Cybersecurity and Data Privacy
SCG's commitment to cybersecurity and data privacy is addressed in the SCG Sustainable Development Framework, which sets standards and unifies practices across all SCG operations.
Information Security & Cybersecurity and Data Privacy Governance and Policy
SCG's board of directors and executive management, whose members have direct working experience in the field, oversee the cybersecurity and data privacy strategy, working processes and controls by incorporating them into enterprise risk management. The committees responsible for this oversight, and their membership, are as follows:
- SCG IT Governance Committee (ITG) establishes policies and regulations concerning the use of information and communication technology (SCG e-Policy) for all SCG employees in accordance with ISO/IEC 27001 and monitors compliance so that the policies are adhered to in a consistent manner. The ITG is chaired by Mr. Yuttana Jiamtragan, Vice President-Corporate Administration, member of the Digital Council Committee and of the SCG Executive Management team, who is responsible for overseeing IT, cybersecurity, data privacy, startups and digital innovation, drawing on his skills and expertise in IT, information security and digitalization. In 2021, the following additional actions were taken:
  - Addition of three standards/procedures/practices: IoT security, practices for the use of social media applications, and online communication tools.
  - Revision of two policies: the Mobile Device and BYOD Policy and the System Access Control Policy, which came into effect in 2020, were further revised to keep up with the COVID-19 situation and working from home.
- Cybersecurity Governance Committee oversees SCG's information technology security practices and ensures that they are aligned with business directions and can effectively protect business operations from cyber threats.
- Commitment to notify data subjects in a timely manner in case of policy changes or a data breach
- Commitment to obtain user data through lawful and transparent means, with explicit consent of the data subject where required. Data subjects can access their accounts to erase, rectify, complete or amend personal information.
- Commitment to collect and process user data that is limited to the stated purpose
- Clear terms involving the collection, use, sharing and retention of user data including data transferred to third parties
- Commitment to require third parties with whom the data is shared to comply with the company’s policy
Regular employee awareness training and development on cybersecurity issues and data privacy management
SCG has expanded investments both domestically and abroad. A key factor in its success and sustainability is the ethics and integrity of employees and suppliers. In order to create understanding and evaluation of ethics among employees at all levels and suppliers, SCG has conducted various activities as part of a Proactive and Preventative System comprising the following:
- Regularly promotes awareness of the use of technology, including cybersecurity issues and data privacy management, among employees and suppliers through various trainings and other activities, such as organizing Cybersecurity Awareness Month, to ensure employees have the knowledge and understanding needed to use technology effectively and to protect the business from cyber threats. The Company also conducted a self-phishing email simulation drill to test employees' awareness, enabling the Company to learn which cybersecurity training topics employees need to understand better and allowing for improved communication to the target audience. A test of employee awareness and understanding of the SCG e-Policy is also organized on an annual basis.
- The training and testing on Ethics e-Testing and e-Policy e-Testing are conducted annually to instill knowledge and awareness in employees at all levels and ensure that they are able to appropriately apply and put into practice SCG's 4 Core Values, Code of Conduct, Bribery & Corruption, Anti-Corruption Policy, effective use of technology to protect the business from cybersecurity threats, and the Personal Data Protection Act (PDPA).
The e-Policy training and testing focus on key cybersecurity issues related to preventing IT system failures and major information security and cybersecurity incidents.
The year 2021 marked the seventh consecutive year of SCG Ethics e-Testing and the fifth for e-Policy e-Testing, both of which all SCG personnel are required to take, followed by an analysis of responses and clarification to ensure thorough and accurate understanding among employees at all levels. The tests are reviewed every year to ensure they are up to date with potential risks. All employees completed the Ethics e-Testing and e-Policy e-Testing, with a 100% pass rate. The answers were analyzed, and the key issues were identified and communicated to employees to foster a correct understanding.
All employees are required to acknowledge the SCG Code of Conduct and SCG e-Policy and to take the Ethics & SCG e-Policy e-Testing, which consists of a training module and a test module, on a yearly basis to ensure their acknowledgment, awareness, understanding, and proper application of the Company's policies. For the test module, employees must pass all criteria of all chapters; a score of 100% on the Ethics & SCG e-Policy e-Testing is mandatory for all employees, and the result is part of the employee performance evaluation linked with the Learning Management System (LMS) of Human Resource Management.
All employees in relevant positions must pass the SCG e-Policy e-Testing (20 questions) and Ethics e-Testing as follows:
- Operator, and Supervisor 1 & 2 for Basic level (20 questions)
- Supervisor 3 & 4 for Apply level (10 questions)
- All Management levels and up for Advanced level (10 questions)
Regular cybersecurity and privacy risk assessments
In today's world, SCG's business operations rely heavily on technology, and with the increasingly complicated nature of cyber threats, SCG unavoidably faces growing cybersecurity and privacy risks.
Such challenges could have tremendous, large-scale effects on the Company, such as disrupted operations if the Company cannot maintain the cybersecurity of industrial control systems that rely on digital technology. Another notable effect could be the loss of the Company's critical information, such as product development information, trade secrets, and the personal data of customers, business partners, and employees. These could ultimately tarnish the Company's reputation and credibility. Other potential impacts include financial damage from paying ransoms in ransomware attacks, litigation and regulatory fines, and lost revenue or profit as a consequence of failing to maintain cybersecurity vigilance.
Cybersecurity and privacy risk mitigation has been integrated into enterprise risk management, comprising risk or business opportunity identification, assessment and prioritization, response and mitigation, and monitoring and reporting, and adheres to the principles of good corporate governance as follows:
- Installed Web Application Firewall to increase data security and reduce risks from cyber attacks.
- Assesses cyber risks of the computer systems controlling industrial production, service provision, and other work processes, and prepares a cybersecurity risk mitigation plan covering key areas of SCG's operations in Thailand and overseas, carried out by both the Company's internal functions and third parties. Examples include separating the networks of the industrial control system and other critical systems and establishing connections between the systems through landing zones. Other efforts include choosing the cloud services of various service providers, setting up a Security Operation Center (SOC) for the industrial control system, implementing multi-factor authentication to manage access to the organization's critical information, and planning the installation of a SOC for cloud computing.
- Developed a Disaster Recovery Plan (DRP) to handle emergencies, enabling users to continue working through a backup site. A Cyber Incident Response Plan was also put into place, and drills are carried out regularly to prevent business interruption from cyberattacks.
- Documents were compiled for various internal control and cybersecurity auditing guidelines such as the auditing guidelines for the main ERP system used by the Company, IoT security, web application security, cloud development, and data governance.
- An assessment of information security-related internal controls was conducted with reference to ISO 27001 to review their adequacy and appropriateness for SCG's business operations. Good practices were also recommended, and a Proactive and Preventive System was established to reduce risks in business operations.
- Audit operations were reviewed and adjusted in accordance with the COVID-19 situation and the risks of the new normal era. Machine Learning (ML), Robotic Process Automation (RPA), and Data Analytics (DA) were utilized to improve the efficiency of risk analysis, and fieldwork was conducted only as necessary.
- IT audits were improved and divided into audits for IT systems, IT processes, and IT security. The audit processes were also designed to suit each aspect, thereby enhancing auditing efficiency.
- Appointed the SCG Data Protection Officer and set up the Data Protection Office to monitor SCG business operations, provide recommendations in accordance with related laws, establish the SCG Personal Data Protection Policy, and implement data protection tools, such as preparing relevant legal documents and deploying privacy management software.