PTTEP strictly complies with Thailand Cybersecurity Act B.E. 2562. Cybersecurity guidelines have been in place, to prevent and tackle cyber threats as well as mitigate the impacts.
Presently, PTTEP bases its cybersecurity guidelines on the National Institute of Standards and Technology (NIST)'s standardized framework. Risk assessment has been conducted in line with ISO 27001:2013 with regards to emails and data center facility since 2014 and is also in the process of covering other applications / systems within 2020. PTTEP has continually invested in technology and obtained PTT Digital's services in preventing and mitigating cyber threats. PTTEP also established Security Operations Center (SOC) that completely connected Security Information and Event Management (SIEM) with the network firewalls across all petroleum development bases.
In 2021, PTTEP has implemented Multi-factor Authentication (MFA) to enhance the identity verification of the staff other than conventional username and password to support the company data and system access from anywhere and anytime as per PTTEP's direction of New Way of Work to promote Work-life Balance of its employee.
Furthermore, PTTEP also implemented Data Classification and Labelling with Microsoft Azure Information Protection (AIP) to support permission and sharing management of documents confidentiality.
PTTEP has delegated the oversight to the Risk Management Committee, which comprises 5 PTTEP directors including 4 independent directors, to oversee enterprise risk covering the Company's overall cybersecurity issues. In this regard, Mr. Pitipan Tepartimargorn, independent director and Chairman of the Risk Management Committee has related experience with previous position as Chairman of PTT ICT Solutions Company Limited (now PTT Digital Solutions Company Limited). Furthermore, PTTEP also appointed the Cybersecurity Incident Response Task Force chaired by Chief Information Security Officer (CISO), having Information Management Department and its working team be responsible for the outlining of directions, targets, strategies, policies and information technology standards. Their tasks include the supervision of the IT master plan and roadmap as well as IT risk management, ensuring risks are in line with the Company's risk appetite. They must also regularly report risk management performance to the Risk Management Committee and the Board of Directors, to ensure that, should there be an emergency, PTTEP would be able to take control of the situation and respond promptly.
2. Control Measures
PTTEP has implemented control measures for the information system, equipment security as well as data backup and recovery to ensure business continuity. The Company announced the information technology policy which must be honored by all functions in line with the corporate governance guidelines. PTTEP's past efforts related to technology were aimed at ensuring safety and flexibility: for example, joining PTT Group's working team set up under PTT Group Cybersecurity Governance & Assurance Project, to enhance the efficiency of PTT Group's cybersecurity measures; and the application of Microsoft Office 365 system to increase the Company's work efficiency as well as data security. Furthermore, PTTEP established information technology (IT) infrastructure control and a clear policy to boost IT system efficiency through digital technology. IT strategies are outlined accordingly to the framework of Control Objectives for Information and Related Technology (COBIT 5) and ISO 27001. Cloud Platform is being used for continued development of an information technology system on an agile structure which maintains all efficient control measures as demanded by the Company's security standards.
Additionally, PTTEP has imposed the Security Policy and kept information technology in control to maintain its security, prevent violations, and support data backup and recovery for business continuity. Details are as follows:
1. General control refers to control guidelines on IT-related work process and activities, IT-related business continuity plan and etc.
2. Personnel-level control refers to the determining of individual employees' access to data; cybersecurity drills; the development of Digital Security Awareness e-Learning; training entitled "Cybersecurity Act" and "Personal Data Protection Act" for directors, employees and other relevant system administrators and etc.
3. System-level control refers to record keeping of system usage per legal requirement; external penetration testing by experts to identify and address any gaps that may cause damages and can be improved; etc.