Information Technology Security Policy
Scope
This policy covers the information technology operations of AP (Thailand) Public Company Limited and its affiliates. It applies to all types of the Company’s assets (regardless of whether such assets are located on company premises or elsewhere), including:
- Information (e.g., databases, documents, emails), including personal data
- Licensed software or custom-developed programs
- Physical assets (e.g., computer rooms, computer equipment, laptops, tablets, printers, workspaces)
- Employees and personnel hired by the Company
- Supporting services (e.g., power backup systems, communication systems, network systems)
Definitions
- Information Security refers to the preservation of confidentiality, integrity, and availability, so as to prevent unauthorized access to information, unauthorized alteration of it, or its loss in a way that renders it unusable.
- Information Security Measures refer to the processes of identifying the organizational context and the risks associated with information security (Identify), protecting information assets (Protect), detecting abnormal or suspicious events (Detect), responding to such incidents (Respond), and recovering information assets from damage to ensure business continuity (Recover).
Details
The Company has established an overarching policy for managing information security, dividing key components into 14 categories as follows:
- Information Security Policy: The Company shall establish a written information security policy and communicate it to employees and all relevant external departments to ensure proper understanding and compliance. The policy shall be reviewed periodically or whenever there are significant changes affecting the organization.
- Organization of Information Security - Structure, Roles, and Responsibilities: The Company shall clearly define roles and responsibilities related to information security operations. Supervision, assessment, and monitoring of performance related to information security measures must be implemented accordingly.
- Human Resources Security: The Company shall implement security control measures related to personnel management and provide appropriate information security awareness and training. This is to ensure that all employees and external personnel hired by the Company understand and comply with the policy. Access rights must be revoked, and company property must be returned at the end of employment.
- Asset Management - Classification and Control: The Company shall maintain an asset register that identifies asset owners or custodians, establish usage and return policies, and ensure the proper destruction of data storage media based on the level of data confidentiality. Asset labeling must be in place to facilitate effective asset management and safeguard information assets in line with the Company’s security measures.
- Access Control: The Company shall implement secure access control for internal and external information systems. This includes setting password policies, defining and reviewing user access rights, and ensuring that all access permissions are granted in accordance with company regulations.
- Encryption for Confidential Information: The Company shall implement appropriate encryption measures to protect important confidential data, ensuring that such information can be accessed or used only by authorized individuals. This involves computer-based processes that convert readable data into an unreadable form (encryption) that can be made readable again only with the correct method (decryption).
- Physical and Environmental Security: The Company shall establish control measures to secure physical locations and environmental conditions. This includes controlling access to areas housing computer systems, power backup systems, air-conditioning systems, and other protective systems (e.g., fingerprint scanners, CCTV, automatic fire suppression). These controls prevent unauthorized individuals from accessing or damaging information assets. Equipment maintenance must also be ensured to keep systems in optimal, operational condition.
- Operations Security: The Company shall ensure information resources are properly planned and available, with suitable protection mechanisms in place. This includes logging abnormal events, monitoring system usage, backing up data, managing data transmission and exchanges (e.g., email, internet), and implementing change management controls to ensure the security and integrity of the Company's information systems.
- Communications Security: The Company shall establish measures to secure access to network systems. This includes network segmentation between internal and external users, and controlling external access via VPN, which must be pre-approved by authorized personnel. Use of personal computing devices on the Company’s network must also be pre-approved and granted only necessary access. Additionally, secure methods must be enforced for data transfers between internal units and external organizations.
- Systems Acquisition, Development, and Maintenance: The Company must apply security measures throughout the entire system development lifecycle, including development, testing, and the handling of test data. This also includes verifying the security of imported or exported data. These measures must be considered as part of any procurement or outsourcing activities with third-party service providers.
- Supplier Relationships: The Company must establish protective measures for information assets accessed by external service providers. Written agreements are required, including service contracts, confidentiality agreements, and personal data processing agreements. These agreements must define the obligations of external providers regarding access, processing, storage, and transmission of information, along with procedures for managing any changes in the services provided.
- Information Security Incident Management: The Company must assign responsible personnel and establish procedures to respond to incidents that impact the security of information systems, including violations of the Company’s personal data protection measures. This includes the reporting of abnormal incidents, security vulnerabilities, and personal data breaches to the Information Technology Management and relevant regulatory authorities.
- Information Security in Business Continuity Management: The Company shall establish an Information Technology Business Continuity Plan to address situations in which crises or disasters disrupt the normal operation of information systems or networks. The Company must be able to manage such issues in a way that allows continued service to customers according to the plan. Business continuity plans must be tested at least once a year or as appropriate, and the results must be used to improve the plan to ensure alignment with business operations.
- Compliance: The Company shall ensure compliance with applicable laws, regulations, and requirements set by government agencies and regulatory bodies, as well as with the contractual obligations binding the Company.
Roles and Responsibilities
- The IT Steering Committee is responsible for setting the direction and measures for information security, as well as providing support to ensure that operations align with the Company’s policy.
- The Chief Information Technology Officer (CITO) is responsible for overseeing and ensuring that operations comply with the information security policy announced by the Company.
- Department Heads are responsible for the security of assets and information under their supervision, ensuring they are maintained securely in accordance with the Company’s policy. They must also coordinate with the IT department in auditing and assessing the effectiveness of implemented information security measures.
- Employees, vendors, contractors, and consultants are responsible for adhering to the information security policy, standards, procedures, and operational guidelines relevant to their work in order to maintain information security.
Enforcement and Penalties
This policy forms part of the Company’s internal regulations. Any employee who violates or fails to comply with the policy may be subject to disciplinary action as specified in the Company’s work rules. Disciplinary measures will be considered and applied at the Company’s discretion.