Develop a reliable system for cybersecurity and customer privacy protection.
Information technology is progressing rapidly in the modern world, changing both personal and corporate communication methods. Online information transactions have increased greatly and take place constantly across the globe. As a result, users are at a higher risk of cybercrime, and cyber security and personal data protection have become important issues for administrative agencies worldwide.
AIS, as a digital service provider, manages massive amounts of data, both from its operations and from its customers, and is compelled to work in adherence to laws to protect against the leakage of personal data as well as to reduce risks to its finances and reputation. Moreover, AIS sees an opportunity in creating and developing complete cyber security services, which would address its operational requirements and enhance its capability to service clients.
HOW WE ADDRESS THE ISSUE
AIS manages and implements policies, procedures, and administrative systems across all of its offices to earn its customers' trust that it operates transparently in protecting information and personal data, and treats that trust as part of the risk management overseen by the Audit and Risk Management Committee. AIS also enforces cyber security policies and data privacy policies for all its offices, extending to related external organizations. The Company carries out regular systematic internal audits to ensure that its management of data privacy, cyber security and related operations adheres to its policies, standards, and frameworks.
To demonstrate our commitment to protecting our customers’ data privacy and information security, we set the following goals toward the year 2024:
- Operate in adherence to applicable laws and regulations, including the Cyber Security Act and the Personal Data Protection Act.
- Continually enhance cyber security capabilities both in terms of technology and personnel readiness to protect basic infrastructure, systems and new services.
- Enhance cyber security efficacy and capability and personal data protection by using Machine Learning and Artificial Intelligence to augment monitoring, analysis and threat assessment, and by using automation to speed up and streamline processes.
- Become a leading Cyber Security Operation Center (CSOC) for corporate clients. Enhance capabilities in providing the service and further develop consulting services for data protection.
The actions undertaken to ensure customer data protection range from the formulation of measures for customer data privacy protection to limiting access to sensitive information. AIS also incorporates the Privacy by Design and Privacy by Default principles into its services and products as necessary, sets specifications for the data flow process, and promotes awareness, knowledge and understanding of customer data protection among all personnel and partners. We have also established a system and enhanced processes for handling customer requests, as follows:
For data request management, the company provides customer data to government agencies in compliance with the law and with fairness, giving consideration to the human rights of data subjects within legal parameters. The process for evaluating and responding to law enforcement or government data requests is as follows:
For cyber security, AIS has the infrastructure, systems and protocols to ensure the regular management, testing, and monitoring of cyber security incidents. Our policies and guidelines related to cyber security are developed and reviewed regularly in accordance with the best practices and related regulatory requirements.
AIS used the "NIST Cyber Security Framework" as a guideline for designing our cyber security strategies and processes, which include the following steps:
Source: National Institute of Standards and Technology
Regarding cyberattack response, protocols and the escalation process, AIS applies the "NIST's Cyber Incident Response Framework" in its day-to-day routine, which involves the following incident handling steps:
Source: Computer Security Incident Handling Guide by National Institute of Standards and Technology
AIS has collaborated with various organizations and obtained the following certifications and standards, which underline our commitment to the security of our services and our customers' data:
- ISO27001 Information Security Management System (ISMS) since 2015, with the scope further expanded to cover CSOC as a service since 2020
- CSA STAR (Cloud Security Alliance) Self-Assessment since 2016
- PCI DSS (Payment Card Industry Data Security Standard) since 2017, which covers merchants and will expand to payment service providers
Coordination with regulators and IT infrastructure agencies
AIS signed a Memorandum of Understanding (MoU) to jointly study and establish the Thai Telecommunication Computer Emergency Response Team (TTC CERT), which is aimed at supporting coordination, information sharing, and the supervision and management of cyber threat events between information administration and infrastructure agencies in accordance with the Cyber Security Act.
Technology Development and Process Improvement
- Process improvement. We applied the Microsoft Office 365 cybersecurity tool and elevated the security of the information system against external access. Automation and response solutions are also applied in threat detection and response processes to counter new forms of cyberattacks.
- Cybersecurity and data protection reinforcement. AIS has applied cutting-edge technology and upgraded the systems by applying AI and machine learning algorithms to proactively and accurately detect advanced persistent threats.
- The 24 x 7 cyber security operation center (CSOC). In 2021, AIS expanded the center's services to monitoring threats to the systems and information technology of its corporate clients. To elevate its information protection management systems to international standards, the company expanded the scope of its ISO 27001 certification to encompass the services provided by the CSOC.
In addition, AIS staff involved in cyber security and data privacy related functions underwent training and acquired new certifications in ethical hacking and penetration testing, incident management and forensics, and cyber security management.
| Personal data protection | Unit | Year 1 | Year 2 | Year 3 | Year 4 |
|---|---|---|---|---|---|
| Number of personal data breach and data loss complaints | | | | | |
| Complaints from general persons or agencies (1) | Number of cases | 131 | 124 | 560 | 7 |
| Complaints from regulatory bodies | Number of cases | 47 | 47 | 23 | 20 |
| Number of data breach, leakage, theft, or loss | Number of cases | 0 | 0 | 0 | 0 |
| Requests for customers' personal data from public agencies with the power and duty (2) | Number of cases | 28,270 | 28,334 | 24,453 | 25,442 |
| % of the total number of requests | % | - | - | 92% | 70% |

(The four value columns are consecutive reporting years; the year labels are not given in the source table.)

(1) In 2021, information about the number of complaints could be classified at a more granular level. Therefore, only substantiated complaints are reported for 2021.
(2) AIS provides customers' personal data to the public agencies granted the authority by law, such as the Court of Justice, the Royal Thai Police Headquarters, and the Anti-Money Laundering Office.