ASPIRATION

Ensure effective data privacy and cyber security to enhance customer value while ensuring customer trust

Information technology continues to evolve, resulting in a proliferation of data usage and connectivity. This has also resulted in greater exposure to more sophisticated cyberattacks by cybercriminals. In this regard, the threat to cyber security has led the relevant authorities to continuously enhance legislation on cyber security and personal data protection. AIS gives high priority to, and is strongly obliged to ensure, the protection of customers’ information privacy, cyber security, and regulatory compliance, which help reduce financial and reputational risks from losses and leaks of customer data and from cyberattacks. At the same time, a thorough understanding of the trends, technology, and regulations also brings about new opportunities for AIS to enhance the value to and relationships with our customers while earning their trust through assured security.

HOW WE ADDRESS THE ISSUE

To ensure transparency, privacy and the protection of all customer information as well as cyber security, we have put in place governance, policies and procedures that are implemented across the company. Data privacy and cyber security are built into the Company’s enterprise-wide risk management and overseen by the Audit and Risk Committee, through the Cyber Security Committee, focusing on risk, policies, and strategy related to cyber security and data privacy. Our Privacy Policy and Cyber Security Policy apply across the entire organization, including all business units, as well as to external parties, who must undertake their duties in accordance with these policies. Internal controls and audits for customer privacy protection and cyber security are conducted on a regular basis to ensure company-wide compliance with the policies, standards and framework, and to ensure accurate and appropriate practices.

To demonstrate our commitment to protecting our customers’ data privacy and information security, we set the following goals toward the year 2022:

  • Operate in adherence to applicable laws and regulations including the Cyber Security Act and Personal Data Protection Act
  • Enhance cyber security process, technology and staff readiness for the protection of infrastructure, systems and new services
  • Develop and improve technology, cyber security and personal data privacy policies and standards, including revamping CS Loxinfo Plc. or CSL directions for synchronicity with AIS, both in terms of its technological standards and legal developments

To ensure customer data protection, AIS set in place the following actions and procedures:

  • Promote customer privacy protection Company-wide by building awareness, education and implementation
  • Perform a Data Protection Impact Assessment to identify and minimize the risks related to data protection in our services
  • Restrict access to sensitive information and deploy multiple data protection techniques to prevent customer information leaks

For cyber security, AIS has the infrastructure, systems and protocols to ensure the regular management, testing, and monitoring of cyber security incidents. Our policies and guidelines related to cyber security are developed and reviewed regularly in accordance with the best practices and related regulatory requirements.

AIS used the “NIST Cyber Security Framework” as a guideline for designing our cyber security strategies and processes, which include the following steps:

Source: National Institute of Standards and Technology

For cyberattack response, protocol and escalation, AIS applies “NIST's Cyber Incident Response Framework” in our day-to-day routine, which involves the following incident handling steps:

Source: Computer Security Incident Handling Guide by National Institute of Standards and Technology

OUR ACTIONS

AIS has obtained the following certifications and standards, which underline our commitment to data security for our services and customers:

In 2019, AIS obtained the latest global Payment Card Industry Data Security Standard (PCI DSS) Version 3.2.1 and is considered to be the first Thai telecom operator to acquire such standard. The objective is to manage and reduce the risk of fraud related to credit cards, including restricting access to customers’ sensitive information.

As a cloud and data center service provider, AIS has been certified for ISO27001 Information Security Management System (ISMS) since 2015 and CSA STAR (Cloud Security Alliance) Self-Assessment since 2016.

In addition, AIS staff involved in cyber security and data privacy related functions underwent training and acquired new certifications in ethical hacking and penetration testing, incident management and forensics, and cyber security management.

Our Performance

Indicator                                   Units   2016     2017     2018     2019
Number of reported complaints during the year regarding breaches of customer privacy and losses of customer data:
From outside parties                        Cases   321      575      131      124
From regulatory bodies                      Cases   11       15       47       47
Leaks, thefts, or losses of customer data   Cases   1        0        0        0
Number of government requests [1]           Cases   26,301   26,710   28,270   28,334

[1] The company provides customer data upon the request of government agencies authorized and designated by law, such as the Court of Justice, the Royal Thai Police and the Anti-Money Laundering Office.

RELATED POLICIES

Cyber Security Policy describes the company’s duties and responsibilities regarding information security.

Privacy Policy provides understanding for customers on the customer data privacy practices, e.g. purpose of collecting and using data.

NBTC Privacy Guideline describes how customer information is collected, stored, processed, and disclosed.

Customers with questions and concerns related to IT security and data privacy can contact us via our Complaint Center at:

Telephone : 08-0000-9263

Email : complaint_center@ais.co.th

AIS Sustainability Report