Management Approach

The company recognizes the importance of protecting privacy and data security and has established a "Policy on Governance and Management of Information Technology," a "Personal Data Protection Policy," and a manual for the management of personal data protection. These guidelines are intended for directors, executives, and employees at all levels to ensure proper handling, access, and use of data, especially sensitive information pertaining to the company or stakeholders, in accordance with the Cybersecurity Act B.E. 2562 and the Personal Data Protection Act B.E. 2562.

The company has implemented an information technology and cyber security governance structure that complies with international standards, specifically ISO/IEC 27001. The IT department is responsible for overseeing, controlling, and managing operations, as well as monitoring performance. They report progress and cyber security outcomes to the Chief Executive Officer on a monthly basis before presenting to the Board of Directors and the Risk Management Committee.

For personal data security governance, the company has established a Personal Data Protection Committee, chaired by the Chief Executive Officer. This committee is responsible for setting measures for the security of personal data and practices related to personal data protection for company employees and relevant stakeholders, including communication and oversight to ensure compliance with established goals.

For more information about the Policy on Governance and Management of Information Technology, please visit www.nerubber.com or scan the QR Code.
For more information about the Personal Data Protection Policy, please visit www.nerubber.com or scan the QR Code.

Data Security Strategy

The company has established a strategy to control the risks of data leakage and cyberattacks, focusing on reducing the likelihood of occurrences and minimizing the severity of impacts as follows:

Cyberattack Prevention

The company identifies and assesses cybersecurity risks to establish appropriate risk management measures, such as access control management, data encryption, multifactor authentication (MFA), and the installation of endpoint antivirus software to protect all computers and electronic devices within the organization against cyberattacks. Additionally, the company performs regular data backups and checks the readiness of backup data every quarter to prepare for potential cyberattacks or threats from malicious individuals, as cyberattacks can disrupt operations. The company has also developed a Business Continuity Plan (BCP) and a Recovery Plan to enhance preparedness.

Moreover, the company has implemented an information security management system based on international standards referencing ISO/IEC 27001 and the NIST Security Framework from the National Institute of Standards and Technology (NIST). The company continuously develops its infrastructure and cybersecurity systems while monitoring and surveilling emerging threats resulting from the rapid evolution of technology, both in the office and factory systems. This proactive approach allows for preventive planning against potential attacks. The company also regularly tests its systems to respond to cyber threats and conducts drills for recovering information systems.

Additionally, raising cybersecurity awareness among executives and employees is essential to keeping up with the evolving situation and new attack methods, as data may leak due to employee operations or a lack of awareness of threats. Therefore, the company provides ongoing training on the nature of attacks, operational practices, preventive measures, and relevant information technology laws to instill a sense of caution in employees regarding the use of equipment and information technology while recognizing the risks and potential impacts.

Data Management and Access Control

The company has established measures to ensure the security of personal data in accordance with legal requirements and aligned with international operational standards. A Data Protection Officer (DPO) has been appointed to play a crucial role in overseeing and monitoring activities related to personal data within the organization, ensuring compliance with the Personal Data Protection Act. The DPO also provides guidance, supervises, and coordinates both internally and externally to ensure that personal data management is conducted correctly. In addition to implementing modern technologies to protect data from cyberattacks or unauthorized intrusions, the company has established a system for managing important data and documents, as well as controlling access to information within the organization to maintain the highest level of data security and privacy.

Data Breach Complaint Management

The company has established channels for stakeholders to report incidents of confidential or personal data breaches. There is a process in place for investigating the facts of these reports. If a complaint involves personal data, the Data Protection Officer will assess the situation and report to management accordingly.

Complaints Channels
Postal mail:
Human Resources Department, North East Rubber Public Company Limited
398 Moo.4 Kok Ma Sub-district, Prakhonchai District, Buriram 31140
Tel.: 044-666-928 / 044-666-929
Email: hr@nerubber.com
Website: https://www.nerubber.com

Information Security

The main goals and notable outcomes of the initiatives focused on information security are summarized in the table below.

Related policies

Privacy Policy