GGC has established a policy for information technology security to be used as a guideline for the development of information security management systems.

This policy outlines a process for controlling the security of information technology systems in accordance with ISO 27001 (Information Security Management) and Control Objectives for Information and Related Technologies (COBIT). It covers the procedures regarding the use of information (Procedure) in order to manage operations for information and cyber security, as well as to prevent and reduce risks and potential impacts.

Mitigation Actions for Cyber Threats and Information Leaks
Continuously review information technology security policies.
Rehearse plans for cyber-attack threats and information system recovery plans within the company. Cooperate with the GC Group when arranging the risk management system according to the ISO 27001 guidelines by reviewing and regularly assessing the effectiveness of the information technology security action plan.
Establish a Personal Data Protection Act working team responsible for defining plans and procedures, including the evaluation of GGC’s performance in accordance with the Personal Data Protection Act.
Continually raise awareness and prepare employees for cybersecurity threats by organizing training on the risks of cyber-attacks and information leaks, and improve knowledge of the Personal Data Protection Act, according to GGC’s operations manual.

Information Security and Cyber Security Process and Infrastructure

GGC has established an information security management system and asset security practices according to international standards and in compliance with cybersecurity practices. GGC also conducts annual inspections and reviews of the information and cyber infrastructure systems by external agencies. The past year’s review found that the process and infrastructure of GGC’s information and cyber systems meet international standards and do not have any defects.

In addition, the company conducts a vulnerability assessment (VA) on the computer system and the business continuity plan at least twice a year. In 2020, GGC held a Cyber Incident Response Tabletop Exercise to test the security system by simulating an external cyberattack on the company's information system.

GGC also inspects for internal and external computer system vulnerabilities every 6 months in order to prepare a plan for protection against and remediation of threats. GGC’s vulnerability severity levels are categorized into three levels: High Severity, Medium Severity and Low Severity.