Information Technology Security Policy

T.H. NIC Co., Ltd., hereinafter referred to as “the Company,” has implemented an information technology system to facilitate employees in their work. To ensure that this system meets the expectations and needs of stakeholders, particularly in terms of having practices, tools, and standards that are modern, efficient, and secure according to international standards, the Company aims to ensure that all IT operations are secure and reliable. Furthermore, the Company will adequately protect its information and IT assets while considering risks from potential security threats and cyber security issues. Measures will be put in place to maintain confidentiality, accuracy, completeness, and availability for proper operations while complying with regulations, rules, and laws regarding information security. Therefore, the following IT security policy has been established:

1. Risk Assessment and Management

The project owner or the designated individual responsible for overseeing the company's information systems must ensure the management of risks related to information technology. This includes the identification of risks, risk assessment, and the implementation of risk controls that fall within the company's acceptable thresholds. Additionally, a responsible party must be appointed to manage information technology risks appropriately, ensuring that the management of these risks is conducted effectively.

2. Management of Information Technology Resources

The project owner or the designated individual responsible for overseeing the company's information systems must ensure the management of information technology resources aligns with the company's strategic plan. This includes overseeing human resources and information technology systems that are sufficient to support information technology operations. Additionally, there must be a management strategy in place to address significant risks if resources cannot be adequately allocated for information technology operations.

3. Security of Information Assets

3.1 Control of Access to Data and Information Systems

The project owner or the designated individual responsible for overseeing the company's information systems must establish security standards for information technology systems regarding access control and the use of the company's information systems. These standards should be appropriate to the type of data, its priority, or its classification level, as well as the access levels and access methods. Furthermore, measures must be implemented to prevent unauthorized intrusion through the network, including protection against malicious software that could harm the company's data.

3.2 Establishment of Physical Security and Environmental Safeguards

The project owner or the designated individual responsible for overseeing the company's information systems must establish measures to prevent, control, and maintain the physical security of information assets and information technology equipment that serve as the infrastructure supporting the company’s information systems. These measures should ensure that such assets are kept in a state of readiness and integrity, and also prevent unauthorized access to information assets or unauthorized disclosure of information.

3.3 Management of Information Data and Confidentiality

(1) Classification of Information Assets

The project owner or the designated individual responsible for overseeing the company's information systems must implement the data classification policy, which includes the categorization of information assets and the establishment of information confidentiality levels. These levels must align with relevant laws and regulations applicable to the company.

(2) Development of Backup Systems and Emergency Response Plans

The project owner or the designated individual responsible for overseeing the company's information systems must establish an appropriate backup information system for selected critical information systems and keep it ready for use, so that access to information can continue without interruption. Additionally, the emergency preparedness plan must be regularly updated to ensure it is suitable and aligned with operational requirements. The responsibilities of personnel overseeing the information systems and backup systems must be clearly defined, and regular testing of the readiness of both the backup information systems and the emergency response plans must be conducted.

(3) Control of Data Encryption

The project owner or the designated individual responsible for overseeing the company's information systems must establish measures for data encryption and guidelines for selecting encryption standards that are appropriate to the risks associated with data at each defined confidentiality level. Furthermore, adherence to these policies and procedures must be monitored consistently.

3.4 Supervision of Operational Personnel

(1) Control of User Access

The project owner or the designated individual responsible for overseeing the company's information systems must implement controls regarding the use of information assets and information systems as follows:

1. Establishment of Protective Measures for Information Assets during Inactivity

The project owner or the designated individual responsible for overseeing the company's information systems must define appropriate measures to protect information assets, specifically equipment, during periods of inactivity. This should take into account the risk of unauthorized individuals accessing the equipment in place of the legitimate user.

2. Regulation of Mobile Device Usage and Remote Work from External Networks

The project owner or the designated individual responsible for overseeing the company's information systems must establish appropriate measures to ensure the security of portable communication devices. This involves assessing the risks associated with connecting such devices to the company's computer network and implementing controls for their use outside the company premises.

(2) Supervision of External Information Technology Service Providers (IT Outsourcing)

The project owner or the designated individual responsible for overseeing the company's information systems must establish requirements and operational frameworks for external information technology service providers to ensure efficiency and security. This framework should address scenarios where the primary service provider subcontracts other external service providers for information technology tasks. Additionally, internal personnel must be assigned to oversee these activities.

3.5 Management of Computer Network Systems and Information Data Transmission

(1) Ensuring the Security of Information Communication through Computer Networks

The project owner or the designated individual responsible for overseeing the company's information systems must ensure the effective management and security of the computer network. This includes establishing security requirements, service levels, and management needs in service agreements or contracts for network services, whether provided internally or externally. Additionally, appropriate segmentation of the computer network must be implemented, considering access requirements, information security impacts, and the criticality of the data on the network.

(2) Control of Information Data Transmission

1. The project owner or the designated individual responsible for overseeing the company's information systems must establish measures to control the transmission of electronic messages (e.g., email, instant messaging). Important electronic messages must be adequately protected against unauthorized access, modification, or disruptions that could render the system inoperable.

2. Management must ensure that personnel and external entities working for the company sign confidentiality or non-disclosure agreements regarding the company's information in writing.

3.6 Protection Against Threats to Information Systems

(1) Prevention of Threats from Malicious Software

The project owner or the designated individual responsible for overseeing the company's information systems must implement measures for the detection, prevention, and recovery of systems to protect assets from malicious software. Additionally, relevant awareness programs for users must be established.

(2) Management of Technical Vulnerabilities

The project owner or the designated individual responsible for overseeing the company's information systems must ensure that the company’s information systems are assessed for potential technical vulnerabilities according to the following guidelines:

1. Conduct penetration testing on critical systems connected to untrusted networks at least once a year and whenever significant changes are made to those systems, based on risk and business impact analysis.

2. Perform vulnerability assessments on all critical systems at least once a year and whenever significant changes occur, and report the findings to relevant departments for awareness and remediation.

3. Test the procedures and processes for managing incidents that may impact the security of information systems at least once a year.

3.7 Procurement, Development, and Maintenance of Information Systems

The project owner or the designated individual responsible for overseeing the company's information systems must establish requirements for the procurement, development, and maintenance of information systems to minimize errors in defining requirements and in designing, developing, and testing new or enhanced systems. Additionally, it must be ensured that developed or procured systems comply with established agreements.

4. Policy Review

It is required that the information security policy for information technology systems be reviewed at least once a year or whenever significant changes occur. The project owner or the designated individual responsible for overseeing the company's information systems, along with other relevant parties, must update procedures and practices to align with any changes in the policy.

5. Evaluation of Performance and Internal Standard Assessments

An internal standard assessment must be conducted, which includes evaluating and measuring performance according to the laws, regulations, and standards established by the office, as well as other necessary standards for the office's operations. This is to ensure the effectiveness of operations and the security of information, including the office’s information systems.

6. Enforcement

This information security policy for information technology systems shall apply to employees, contractors, and personnel of T.H. NIC Co., Ltd., as well as external individuals and organizations providing services to the company. It shall take effect from the day following its announcement.

Effective as of August 20, 2021
