Information Technology and Cyber Security Policy

Today's business environment is driven by technology, and cyber threats have become a challenging and difficult problem for organizations of all sizes. A strong and effective Information Technology and Cyber Security Policy is therefore an important shield: it protects sensitive data, builds customer confidence, and strengthens business stability.

S. Khon Kaen Foods Public Company Limited has given importance to maintaining security. Therefore, knowledge and awareness of the secure use of information systems have been created for users and staff by establishing policies, conducting training sessions, and distributing relevant documents through the company’s internal website. Additionally, the Information Technology and Cyber Security Policy is communicated to external service providers on relevant matters. The recruitment process is also conducted in accordance with defined criteria, including candidate screening and background checks. This involves verifying criminal records with the Royal Thai Police. Furthermore, the company establishes clear terms and conditions of employment to ensure compliance with organizational standards.

Objective

To ensure that the organization's information systems are managed appropriately, efficiently, and securely, while maintaining business continuity and preventing issues arising from improper use or potential cyber threats, the organization has established an Information Technology and Cyber Security Policy. This policy includes clearly defined standards, procedures, and work instructions covering all aspects of information security and threat prevention.

The objectives are as follows:

Scope

This Information Technology and Cyber Security Policy is in accordance with the information security management system standard (ISO/IEC 27001). It is applicable to the organization's information assets, asset custodians, asset users, boards of directors, executives, employees, and important information infrastructure under the supervision of the organization. Other users who may be involved but are not directly responsible for asset management are also required to cooperate and comply with this policy. Any violation of this policy shall be considered an offense and must be processed according to organizational regulations.

Role and Responsibilities

1. Commander’s Responsibilities

2. Employees’ Responsibilities

Definitions

The definitions in this section provide clear and consistent meanings for terms used in this Information Technology and Cyber Security Policy and its practices.

  1. "Organization" refers to S. Khonkaen Foods Public Company Limited, which utilizes information systems, networks, and computer systems.
  2. "Chief Executive Officer (CEO)" refers to the highest-ranking executive of S. Khonkaen Foods Public Company Limited.
  3. "Employee" refers to personnel employed within the organization.
  4. "Commander" refers to a person with authority to issue directives according to the organization’s management structure.
  5. "User" refers to authorized individuals such as board members, executives, and employees who are granted access to use, manage, or maintain the organization’s information systems based on their roles and responsibilities.
  6. "User Rights" refer to the roles and responsibilities assigned to users regarding access to the organization’s information systems.
  7. "General Access Rights" refer to the basic access granted to board members, executives, and all employees to use the organization’s information systems. Users must request authorization from their department manager or supervisor using the organization’s designated request form.
  8. "Privileged Access Rights" refer to special access granted by commander on a case-by-case basis.
  9. "Computing Device" refers to a device equipped with a processor, memory, data storage, network interface, input, and display components, such as desktop computers, notebook computers, and peripherals like a mouse, keyboard, or monitor.
  10. "Third Party Service" refers to any individual or legal entity that provides IT-related services, connects to the organization’s IT systems, or has access to sensitive organizational or customer information.
  11. "Bring Your Own Device (BYOD)" refers to employee-owned computing devices that are used for work-related tasks.
  12. "Data Owner" refers to the individual responsible for a specific set of data within the organization. This includes the data owner's supervisor. The data owner is accountable for any loss or compromise of the data.
  13. "System Owner" refers to a person or department responsible for the overall management and operation of an information system, ensuring that it functions securely, efficiently, and in alignment with the organization’s IT and cyber security policies.
  14. "Information Security" refers to the protection of the confidentiality, integrity, and availability of information, as well as ensuring authenticity, accountability, non-repudiation, and reliability.
  15. "Data" refers to any meaningful representation of facts, whether in the form of printed media, reports, books, maps, drawings, photographs, CDs, DVDs, hard disks, flash drives, external HDDs, computer recordings, or other recordable formats.
  16. "Information" refers to processed or organized data presented in a format that is understandable and useful for planning, decision-making, or management purposes.
  17. "Social Media" refers to online platforms that allow users to exchange experiences and information through various communication formats, including:
    • Social Networking: Facebook, LinkedIn, Instagram
    • Publishing Platforms: Wikipedia, Tumblr, Online news sites
    • Picture & Video Sharing: YouTube, Flickr, Photobucket
    • Instant Messaging: Microsoft Teams, Line, Skype
  18. "Network System" refers to systems used for communication or data transmission between computers, such as LAN (Local Area Network), WLAN (Wireless LAN), and the Internet.
  19. "Internet" refers to a global system of interconnected computer networks that link multiple networks worldwide.
  20. "Intranet" refers to a private network accessible only to authorized users within the organization, designed for internal communication and information sharing.
  21. "Information System" refers to systems that use technology to create, process, manage, and communicate information, supporting activities such as planning, management, and operational control. It includes computer systems and telecommunication technologies like networks.
  22. "Change Management" refers to the process of controlling changes to information systems, including new system implementation or modifications to existing processes.
  23. "Capacity Management" refers to the management of resources and the determination of capabilities related to staff, operational plans, and other resources.
  24. "Vulnerability" refers to weaknesses in an information system that may be exploited by malicious actors, resulting in reduced performance or compromise.
  25. "Risk Assessment" refers to the process of identifying, analyzing, and evaluating risks that could impact information assets, systems or the organization, with the aim of understanding and mitigating those risks through appropriate planning and controls.

1.1 Information Technology and Cyber Security Policy

Objective

This Information Technology and Cyber Security Policy is established to define the direction, assess risks, manage data usage and dissemination, and enforce compliance with cyber security frameworks. Its aim is to ensure the confidentiality, integrity, and availability of information and information systems through effective management and internal control mechanisms. The policy is guided by a risk-based approach, encouraging all users to recognize the importance of information and cyber security, as well as the significance of risk management within the organization.

Procedures

  1. Top management is ultimately responsible for any risk or damage to the organization's information systems resulting from the neglect or failure to implement proper information and cyber security controls.
  2. A risk assessment must be conducted at least once per year, and additionally whenever there is a significant change. This assessment must take into account the internal context, external context, interested parties, the organization's vision and mission, changes in the cyber security environment, risks, and relevant international standards.
  3. The organization must define criteria for acceptable and unacceptable levels of risk, which will serve as a foundation for managing the risks identified during the risk assessment process.
  4. The policy must be reviewed at least annually, or whenever significant changes occur, to ensure its continued relevance and effectiveness.
  5. The organization must promote awareness training on information and cyber security at least once a year, to ensure that all users understand their responsibilities and the importance of maintaining security.
  6. An audit plan must be established to review compliance with this policy and its associated guidelines. This audit must be conducted by internal auditors and/or external auditors at least once per year, with follow-up actions taken to correct, improve, or prevent issues based on the audit results.

1.2 Organization of Information Technology and Cyber Security

Objective

To establish an internal organizational structure, define roles and responsibilities, and put control measures in place to supervise and monitor the performance of duties across the organization's departments appropriately.

Procedures

  1. Roles and Responsibilities
  2. Segregation of Duties

1.3 Asset Management Policy

Objective

To ensure the identification of critical organizational assets and establish clear responsibilities for protecting those assets against threats, vulnerabilities, intrusions, theft, and potential damage in an appropriate manner.

Procedures

Responsibility for Assets

  1. A comprehensive Asset List, including an IT Asset List and records of data stored across various media, must be created. Assets should be clearly categorized to facilitate valuation, and each asset must have an assigned owner. The asset list must be maintained, reviewed, and updated regularly to ensure accuracy.
  2. The Asset List and IT Asset List must be reviewed at least once a year to ensure they remain current and complete.
  3. For leased IT equipment, including computers, network devices, software, or IT systems, the responsible department must maintain a detailed inventory of all leased items.
  4. Upon termination of employment, contract expiration, or agreement conclusion, employees or external parties utilizing the Organization's assets must return all assets in their possession.
  5. A cybersecurity risk assessment of critical systems must be conducted at least once a year.

1.4 Access Control Policy

Objective

To manage access rights, identify users, establish durations, and control access to information systems strictly for authorized individuals, thereby preventing unauthorized disclosure or access to information systems and devices. This includes the establishment of operational guidelines and policies as follows:

  • Information System Access Control Policy
  • Operating System Access Control Policy
  • Application and Information Access Control Policy

1.4.1 Information System Access Control Policy

Objective

This Information System Access and Usage Control Policy is established to

Procedure

  1. Define Information System Access and Usage Control
  2. Manage System Access Rights.
  3. Manage User Access
  4. Define User Responsibilities

1.4.2 Operating System Access Control Policy

Objective

To maintain security and prevent unauthorized access to the operating system.

Procedures

  1. Define controls for access to the organization's operating systems.
  2. Identify and authenticate users.
  3. Manage the Use of System Utilities.
  4. Set Usage Time Management for system access.

1.4.3 Application and Information Access Control Policy

Objective

To establish rules and controls that prevent unauthorized access to the organization's applications and information.

Procedures

  1. Control access to the organization's applications and information by restricting or limiting user access to specific information and functions within the applications.

1.5 Third Party Management Policy

Objective

The use of external service providers (third parties) may introduce various risks, such as unauthorized access to data, improper data modification, unauthorized system processing, and cyber threats. Therefore, it is essential to implement controls over third parties who access the organization’s information and communication systems. This includes establishing secure practices, as well as setting guidelines for the selection, operational control, and performance evaluation of third parties.

Procedures

  1. Information Technology and Cyber Security Policy on Third Party Relationships
    The organization’s Information Technology and Cyber Security Policy must specify security requirements related to third parties. All relevant personnel must assess potential risks and define preventive measures to mitigate these risks before allowing any third party or external service provider to access the organization’s information systems or use its information assets.
  2. Access Control for External Service Providers (Third Parties)
    Any access by third parties to information systems or processing equipment must be preceded by a risk assessment, with appropriate mitigating measures in place. Third parties requesting access to the organization’s information sources must obtain written approval from the data owner’s supervisor, manager, or department head, who is fully responsible for the actions of the third party. The access period must also be clearly specified.
  3. Selection of External Service Providers (Third Parties)
    The selection process must follow the established Supply Chain Management Procedure and relevant documentation to ensure compliance and security in procuring external services.
  4. Security Requirements in Service Agreements
    Information security requirements must be clearly stated in the service agreements with external providers, especially in relation to access, processing, storage, communication, and the delivery of the organization’s information services.
  5. Third-Party Service Delivery Management
    The services provided by third parties must be regularly monitored, reviewed, and audited at least once a year to ensure compliance with contractual and security obligations. If there are any proposed changes in the services provided, the third party must notify the organization and obtain formal approval before implementing the changes. A risk assessment must also be conducted for any such changes.

1.6 Information Security Incident Management Policy

Objective

To ensure that incidents related to the security of the organization's information systems and cyber threats are handled correctly and within a designated or appropriate timeframe. This also includes establishing consistent methods for managing information and cyber security incidents within the organization.

Procedures

  1. Clearly define roles and responsibilities for managing information and cyber security incidents, including contact details of the relevant personnel.
  2. Establish procedures to handle cybersecurity breaches within the organization. This includes classifying incident scenarios, defining criteria, specifying response steps, activating the Disaster Recovery Plan (DRP) to limit the impact of incidents, and conducting post-incident reviews to prevent recurrence.
  3. Review the cyber threat response plan at least once a year from the date of the last approval or whenever there is a significant change. Cybersecurity incidents must be reported to the management for awareness and necessary action.

1.7 Business Continuity Management Policy

Objective

To provide a framework for managing the continuity of the organization’s operations during crisis and emergency situations. This ensures that essential business processes and information systems have appropriately established Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP).

Procedures

  1. Define procedures for emergency preparedness planning.
  2. Develop and specify recovery procedures to restore operations to normal, including installation control, configuration, testing of recovered or replacement systems, and reporting of damage assessments to supervisors.
  3. Communicate and provide training to all relevant personnel, as well as test, update, and review the emergency plans regularly.
  4. Oversee or ensure the installation of backup information systems, backup equipment, or adequate systems to support continued service and maintain appropriate business continuity.

1.8 Compliance with Legal Requirements Policy

Objective

To prevent violations of applicable laws, regulations, contractual terms, and other security requirements relevant to operations. This policy serves as a guideline for the organization, employees, and other relevant parties to ensure compliance with legal standards and the organization’s Information Technology and Cyber Security Policies. All employees and stakeholders are responsible for understanding and complying with applicable policies, rules, laws, and contracts, including but not limited to:

  • Computer Crime Act B.E. 2560 (2017)
  • Electronic Transactions Act B.E. 2544 (2001)
  • Cybersecurity Act B.E. 2562 (2019)
  • Personal Data Protection Act (PDPA) B.E. 2562 (2019)

Procedures

  1. Identification of Applicable Legislation – Identify all relevant legal requirements that impact the organization’s operations.
  2. Compliance with Intellectual Property Laws – Ensure proper usage of copyrighted and intellectual property assets.
  3. Protection of Organizational Records – Implement measures to protect critical organizational data.
  4. Retention of Computer Traffic Data – Retain log data as required by law.
  5. Personal Data Protection and Encryption – Protect personal data and implement encryption as appropriate.
  6. Prevention of Misuse of Information Processing Facilities – Prevent unauthorized or improper use of IT equipment and systems.
  7. Disciplinary Actions – In cases of non-compliance, disciplinary actions may include:
    1. Verbal warning
    2. Written warning
    3. Temporary suspension without pay
    4. Termination of employment
    5. Legal action under civil or criminal law

The company is not required to follow the above order of disciplinary actions and may impose penalties based on the severity of the violation.

2.1 Human Resource Security Policy

Objective

To establish processes for the recruitment, selection, training, and management of personnel throughout the duration of employment. This is to ensure personnel understand their responsibilities in maintaining the security of the organization’s information and information systems.

Procedures

  1. Pre-employment
    • The organization must define information security responsibilities and include them in job descriptions and qualification criteria for relevant positions.
    • The Human Resources and Organization Management Department must verify the qualifications of all candidates prior to employment. This includes conducting background checks, such as criminal records or other relevant verifications based on applicable conditions.
    • Terms and Conditions of Employment:
      All members of the board, executives, and newly hired employees must sign and acknowledge agreements related to the confidentiality of organizational information and any other relevant documents before being authorized to begin work or access the organization’s information systems.
  2. During employment
    • Information Security Education and Training:
      Provide regular training and awareness programs for employees on information and cyber security.
    • Disciplinary Process:
      Define disciplinary procedures to address violations of information security policies.
  3. Job transfer or termination
    • The responsible department must ensure that access rights to information systems are updated, revoked, canceled, or suspended in accordance with changes in employment status. All changes must be documented and traceable for audit and review purposes.

2.2 Computing Device and Teleworking Policy

Objective

To provide guidelines for controlling the use of computing devices and remote work (e.g., work from home) in accordance with the Information Technology and Cyber Security Policy.

Procedures

  1. Define procedures for using computing devices, mobile devices, or BYOD (Bring Your Own Device) for work purposes within the organization.
  2. Teleworking
    • When third-party service providers require temporary remote access to perform tasks, the responsible unit or personnel must enforce strict access control and monitor the use of systems in accordance with granted permissions. All external connections must be approved in advance and conducted through the organization’s designated Virtual Private Network (VPN) only.

3.1 Physical and Environmental Security Policy

Objective

To establish measures for controlling and preventing unauthorized access to buildings, premises, and information system operation areas, taking into account the importance of information system equipment and data, which are valuable assets requiring confidentiality. These measures apply to both users and external service providers.

Procedures

  1. Define standards for identifying areas that require information security protection (Secure Area).
  2. Establish controls for physical entry and exit (Physical Entry Controls).
  3. Define information security requirements for the organization’s offices, rooms, and facilities (Securing Offices, Rooms, and Facilities), including:
    • On-site operations within the organization’s premises.
    • Implement measures to control and monitor physical access into and out of secure areas.
    • Specification of areas requiring security controls (Working in Secure Areas).
    • Security measures for desks and protection of computer screens (Clear Desk and Clear Screen policy).
    • Security of equipment (Equipment Security).

4.1 Operations Management

Objective

To ensure that operations related to information processing equipment and systems are accurate, secure, and efficient. This section comprises three policies:

  • Security Monitoring Policy
  • Corporate Antivirus for Computer Policy
  • Backup Policy

4.1.1 Security Monitoring Policy

Objective

To monitor security-related activities.

Procedures

  1. Audit Logging — recording events related to information usage.
  2. Monitoring System Use — an essential process to maintain the security and performance of information systems, including tracking activities and system status to quickly detect and respond to issues.
  3. Protection of Log Information — to prevent unauthorized alteration or modification of log data.
  4. Administrator and Operator Logs — recording activities performed by system administrators and operators.
  5. Fault Logging — managing issues occurring in systems or software by recording error events, which helps analyze and resolve problems efficiently. Important information should be included in fault logs.
  6. Vulnerability Assessment — crucial for maintaining system and data security.
  7. Penetration Testing — should be conducted at least once a year and before testing new systems or significant system changes (as necessary).
  8. Clock Synchronization — ensuring that the time on all computers in the network is accurate and synchronized, which helps systems work correctly and coordinate with each other. It is also important for security, logging, and time-dependent system functions.

4.1.2 Corporate Antivirus for Computer Policy

Objective

This policy is established to ensure the security of the organization’s information systems, reducing risks to both devices and organizational databases. It helps maintain continuous operation without interruptions.

Procedures

  1. Guidelines for using the Corporate Antivirus system — defining the use of information technology equipment and management of the organization's antivirus software to ensure effective protection and reduce risks from viruses and malware.

4.1.3 Backup Policy

Objective

To provide guidelines for data backup and prevent data loss.

Procedures

  1. Define backup procedures for the organization’s computers.
  2. Back up organizational data and information, ensuring backups are made before any system updates or changes. Backups should be performed at least once a week, and recovery testing should be conducted at least once a year, following documented backup and recovery testing procedures.
  3. All critical organizational data and information must have backup processing systems and backup network systems to avoid reliance on a single primary system. In case one system fails, the other can be used immediately to ensure the organization's operations continue without interruption.

4.2 Change Management Policy

Objective

To control changes in the organization’s information systems to ensure that any modifications, improvements, or repairs to information systems and services are properly managed throughout the change process, minimizing risks and potential damages caused by such changes.

Procedures

  1. Methods and processes must be defined to manage changes in systems, software, hardware, and organizational workflows to ensure orderly and controlled changes. Best practices for change management include:
    • The requester and relevant departments must follow the documented Change Management Procedure.
    • All changes must undergo a risk assessment considering all impact areas according to the organization’s risk assessment criteria, including security aspects. The type of change must be identified. A rollback plan must be defined in case the change fails. Initial testing should be conducted if necessary. Notify those who may be affected by the change. Approval must be obtained before implementing any change, all according to the documented Change Management Procedure.

4.3 Capacity Management Policy

Objective

To establish guidelines and procedures for managing the organization’s IT system resources to ensure that systems can efficiently support usage and appropriately meet business needs, providing sufficient capacity for current and future users.

Procedures

  1. Analyze resource usage trends to ensure efficient utilization and to forecast future demand.
  2. Assess the budget required for system upgrades, development, or other organizational needs.
  3. Plan and prepare a resource management plan and submit it to management for approval.
  4. Allocate resources appropriately according to the needs of each department or project to ensure efficient resource usage, forecasting future demand based on trend analysis and usage monitoring data.
  5. Plan for resource scaling or expansion as needed, such as adding servers or storage capacity.
  6. Perform regular maintenance on system resources, including updates, repairs, and replacement of worn components.
  7. Identify and manage risks related to resource management, such as hardware failures or performance issues.
  8. Follow the change management process when changes to system resources occur to ensure such changes do not impact operations.
  9. Prepare regular reports (monthly or quarterly) on resource usage, performance, and any issues encountered.
  10. Review resource management practices and update policies or processes based on reporting results and changing requirements.

4.4 Communication Management

Objective

To determine measures to control network management and data transmission through computer networks both inside and outside the organization to ensure security. It consists of the following policies:

  • Network Access Control Policy
  • Internet Security Policy
  • E-mail Security Policy
  • Social Media
  • Information Transfer Policy

4.4.1 Network Access Control Policy

Objective

To maintain security and prevent unauthorized access to the network.

Procedures

  1. Define operational procedures and responsibilities.
  2. Network Management
    • Devices that connect to the organizational network for internal operations, such as routers and switches, must be connected only with authorization from the responsible department. Network administrators must have maintenance and improvement plans to ensure continuous availability and readiness. Administrators must not use their privileges to access data transmitted or received through the network if they are not authorized to access such data.
    • Remote access devices used for system control, such as Virtual Private Networks (VPNs), must be regularly patched for vulnerabilities and configuration backups must be made each time the device is installed, changed, or periodically as specified. After testing remote access to the information system is completed, any test user accounts must be removed to prevent unauthorized use. Strong authentication mechanisms must be enforced to secure data transmission.
    • Procedures for logging and monitoring abnormalities within the network system must be established.
    • Use of network monitoring tools must be performed only by network administrators or under their supervision and must be approved by supervisors in advance. Usage should be limited to what is strictly necessary.
  3. Define processes for controlling network system access (Network Access Control).
  4. Implement user authentication for external users connecting to the network (User Authentication for External Connections).
  5. Identify equipment on the network by requiring authentication each time devices are used, including username and password verification. Access control must be enforced using the MAC addresses of authorized devices and restricting user access through approved IP addresses only.
  6. Network Segregation: Segment networks appropriately based on user groups and security control requirements to protect important systems and communications.
  7. Network Connection Control: Restrict user permissions for network connections, specify devices and tools used to control network access, and monitor connections regularly.
  8. Network Routing Control: Plan network structure and routing paths considering internal network design and external connections. Prevent disclosure of network plans (IP address schemes). Allow connections only through designated channels or restrict network service usage accordingly. Maintain backup routing configurations to prevent data loss and enable recovery in case of issues. Plan and test recovery procedures to restore routing after unexpected incidents.
  9. Control remote access to the network system.

4.4.2 Internet Security Policy

Objective

To establish standards for internet usage where users must comply, respect rights, be aware of issues arising from internet use, and follow system administrators’ rules to ensure secure and efficient operations.

Procedures

  1. Internet Usage
    • It is prohibited to use or distribute organizational network information for personal business purposes, to access inappropriate websites, or to share information that may harm the organization.
    • Users must not download software that violates intellectual property rights.
    • Users will be granted access to resources based on their duties to ensure network efficiency and data security.
    • Users are responsible for verifying the accuracy and reliability of information found on the internet before using it.
    • Users must never share their usernames or passwords to allow others to access their accounts. If issues arise, such as copyright infringement or illegal data collection, the account owner will be held responsible.
    • If users encounter inappropriate websites that threaten security, violate ethics, or could harm the organization, they must immediately stop interacting with such sites and notify the responsible department.
    • When using social media or web boards for work-related information exchange, users must not disclose confidential or sensitive organizational information. Comments made are considered personal opinions, not those of the organization.
    • Users must not post provocative, defamatory, or damaging remarks that could harm the organization’s reputation or damage relationships with customers and business partners.

4.4.3 E-mail Security Policy

Objective

To establish standards for the use of electronic mail (E-mail), ensuring users understand their duties and responsibilities in using E-mail to prevent unauthorized access or modification of E-mail messages, and to protect the organization's information and resources securely.

Procedures

  1. E-mail Usage
    • When accessing the E-mail system for the first time, users must immediately change their password.
    • Passwords must not be saved or stored on computers or in easily visible places.
    • Users must receive reminders to change their passwords at least every 90 days.
    • Users are prohibited from using others' E-mail addresses to read, receive, or send messages unless authorized by the E-mail owner.
    • The E-mail owner is responsible for all activities conducted using their E-mail account.

4.4.4 Social Media

Objective

To provide guidelines for supervising the dissemination of information and access to the organization’s social media networks.

Procedures

  1. Social Media Usage
    • Content posted on Social Media must not infringe upon the intellectual property rights of others. When referencing supporting information, the source must be clearly cited.
    • Text, images, audio, video clips, or any actions posted on publicly accessible Social Media must be socially and legally responsible by the publisher.
    • The creation of Pages or Accounts as official channels for disseminating organizational information requires the list of Page Admins or Account owners to be reported to management or supervisors, depending on the case. Admins must relinquish control of such Pages or Accounts back to the organization when they leave their role or employment.
    • If any actions on Social Media are found to potentially cause damage or harm the organization’s reputation, the organization will pursue legal actions related to the offense and take disciplinary measures accordingly.

4.4.5 Information Transfer Policy

Objective

To ensure the security of information transferred within the organization and to external departments or third-party service providers through all types of communication channels.

Procedures

  1. Users must protect sensitive information in transit by encrypting attachments, so that confidential data is safeguarded against interception, copying, alteration, and destruction.
  2. Copier machines or printers must have password protection to prevent unauthorized access.
  3. The methods used for communication and information transfer must be defined, specifying how communication is conducted, and both sender and receiver must be informed of them.
  4. Records of communication must be maintained for traceability and audit purposes. Agreements on information transfer must comply with relevant policies and laws.
  5. The importance of data must be identified according to documentation related to data classification and confidentiality levels.

4.5 System Acquisition, Development and Maintenance policy

Objective

To ensure information security is an integral component throughout the system development lifecycle, including requirements for systems that provide services via public networks.

Procedures

  1. Security Requirements of Information Systems: Protect system data and resources from unauthorized access, attacks, and other threats. Building secure systems requires careful risk assessment and management to ensure data integrity and system availability.
  2. Information related to information service transactions must be protected against incomplete data transmission, misrouting, unauthorized message alteration, unauthorized disclosure, and message replay, in accordance with the data classification documentation.
  3. Define security requirements for development and support processes.
  4. Control and manage test data during system testing.

4.6 Password Management Policy

Objective

To provide guidelines for users to securely manage passwords, preventing unauthorized access and security breaches to the organization’s systems and data.

Procedures

  1. Password Management
    Users of the information systems must create secure passwords following the organization’s password management policy.
  2. Password Creation
    • Do not use passwords containing more than three repeated or sequential characters (letters or numbers).
    • A strong password must meet the minimum length (for example, 8 to 12 characters, or as specified by the administrator) and include uppercase letters, lowercase letters, numbers, and special symbols. Avoid easily guessable passwords.
    • Passwords must be changed regularly, for example every 90 days (3 months). Users must be notified at least 7 days before their password expires. Users of Face Scan-enabled devices may be exempted from mandatory password changes.
    • Each user must be assigned a unique user account to access organizational systems. Access rights must strictly follow the “Need-to-Use” principle. Passwords must be changed upon first login and regularly thereafter. Passwords must not be stored in locations easily accessible or visible to others.
    • Passwords are confidential information, and it is the responsibility of each user to securely protect their password. Sharing user accounts or allowing others to use your account is strictly prohibited, including family members when working from home.
    • To reset a password, users must verify their identity and ownership of the user account. Relevant personnel have the right to request information and verify the user’s identity as appropriate.
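The password creation rules above can be enforced at the point where a password is set. The following checker is an added example, not part of the company's policy or systems; it implements the rules as written (runs of more than three repeated or sequential characters, the four character classes, and a guessability check) and assumes a 12-character minimum and a small constructed denylist where the policy leaves the value to the administrator.

```python
"""Password-policy checker: an added example, not part of the original policy."""
import string
from typing import List

# Thresholds from the policy text. The 12-character minimum and the denylist are
# assumptions (the policy says "8-12 characters or as specified by the administrator").
MIN_LENGTH = 12
MAX_RUN = 3  # more than three repeated or sequential characters is rejected
DENYLIST = ("password", "welcome", "qwerty", "letmein", "admin")  # constructed sample list


def longest_repeat(pw: str) -> int:
    """Length of the longest run of one identical character, e.g. 'xaaaay' -> 4."""
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def longest_sequence(pw: str) -> int:
    """Length of the longest ascending or descending run of consecutive letters or digits.

    Compared case-insensitively, so 'aBcD' and '4321' both count as runs of 4.
    Only letters and digits take part, so '9:' or 'z{' do not form a sequence.
    """
    best = 1 if pw else 0
    low = pw.lower()
    for step in (1, -1):
        run = 1
        for prev, cur in zip(low, low[1:]):
            if prev.isalnum() and cur.isalnum() and ord(cur) - ord(prev) == step:
                run += 1
            else:
                run = 1
            best = max(best, run)
    return best


def check_password(pw: str, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    if not all(classes):
        problems.append("must contain uppercase, lowercase, digits and special symbols")
    if longest_repeat(pw) > MAX_RUN:
        problems.append(f"more than {MAX_RUN} repeated characters in a row")
    if longest_sequence(pw) > MAX_RUN:
        problems.append(f"more than {MAX_RUN} sequential characters in a row")
    if any(word in pw.lower() for word in DENYLIST):
        problems.append("contains an easily guessable word")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3!xQ", "aaaa1234!Bcd", "password123"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The checker reports every violated rule at once rather than stopping at the first, which is what a user-facing password dialog needs; the denylist is deliberately a substring match so that variations such as "Password2025!" are still caught.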

4.7 Cryptography

Objective

To define guidelines for encrypting data to maintain confidentiality, authenticate users of information systems, and effectively prevent unauthorized data modification.

Procedures

  1. Establish cryptographic controls and select encryption standards appropriate to the risk levels associated with the data’s classification. If encryption is not possible, appropriate access controls must be enforced.
  2. Key Management must consider the type of data encrypted, ensuring it aligns with the data’s classification level and governance procedures.

4.8 Data Management Policy

Objective

To provide guidelines for managing the organization's data efficiently, securely, and in compliance with legal requirements. This policy covers data classification, the assignment of data ownership, retention periods and procedures for data deletion, and, for confidential or critical data, guidelines for data masking. Data masking must be applied before data is transferred to other departments or external parties. The policy comprises:

  • Information Classification Policy
  • Data Masking
  • Media Handling Policy

4.8.1 Information Classification Policy

Objective

To establish principles and processes for classifying the confidentiality level of information within the organization, ensuring that data is protected according to its appropriate confidentiality level. Classification helps manage risks and prevent unauthorized access in alignment with the importance of the information to the organization.

Procedures

  1. Classification of Information
    • Define confidentiality levels by considering legal requirements, value, importance, and sensitivity to prevent unauthorized disclosure or modification. Follow supporting documents for data classification, such as confidential data, controlled data, and public data.
    • Confidentiality levels, storage, and data usage must be documented in writing and communicated to relevant personnel.
  2. Information Labeling
    • Information must be labeled with its confidentiality level in accordance with the data classification documentation, so that the applicable storage and usage requirements are clear to relevant personnel.
  3. Handling of Assets
    • Handling of information assets must follow the procedures defined in the data classification documentation.
    • Define appropriate retention periods for important or confidential data according to its usage. If data is no longer in use, data deletion or destruction of the storage media must be performed, following the Media Handling Policy.
  4. Set access rights based on the data confidentiality level. For example, access to highly confidential data should be restricted to designated positions only. Monitor and audit data access to ensure compliance with the classification policy.
  5. Provide training for employees regarding the data classification policy, classification procedures, and data handling methods according to assigned confidentiality levels or related documents.

4.8.2 Data Masking

Objective

To provide guidelines for masking or concealing sensitive or confidential data, such as Personally Identifiable Information (PII) or data classified at a high confidentiality level, so that it is not inappropriately disclosed or accessed without authorization. Masking is applied especially when data is accessed or used in higher-risk environments; it reduces the risk when critical or confidential data must be disclosed and lowers the chance of misuse, while keeping the data useful.

Procedures

When important or confidential data must be disclosed, whether for internal use (Internally Shared Data) or public disclosure, the following must be done:

  1. Clearly identify the purpose and the target users who will use the data.
  2. Specify the components of important or confidential data that require masking, consistent with the access rights of the users. Consider the risks and impacts on users or the organization if the data were disclosed or leaked.
  3. Define the masking methods or techniques appropriate for the purpose, such as encryption, substitution of a value with a consistent replacement, or character masking that hides part of a value (for example, showing only the last digits of a number).
  4. Set access rights for masked data according to roles and necessity, e.g., restrict access to masked data only to authorized personnel.
  5. Monitor and audit access to masked data to ensure compliance with the policy and prevent unauthorized access.
  6. Store masked data securely, such as using access-controlled storage systems and encryption.
  7. Promote employee awareness of the importance of data masking and adherence to the policy. Review and update the policy at least once a year or when significant changes occur to ensure it remains suitable and compliant with business needs and legal requirements.
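Steps 1 to 4 of the procedure above translate into a per-audience field policy applied before a record leaves its system. The following is an added example, not code from the company or from the policy; the customer records are constructed and fictitious, the field rules and audience names are assumptions, and the pseudonymisation key stands in for one that would be held by the data owner and never shipped with the masked data.

```python
"""Data-masking example for sharing customer records: an added example, not part of the policy."""
import hashlib
import hmac
from typing import Dict

# Constructed sample records; the people, numbers and addresses are fictitious.
RECORDS = [
    {"customer_id": "C-1001", "name": "Somchai Example", "email": "somchai@example.com",
     "phone": "0812345678", "national_id": "1234567890123", "city": "Khon Kaen"},
    {"customer_id": "C-1002", "name": "Malee Sample", "email": "malee.s@example.org",
     "phone": "0899876543", "national_id": "9876543210987", "city": "Bangkok"},
]

# Steps 2 and 3 of the procedure: which fields are masked, and how, for each target
# audience (assumed audiences). Internal analysts still need to join records, so
# identifiers become keyed pseudonyms; the public release keeps only non-identifying
# fields. Any field without a rule is dropped, so an unexpected column never leaks.
MASKING_POLICY = {
    "internal": {"customer_id": "pseudonym", "name": "initials", "email": "partial_email",
                 "phone": "last4", "national_id": "pseudonym", "city": "keep"},
    "public": {"city": "keep"},
}

# Assumed: held by the data owner in a secrets store and never distributed with the
# masked data set. Without it the pseudonyms can be neither reversed nor re-created.
PSEUDONYM_KEY = b"replace-with-a-key-from-the-secrets-store"


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic substitute: same input gives the same token, but a plain
    hash would let anyone re-derive it from a guessed national ID; the HMAC key prevents that."""
    return "PSN-" + hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_value(value: str, technique: str, key: bytes) -> str:
    """Apply one masking technique to one field value."""
    if technique == "keep":
        return value
    if technique == "pseudonym":
        return pseudonym(value, key)
    if technique == "initials":
        return "".join(part[0].upper() + "." for part in value.split())
    if technique == "partial_email":
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    if technique == "last4":
        return "*" * max(len(value) - 4, 0) + value[-4:]
    raise ValueError(f"unknown masking technique: {technique}")


def mask_record(record: Dict[str, str], audience: str, key: bytes = PSEUDONYM_KEY) -> Dict[str, str]:
    """Mask a record for the given audience; fields with no rule are removed (fail closed)."""
    rules = MASKING_POLICY[audience]
    return {field: mask_value(value, rules[field], key)
            for field, value in record.items() if field in rules}


if __name__ == "__main__":
    for audience in ("internal", "public"):
        print(audience)
        for rec in RECORDS:
            print("  ", mask_record(rec, audience))
```

Because the pseudonym is keyed, two masked extracts produced with the same key can still be joined on customer_id, which is what makes the internal data set useful (the "remains useful" goal in the objective), while an extract produced with a different key, or for a different purpose, cannot be correlated with it.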

4.8.3 Media Handling Policy

Objective

To prevent unauthorized disclosure, alteration, transportation, deletion, or destruction of information assets stored on media.

Procedures

  1. Management of Removable Media
    • Removable media and portable computer devices (for example, thumb drives and external hard disks) that contain confidential organizational data must be carefully controlled.
    • All media must be stored securely in an environment that does not pose any risk to the media.
    • When storing important media, measures must be taken to prevent data leakage or disclosure.
    • Removable media must not be used for activities unrelated to the organization’s business.
    • Sensitive data or data classified as confidential in important systems must be encrypted when stored on removable media.
    • Responsible personnel must check all portable media and portable computer devices before connecting them to the organization’s systems.
    • Employees are prohibited from connecting personal removable media to any organization-owned computer, laptop, or IT equipment without permission. Exceptions are made only when the media contains data related to the organization’s operations or activities, in which case it must be inspected and authorized by the IT infrastructure and security department.
  2. Disposal of Media
    • Confidential data must be securely destroyed when no longer in use. Before removing media from the organization, ensure that the data cannot be recovered or restored.
  3. Security of System Documentation
    • Store system documentation securely according to the information classification guidelines.
    • Access to system documentation must be assigned to authorized personnel only, with approval from the system owner.
    • Do not store critical system documentation on public networks. If use of a public network is necessary, appropriate protective measures must be in place.
  4. Physical Media Transfer
    • Use trusted delivery methods or personnel with verified credentials, and implement controls to protect sensitive data from unauthorized disclosure or alteration, such as encryption according to the classification level.
    • Transfers should be conducted by the employee or authorized personnel with proper documentation and logging of receipt and delivery to allow traceability.
    • In some cases, splitting the media into multiple parts and sending via multiple routes may be used to mitigate risk.

Effective Date: From February 3, 2025, onwards