Challenges and Commitments

GGC is well aware of the risks relating to information technology and cyber security, which present themselves as external attacks on the IT system or internal leakage of personal and corporate data. Such risks can affect the Company’s operations and the safety of the personal data of employees, customers and suppliers. Therefore, GGC strives to develop a system that creates an IT shield through a secure governance structure, compliance with the Personal Data Protection Act, and training to build confidence, knowledge and understanding among employees.

Key Stakeholders

Employee
Customer
Government
Supplier and Business Partner

Goals

Zero leakage of personal data, no complaints relating to cyber security incidents, and no employees or stakeholders falling victim to IT and cyber-attacks.

Management Approach

Cybersecurity Governance

GGC has established a policy for information technology security to be used as a guideline for the development of information security management systems.

This policy outlines a process for controlling the security of information technology systems according to the ISO 27001 standard (Information Security Management) and Control Objectives for Information and Related Technologies (COBIT). It covers the procedures regarding the use of information in order to manage information and cyber security operations, as well as to prevent and reduce risks and potential impacts.

Information and Cyber Security Governance Structure

In addition, the Company has established an information security and cyber security governance structure, which is regarded as the main process in building information security and protection against cyber threats. The working group is divided into 3 levels: Committee level, Management level, and Operation level.

Governance Levels and Responsibilities
Board Level Audit Committee
  • Scope of authority includes supporting corporate governance with a focus on sustainable development, especially in terms of internal control, risk management, as well as Information Security and Cyber Security, chaired by a Board of Directors member.
GC Group’s Digital & IT Steering Committee (DISC)
  • Scope of authority includes policy direction of the Company's digital and information technology to ensure that the goals remain consistent and meet international standards, comparable to leading international companies in the same business, chaired by the Chief Executive Officer and President.
ISMS Committee
  • Responsible for supervising information security, cyber security, and cloud security in line with international standards.
Enterprise Architecture Committee (EA Committee)
  • Responsible for considering the management of the organization's technology structure to meet usage needs and maintain modern international standards in order to achieve maximum benefits.
Chief Information Security Officer (CISO)
  • Responsible for setting goals and security policies in line with the Company's strategic plan, and for developing information security policies, standards, procedures and guidelines so that the Company maintains the Confidentiality, Integrity and Availability of its information and information systems. The officer is also responsible for coordinating control work and reporting cyber threat incidents to senior management and the Office of the National Cyber Security Commission.
Management Level
  • Responsible for setting data and information management policies such as the Information Security (IS) Policy, Cyber Security Policy, Cloud Security Policy, Service Level Agreement (SLA), Secure System Development Life Cycle (SSDLC), and Data Protection.
  • Responsible for implementing the ISO series (ISO 27001, ISO 27701, ISO 22301) and the NIST Cybersecurity Framework as a framework for operating and controlling user operations so that data and information are accurate and available. The management is also responsible for introducing both internal and external auditing systems to monitor and verify various processes to ensure that data and information are accurate, reliable and well-maintained.
Operation Level
  • Responsible for defining systems, practices and various service systems related to the intranet system, and for providing training to employees in the Company to communicate and raise awareness of the importance and risks of information and cyber security, in accordance with the information security and cyber security management guidelines for the intranet system.
  • Responsible for following up on performance and using the results to improve IT management and service provision, as well as overseeing and improving the security of technology to ensure it is up to date. The operation level is also responsible for reporting to the management and the relevant committee on a regular basis.
  • Responsible for evaluating IT resource risks annually to ensure that the available resources are sufficient to protect data and to ensure that the information is accurate, reliable and up-to-date.
  • Responsible for implementing operations according to the operational plan in accordance with the ISO 27001 standard.
Mitigation Actions for Cyber Threats and Information Leaks
Continuously review information technology security policies.
Rehearse plans for cyber-attack threats and information system recovery plans within the company. Cooperate with the GC Group when arranging the risk management system according to the ISO 27001 guidelines by reviewing and regularly assessing the effectiveness of the information technology security action plan.
Establish a Personal Data Protection Act’s working team responsible for defining plans and procedures, including the evaluation of GGC’s performance in accordance with the Personal Data Protection Act.
Continually raise awareness and prepare employees at all levels, as well as suppliers, for cybersecurity threats by organizing training on the risks of cyber-attacks and information leaks, and improve knowledge of the Personal Data Protection Act, according to GGC’s operations manual.

Information Security and Cybersecurity Awareness

The Company raises awareness and prepares employees regarding cybersecurity at all levels through a total of 4 E-Learning Cyber Security Online lessons, with an understanding assessment through a post-test at the end of the lesson. Employees can apply the knowledge gained in their work.

1. Let’s Secure Your Behaviors

2. Let’s Secure Your Data Behaviors

3. Beware of Social Engineering Attacks

4. Cyber Security Reminder (Password)

Process and Infrastructure

GGC has established an information security management system and asset security practices according to international standards and in compliance with cybersecurity practices. GGC also conducts annual inspections and reviews of the information and cyber infrastructure systems by external agencies. The past year’s review found that the process and infrastructure of GGC’s information and cyber systems meet international standards and do not have any defects.

In addition, the company conducts a vulnerability assessment (VA) on the computer system and the business continuity plan at least twice a year. In 2022, GGC had a Cyber Incident Response Tabletop Exercise to test the security system by simulating an external cyberattack to hack into the company's information system.

In addition, GGC inspects for internal and external computer system vulnerabilities every 6 months in order to prepare a plan for protection and remediation from threats. GGC’s vulnerability severity levels are categorized into three levels: High Severity, Medium Severity and Low Severity.