IRPC’s approach to digital transformation is guided by the organization’s Digital Framework, which focuses on two key areas: management of Cybersecurity to strengthen defense against cyberattacks and ensure the company can operate safely, and utilization of Data Analytics to develop and improve the efficiency of data analysis and decision-making by employees at all levels to generate more revenue for the company.
Cybersecurity Governance and Policy
The Company places great importance on maintaining cybersecurity to reduce risks arising from cybercrime, cyberattacks, data breaches, and various threats that may affect the provision of computer systems, internet, communications, computer data, and IT operations. The Company ensures the ability to prevent, respond to, and resolve cyber threats promptly and effectively, thereby building trust and confidence in its operations.
Cybersecurity is central to IRPC’s digital transformation efforts. The Information Technology Management Policy has been in place since 2019 to ensure comprehensive cybersecurity management. The policy outlines key management approaches, including tools, policies, security concepts, security safeguards, and technologies that protect the cyber environment, the organization, and user assets. It is based on the fundamental principles of data confidentiality, data integrity, and data availability.
The assessment of cybersecurity risks is managed by the Risk Management Committee, led by the Director of the Risk Management Committee and the Senior Executive Vice President for Corporate Organization Effectiveness and Digital. However, the IT Management Policy mandates that all employees are accountable for cybersecurity management, requiring them to follow the escalation process and report any suspicious activities, including SAP system malfunctions, phishing emails, or hacking attempts, to their supervisors or the IT HELPDESK. Additionally, Information Security/Cyber Security performance is evaluated as part of employee performance assessments, with established disciplinary measures for any misconduct. Cybersecurity is also a key performance indicator (KPI) for IT employees to ensure effective mitigation of cyber threats.
Cybersecurity Management and Process
In the implementation of our IT Management Policy, IRPC adheres to cybersecurity practices aligned with the ISO 27001 standard for cybersecurity management systems in combination with the NIST Cybersecurity Framework (US National Institute of Standards and Technology), which consists of 5 core functions:
- Identify: Enhance understanding within the organization to manage cybersecurity risks affecting systems, assets, data, and capabilities.
- Protect: Develop and implement safeguards to ensure the continuous delivery of critical infrastructure services.
- Detect: Implement activities to identify cybersecurity incidents promptly.
- Respond: Establish actions to address detected cybersecurity incidents effectively.
- Recover: Create contingency plans and recovery activities to ensure the restoration of capabilities or services compromised by cybersecurity incidents.
IRPC has further solidified these practices by creating a Cybersecurity Roadmap, developed based on key components of the NIST Cybersecurity Framework. This roadmap outlines cybersecurity work plans for the company from 2021 to 2025, emphasizing the application of modern technologies to upgrade our cybersecurity operations. One example is the introduction of Operational Technology (OT), an innovative technology deployed to protect and secure the company’s operational processes. IRPC is the first company in the PTT Group to implement OT to safeguard against cyberattacks. This technology enables the detection and management of industrial processes, assets, and equipment, enhancing overall security.
The success of IRPC’s cybersecurity management is driven by three key factors that form the foundation of our comprehensive approach to mitigating cyber threats: