Cybersecurity
IMPORTANCE AND MISSION
PTTEP strictly complies with Thailand Cybersecurity Act B.E. 2562. Cybersecurity guidelines have been in place, to prevent and tackle cyber threats as well as mitigate the impacts. Presently, PTTEP bases its cybersecurity guidelines on the National Institute of Standards and Technology (NIST)'s standardized framework. Risk assessment has been conducted in line with ISO 27001:2013 with regards to emails and data center facility since 2014 and is also in the process of covering other applications / systems within 2020. PTTEP has continually invested in technology and obtained PTT Digital's services in preventing and mitigating cyber threats. PTTEP also established Security Operations Center (SOC) that completely connected Security Information and Event Management (SIEM) with the network firewalls across all petroleum development bases.
Since 2021, PTTEP has implemented Multi-factor Authentication (MFA) to enhance the identity verification of the staff other than conventional username and password to support the company data and system access from anywhere and anytime as per PTTEP’s direction of New Way of Work to promote Work-life Balance of its employee.
Furthermore, PTTEP also implemented Data Classification and Labelling with Microsoft Azure Information Protection (AIP) to support permission and sharing management of documents confidentiality.
PTTEP utilized the services of Mandiant Managed Defence, a global expert in cybersecurity, to strengthen the operations of the Security Operations Center (SOC). The Company also received a Certificate of Registration for Information Security Management System – ISO/IEC 27001:2022 for the scope: The information security management applied to PTTEP Data Center and supporting facility governed by PTTEP. The Certificate was effective on September 2, 2023.
GOALS
PTTEP aims to prevent and respond to various cybersecurity threats to minimize damage from cybersecurity incidents that may impact business operations while promoting organizational performance towards the following goals:
No loss from all cyber attacks
Test the IT BCM and incident response procedure > 2 times per year
All IT infrastructures are certified in accordance with international standards
MANAGEMENT APPROACH
Governance Structure
PTTEP has delegated the oversight to the Risk Management Committee to oversee enterprise risk and to the Audit Committee to review the efficiency and effectiveness of governance processes, internal controls, and risk management, covering the Company’s overall cybersecurity issues. In this regard, Mr. Thongthit Chayakula, independent director and member of the Audit Committee has related experience with current position as lecturer, Department of Surveying Engineering, Faculty of Engineering, Chulalongkorn University. Furthermore, PTTEP also appointed the Cybersecurity Incident Response Task Force chaired by Chief Information Security Officer (CISO), having Information Management Department and its working team be responsible for the outlining of directions, targets, strategies, policies and information technology standards. Their tasks include the supervision of the IT master plan and roadmap as well as IT risk management, ensuring risks are in line with the Company’s risk appetite. They must also regularly report risk management performance to the Risk Management Committee and the Board of Directors, to ensure that, should there be an emergency, PTTEP would be able to take control of the situation and respond promptly.
Control Measures
PTTEP has implemented control measures for the information system, equipment security as well as data backup and recovery to ensure business continuity. The Company announced the information technology policy which must be honored by all functions in line with the corporate governance guidelines. PTTEP's past efforts related to technology were aimed at ensuring safety and flexibility: for example, joining PTT Group's working team set up under PTT Group Cybersecurity Governance & Assurance Project, to enhance the efficiency of PTT Group's cybersecurity measures; and the application of Microsoft Office 365 system to increase the Company's work efficiency as well as data security. Furthermore, PTTEP established information technology (IT) infrastructure control and a clear policy to boost IT system efficiency through digital technology. IT strategies are outlined accordingly to the framework of Control Objectives for Information and Related Technology (COBIT 5) and ISO 27001. Cloud Platform is being used for continued development of an information technology system on an agile structure which maintains all efficient control measures as demanded by the Company's security standards.
Additionally, PTTEP has imposed the Security Policy and kept information technology in control to maintain its security, prevent violations, and support data backup and recovery for business continuity. Details are as follows:
General control
refers to control guidelines on IT-related work process and activities, IT-related business continuity plan and etc.
Personnel-level control
refers to the determining of individual employees' access to data; cybersecurity drills; the development of Digital Security Awareness e-Learning; training entitled "Cybersecurity Act" and "Personal Data Protection Act" for directors, employees and other relevant system administrators and etc.
System-level control
refers to record keeping of system usage per legal requirement; external penetration testing by experts to identify and address any gaps that may cause damages and can be improved; etc.