Management Approach

The company recognizes the importance of protecting privacy and data security and has established a "Policy on Governance and Management of Information Technology," a "Personal Data Protection Policy," and a manual for the management of personal data protection. These guidelines are intended for directors, executives, and employees at all levels to ensure proper handling, access, and use of data, especially sensitive information pertaining to the company or stakeholders, in accordance with the Cybersecurity Act B.E. 2562 and the Personal Data Protection Act B.E. 2562. The company ensures that its privacy and data security management covers personal data and business secrets related to employees, customers, suppliers, job applicants, visitors, and other relevant stakeholders. This scope extends to critical information systems, including office networks, factory systems, ERP systems, email, endpoint devices, and data stored or processed via relevant third-party service providers.

The company maintains an IT governance and cybersecurity framework aligned with the ISO/IEC 27001 international standard. The Information Technology Department is responsible for overseeing, controlling, managing, and monitoring cybersecurity performance, as well as continuously assessing risks related to data privacy and security. These issues are fully integrated into the Enterprise Risk Management (ERM) process to ensure systematic surveillance and mitigation. Furthermore, the IT Department reports progress, risk status, significant incidents, system test results, and improvement plan updates to the Chief Executive Officer (CEO) on a monthly basis, and subsequently presents these reports to the Executive Committee and the Risk Management Committee.

For personal data security governance, the company has established a Personal Data Protection Committee, chaired by the Chief Executive Officer. This committee is responsible for setting measures for the security of personal data and practices related to personal data protection for company employees and relevant stakeholders, including communication and oversight to ensure compliance with established goals.

For more information about the Policy on Governance and Management of Information Technology, please visit www.nerubber.com or scan the QR Code.
For more information about the Personal Data Protection Policy, please visit www.nerubber.com or scan the QR Code.
Data Security Strategy

The company has established a strategy to control the risks of data leakage and cyberattacks, focusing on reducing the likelihood of occurrences and minimizing the severity of impacts as follows:

Cyberattack Prevention

The company identifies and assesses risks related to cybersecurity to establish appropriate risk management measures, such as access control management, data encryption, multifactor authentication (MFA), and the installation of antivirus software (endpoints) to protect against cyberattacks on all computers and electronic devices within the organization. Additionally, the company conducts regular data backups and processes to check the readiness of backup data every quarter to prepare for potential cyberattacks or threats from malicious individuals, as cyberattacks can disrupt operations. To further ensure readiness, the company has developed a Business Continuity Plan (BCP) and a Recovery Plan to enhance preparedness.

Moreover, the company has implemented an information security management system based on international standards referencing ISO/IEC 27001 and the NIST Security Framework from the National Institute of Standards and Technology (NIST). The company continuously develops its infrastructure and cybersecurity systems while monitoring and surveilling emerging threats resulting from the rapid evolution of technology, both in the office and factory systems. This proactive approach allows for preventive planning against potential attacks. The company also regularly tests its systems to respond to cyber threats and conducts drills for recovering information systems.

Additionally, raising cybersecurity awareness among executives and employees is essential to keeping up with the evolving situation and new attack methods, as data may leak due to employee operations or a lack of awareness of threats. Therefore, the company provides ongoing training on the nature of attacks, operational practices, preventive measures, and relevant information technology laws to instill a sense of caution in employees regarding the use of equipment and information technology while recognizing the risks and potential impacts.

Data Management and Access Control

The company has established measures to ensure the security of personal data in accordance with legal requirements and aligned with international operational standards. A Data Protection Officer (DPO) has been appointed to play a crucial role in overseeing and monitoring activities related to personal data within the organization, ensuring compliance with the Personal Data Protection Act. The DPO also provides guidance, supervises, and coordinates both internally and externally to ensure that personal data management is conducted in accordance with the Personal Data Protection Act (PDPA), while promoting appropriate privacy protection and data security.

The company has established a systematic data management process, covering data classification, defining access rights based on roles and the principle of 'need-to-know,' periodic access reviews, and data retention and destruction according to specified periods. Furthermore, the company conducts risk assessments for new systems and third-party service providers involved in data processing. Additionally, an incident response process has been established, including root cause investigation and the implementation of corrective and preventive actions (CAPA) to prevent recurrence. These measures are designed to support data protection and mitigate the risks of data breaches or unauthorized access, with key operational guidelines as follows:

Data Breach Complaint Management

The company has established channels for stakeholders to report incidents of confidential or personal data breaches. There is a process in place for investigating the facts of these reports. If a complaint involves personal data, the Data Protection Officer will assess the situation and report to management accordingly.

Complaints Channels
Postal mail:
Human Resources Department North East Rubber Public Company Limited
398 Moo.4 Kok Ma Sub-district, Prakhonchai District, Buriram 31140
Tel
  • 044- 666-928
  • 044-666-929
Information Security

The main goals and notable outcomes of the initiatives focused on Information security are summarized in the table below.

Long-term Goals
2030
2025
Goals
2025
Performance
Number of complaints regarding breaches of personal data and business confidentiality 0 0 0
Incidents resulting in damage from cyberattacks 0 0 0
*Percentage of supervisory-level employees who completed data security training 100% 100% 100%
*Percentage of operational-level employees who completed data security training 100% 100% 100%

* Only supervisory-level and operational-level employees are authorized to use the company's information systems.

Related Policies
Information Technology Governance and Management Policy
Privacy Policy
Personal Data Protection Management System Manual