threat.