Information Technology is advancing at an unprecedented rate, revolutionizing both personal and corporate communication. This is not only accelerating online information exchanges and transactions across the globe, but also exposing service users to a higher risk of cybercrime. Customers are understandably concerned about the security of their data and systems. To cope with these challenges and opportunities, AIS has upgraded its IT systems and personnel to deal with a range of cyberthreats for the benefit of users of AIS’ mobile networks and digital services, while protecting and securing customers’ personal data in accordance with their statutory rights.
Management Approach
AIS has established policies to maintain cyber-security and protect personal data, and to supervise processes and management systems for every function throughout the company. Regular internal inspections are conducted to provide confidence that management and best practice concerning personal data protection and the maintenance of cyber-security comply with the company’s standards and frameworks.
Privacy Protection
Measures have been stipulated to protect the privacy of customer data, including limiting access to sensitive data. AIS also incorporates the Privacy by Design and Privacy by Default principles into its services and products as necessary, sets specifications for the data flow process, and promotes awareness, knowledge and understanding of customer data protection among all personnel and partners. We have also established a system and enhanced our processes for handling customer requests as follows:
For the management of data requests, the company provides customer data to government agencies in compliance with the law, and fairly in consideration of data subjects’ human rights as defined by the law. The Process for Evaluating and Responding to Law Enforcement or Government Data Requests is as follows:
Cybersecurity
For cyber security, AIS has the infrastructure, systems, and protocols to ensure the regular management, testing, and monitoring of cyber security incidents. Our policies and guidelines related to cyber security are developed and reviewed regularly in accordance with the best practices and pertinent regulatory requirements.
NIST Cyber Security Framework
AIS uses the "NIST Cyber Security Framework" as a guideline for designing cyber security strategies and processes, which include the following steps:
For its cyberattack response protocol and escalation process, AIS applies "NIST's Cyber Incident Response Framework" in its day-to-day routine, which involves the following incident handling steps:
AIS has won various certifications reflecting its determination to attain and uphold the highest personal data protection standards as follows:
Performance Table
Topic | Units | 2019 | 2020 | 2021 | 2022 |
---|---|---|---|---|---|
Personal data protection | | | | | |
Number of personal data breach and data loss complaints | | | | | |
Complaints from general persons or agencies 1 | Number of cases | 124 | 560 | 7 | 7 |
Complaints from regulatory agencies | Number of cases | 47 | 23 | 20 | 11 |
Data leakage, theft, or loss | Number of cases | 0 | 0 | 0 | 2 |
Requests for customers’ personal data from public agencies with the power and duty 2 | Number of cases | 28,334 | 24,453 | 25,442 | 19,454 |
% of the total number of requests | % | - | 92 | 70 | 91.45 |
Network | | | | | |
Average frequency of network failure | Units | 0.05 | 0.07 | 0.18 | 0.07 |
Average length of network failure | Minutes | 12 | 39 | 54 | 38 |
Remark:
1 As the number and types of complaints received surged over the year 2022, only those determined to be well-founded were reported.
2 AIS provides customers’ personal data to the public agencies granted the authority by law, namely the Court of Justice, the Royal Thai Police Headquarters, and the Anti-Money Laundering Office.
Related Document
Information concerning “Cybersecurity and Customer Privacy Protection” can be found in the 2022 Sustainability Report.