ASPIRATION

Ensure effective data privacy and cyber security to enhance customer value while ensuring customer trust

Information technology has been evolving, resulting in a proliferation of data usage and connectivity. This has also resulted in greater exposure to more sophisticated attempts by cybercriminals to launch cyberattacks. In this regard, the threat to cyber security has influenced the relevant authorities to continuously enhance legislation on cyber security and personal data protection. AIS places high priority on protecting customers’ information privacy, ensuring cyber security, and complying with regulations, and regards these as obligations; doing so helps reduce financial and reputational risks from losses and leaks of customers’ data and from cyberattacks. At the same time, a thorough understanding of the trends, technology, and regulations also brings about new opportunities for AIS to enhance the value to and relationships with our customers while earning their trust through assured security.

HOW WE ADDRESS THE ISSUE

To demonstrate our commitment to protecting our customers’ data privacy and information security, we set the following goals:

  • Comply with cyber security-related laws and regulations, new technology-adopted standards and privacy regulations toward the 2021 target
  • Enhance cyber security protection and visibility to protect infrastructure, system and new related services toward the 2021 target

To ensure customer data protection, AIS set in place the following actions and procedures:

  • Promote customer privacy protection Company-wide through awareness building, education and implementation
  • Perform a Data Protection Impact Assessment to identify and minimize the risks related to data protection in our services
  • Restrict access to sensitive information and deploy multiple data protection techniques to prevent customer information leaks

For cyber security, AIS has the infrastructure, systems and protocols to ensure the regular management, testing, and monitoring of cyber security incidents. Our policies and guidelines related to cyber security are developed and reviewed regularly in accordance with the best practices and related regulatory requirements.

AIS used the “NIST Cyber Security Framework” as a guideline for designing our cyber security strategies and processes, which include the following steps:

Source: National Institute of Standards and Technology

For our cyberattack response, protocol and escalation process, AIS applies the “NIST's Cyber Incident Response Framework” in our day-to-day routine, which involves the following incident handling steps:

Source: Computer Security Incident Handling Guide by National Institute of Standards and Technology

OUR ACTIONS

AIS has obtained the following certifications and standards, which underline our commitment to data security for our services and customers:

In 2019, AIS obtained the latest global Payment Card Industry Data Security Standard (PCI DSS), Version 3.2.1, and is considered to be the first Thai telecom operator to acquire this standard. The objective is to manage and reduce the risk of fraud related to credit cards, including by restricting access to customers’ sensitive information.

As a cloud and data center service provider, AIS has been certified for ISO27001 Information Security Management System (ISMS) since 2015 and CSA STAR (Cloud Security Alliance) Self-Assessment since 2016.

In addition, AIS staff involved in cyber security and data privacy related functions underwent training and acquired new certifications in ethical hacking and penetration testing, incident management and forensics, and cyber security management.

Our Performance

| | Units | 2015 | 2016 | 2017 | 2018 |
|---|---|---|---|---|---|
| Number of reported complaints during the year regarding breaches of customer privacy and losses of customer data | | | | | |
| From outside parties | Cases | 271 | 321 | 575 | 131 |
| From regulatory bodies | Cases | 13 | 11 | 15 | 47 |
| Leaks, thefts, or losses of customers’ data | Cases | 0 | 1 | 0 | 0 |
| Number of government requests¹ | Cases | 26,022 | 26,301 | 26,710 | 28,270 |

¹ The company provides customer data upon the request of government agencies authorized and designated by law, including the Court of Justice, Royal Thai Police, Anti-Money Laundering Office, etc.

RELATED POLICIES

Our Customer Data Privacy Protection Policy explains our customer data privacy practices to customers, e.g. the purpose of collecting and using data.

The NBTC Privacy Guideline describes how customer information is collected, stored, processed, and disclosed.

The Information Security Policy describes the company’s duties and responsibilities regarding information security.

Customers with questions and concerns related to IT security and data privacy can contact us via our Complaint Center at

Telephone : 08-0000-9263

Email : complaint_center@ais.co.th

AIS Sustainability Report