Challenges and Commitments

Information technology has developed rapidly in the past years and plays a significant role in the business operations of organizations worldwide. This has resulted in cybersecurity threats being considered as a critical risk and challenge for global organizations. Therefore, GGC is well aware of the risks relating to information technology and cyber security which present themselves in the forms of obstacles from external attacks on the IT system or internal leakage of personal and corporate data. Such risks can affect GGC’s operations and the safety of the personal data of employees, customers and suppliers. Therefore, GGC strives to develop a system that creates an IT shield through a secure governance structure and compliance with the Personal Data Protection Act as well as trainings to create confidence, knowledge and understanding for employees.

Key Stakeholders

Employee
Customer
Government
Supplier and Business Partner

Goals

Zero leakage
of personal data, no complaints relating to cyber security incidents, and no employees or stakeholders fall victim to IT and cyber-attacks.

Management Approach

Cybersecurity Governance

GGC has established a policy for information technology security to be used as a guideline for the development of information security management systems and have a process of controlling the security of information technology systems according to standard ISO 27001: Information Security Management and Control Objectives for Information and Related Technologies (COBIT). This covers the procedures regarding the use of information (Procedure) in order to manage operations for information and cyber securities, as well as to prevent and reduce risks and potential impacts.

The Structure of Overseeing Information and Cyber Security

In addition, GGC has established an information security and cyber security governance structure, which is regarded as the main process in building information security and protection against cyber threats. The working group is divided into 3 levels: Committee level, Management level, and Operation level.

Governance Level Role
Board Level Audit Committee
  • Scope of authority includes supporting corporate governance with a focus on sustainable development, especially in terms of internal control, risk management, as well as Information Security and Cyber Security, chaired by a Board of Directors member.
GC Group’ s Digital & IT Steering Committee (DISC)
  • Scope of authority includes policy direction of the Company's digital and information technology to ensure that the goals remain consistent and meet international standards, comparable to leading international companies in the same business, chaired by the Chief Executive Officer and President.
ISMS Committee
  • Responsible for supervising information security, cyber security, and cloud security in line with international standards.
Enterprise Architecture (EA Committee)
  • Responsible for considering the management of the organization's technology structure to meet usage needs and maintain modern international standard in order to achieve maximum benefits.
Chief Information Security Officer: CISO
  • Responsible for setting goals and security policies in line with GGC's strategic plan. Develop information security policies according to the standards, steps, and guidelines in order for GGC to obtain Confidentiality of information, maintain the information Integrity, and the Availability or stability of the security of the information system. The officer is also responsible for coordinating control work and reporting cyber threat incidents to senior management and the Office of the National Cyber Security Commission.
Management Level
  • Responsible for setting data and information management policies such as Information Security (IS), Cyber Security Policy, Cloud Security Policy, Service Level Agreement (SLA), Secure System Development Life Cycle (SSDLC), and Data Protection, etc.
  • Responsible for implementing ISO Series (ISO 27001, ISO 27701, ISO 22301) and NIST Cybersecurity Framework as a framework for operating and controlling user operations so that data and information is accurate, and available. The management is also responsible for introducing both internal and external auditing systems to monitor and verify various processes to ensure that data and information are accurate, reliable and well-maintained.
Operation Level
  • Responsible for defining systems, practices, and various service systems related to the intranet system and providing training to employees in GGC to communicate and raise awareness of the importance and risks of information and cybersecurity, according to information security and cyber security management guidelines about the intranet system.
  • Responsible for following up on performance and using the results to improve IT management and service provision, as well as overseeing and improving the security of technology to ensure it is up to date. The operation level is also responsible for reporting to the management and the relevant committee on a regular basis.
  • Responsible for evaluating IT resource risks annually to ensure that the available resources are sufficient to protect data and to ensure that the information is accurate, reliable and up-to-date.
  • Responsible for implementing operations according to the operational plan in accordance with the ISO 27001 standard.
Mitigation Actions for Cyber Threats and Information Leaks
Continuously review information technology security policies.
Rehearse plans for cyber-attack threats and information system recovery plans within the company. Cooperate with the GC Group when arranging the risk management system according to the ISO 27001 guidelines by reviewing and regularly assessing the effectiveness of the information technology security action plan.
Establish a Personal Data Protection Act’s working team responsible for defining plans and procedures, including the evaluation of GGC’s performance in accordance with the Personal Data Protection Act.
Continually raise awareness and prepare employees in all levels as well as suppliers for cybersecurity threats by organizing training on the risks of cyber-attacks and information leaks, and improve knowledge of the Personal Data Protection Act, according to GGC’s operations manual.

Information Security and Cybersecurity Awareness

The Company raises awareness and prepares employees regarding cybersecurity at all levels through the knowledge testing, understanding and aware of e-mail based threats (Phishing Test) and 3 E-Learning Cyber Security Online lessons, with an understanding assessment through a post-test at the end of the lesson. Employees can apply the knowledge gained in their work.

1. Cybersecurity Case study: e-mail based threats

2. Maintaining security on personal devices

3. Protection of personal information

Phishing Test in 2023

In 2023, it was found that out of a total of 265 employees who participated in the test, 121 employees accurately reported phishing incidents, accounting for 46 percent of all participants. Additionally, one employee fell victim to phishing email, constituting 0 percent of the total. When compared to the previous test, the number of employees accurately reporting phishing incidents increased from 36 to 46 percent, while the number of victims decreased from 2 to 0 percent.

Process and Infrastructure

GGC has established an information security management system and asset security practices according to international standards and in compliance with cybersecurity practices. GGC also conducts annual inspections and reviews of the information and cyber infrastructure systems by external agencies. The past year’s review found that the process and infrastructure of GGC’s information and cyber systems meet international standards and do not have any defects.

In addition, GGC conducts a vulnerability assessment (VA) at least twice a year, the company implements a Business Continuity Plan. In 2023, GGC conducted its annual Cyber Incident Response Tabletop Exercise to test the stability of data security and information technology systems. A simulated scenario of a Cyber Attack was create by an external intrusion, who tries to penetrates GGC’s IT Security in order to gather company’s, leading to company data leakage.

In addition, GGC inspects for internal and external computer system vulnerabilities every 6 months in order to prepare a plan for protection and remediation from threats. GGC’s vulnerability severity levels are categorized into three levels: High Severity, Medium Severity and Low Severity.