Information technology has continued to evolve, resulting in a proliferation of data usage and connectivity. This has also brought greater exposure to increasingly sophisticated attempts by cybercriminals to launch cyberattacks. In response, the threat to cyber security has led the relevant authorities to continuously enhance legislation on cyber security and personal data protection. AIS places a high priority on, and is firmly committed to, protecting customers’ information privacy, ensuring cyber security and complying with regulations, which helps reduce the financial and reputational risks arising from losses and leaks of customer data and from cyberattacks. At the same time, a thorough understanding of the trends, technology and regulations also brings new opportunities for AIS to enhance the value we deliver to our customers and our relationships with them, while earning their trust through assured security.
HOW WE ADDRESS THE ISSUE
To demonstrate our commitment to protecting our customers’ data privacy and information security, we set the following goals toward the year 2022:
- Operate in adherence to applicable laws and regulations including the Cyber Security Act and Personal Data Protection Act
- Enhance cyber security process, technology and staff readiness for the protection of infrastructure, systems and new services
- Develop and improve technology, cyber security and personal data privacy policies and standards, including revamping the directions of CS Loxinfo Plc. (CSL) to align them with AIS, both in terms of technological standards and legal developments
To ensure customer data protection, AIS has put in place the following actions and procedures:
- Promote customer privacy protection Company-wide through awareness building, education and implementation
- Perform a Data Protection Impact Assessment to identify and minimize the risks related to data protection in our services
- Restrict access to sensitive information and deploy multiple data protection techniques to prevent customer information leaks
For cyber security, AIS has the infrastructure, systems and protocols to ensure the regular management, testing, and monitoring of cyber security incidents. Our policies and guidelines related to cyber security are developed and reviewed regularly in accordance with the best practices and related regulatory requirements.
AIS used the “NIST Cyber Security Framework” as a guideline for designing our cyber security strategies and processes, which include the following steps:
Source: National Institute of Standards and Technology
Regarding the cyberattack response protocol and escalation process, AIS applies NIST’s cyber incident response framework in our day-to-day routine, which involves the following incident handling steps:
Source: Computer Security Incident Handling Guide by National Institute of Standards and Technology
AIS has obtained the following certifications and standards, which underline our commitment to data security for our services and our customers:
In 2019, AIS obtained certification against the latest global Payment Card Industry Data Security Standard (PCI DSS), version 3.2.1, and is considered the first Thai telecom operator to acquire this standard. The objective is to manage and reduce the risk of credit card fraud, including by restricting access to customers’ sensitive information.
As a cloud and data center service provider, AIS has been certified to ISO 27001 Information Security Management System (ISMS) since 2015 and has completed the CSA STAR (Cloud Security Alliance) Self-Assessment since 2016.
In addition, AIS staff involved in cyber security and data privacy related functions underwent training and acquired new certifications in ethical hacking and penetration testing, incident management and forensics, and cyber security management.
|Number of reported complaints during the year regarding breaches of customer privacy and losses of customer data|Unit| | | | |
|---|---|---|---|---|---|
|From outside parties|Cases|321|575|131|124|
|From regulatory bodies|Cases|11|15|47|47|
|Leaks, thefts, or losses of customer data|Cases|1|0|0|0|
|Number of government requests (1)|Cases|26,301|26,710|28,270|28,334|

(1) The company provides customer data upon the request of authorized and designated government agencies acting by virtue of law, such as the Court of Justice, the Royal Thai Police and the Anti-Money Laundering Office.
Cyber Security Policy describes the company’s duties and responsibilities regarding information security.
NBTC Privacy Guideline describes how customer information is collected, stored, processed, and disclosed.