Bangkok Life Assurance Public Company Limited (“the Company”) has established the Information Security Policy that covers information technology security and cyber security in alignment with its use of information technology in business operations while maintaining confidentiality, integrity, and availability of the systems and information.
1.1 Purpose
This policy is established to ensure risk assessment and management for the Company’s information systems so that risks remain within the acceptable appetites, to maintain appropriate internal control, security, accuracy, and reliability, as well as to ensure appropriate safeguarding of the Company’s data and information assets in line with the applicable information technology requirements, rules, regulations, laws, international standards and orders given by business regulatory agencies.
1.2 Scope
Personnel of Bangkok Life Assurance Public Company Limited and its subsidiary must study, understand, and strictly adhere to this Information Security Policy.
1.3 Effective Date
This policy shall be effective from the date of approval by the Board of Directors.
1.4 Review Frequency and Revision
This policy must be reviewed annually, or when a significant change arises.
Any significant revisions, review, or renewal of this policy are subject to approval by the Board of Directors. Meanwhile, insignificant revisions are subject to approval by the Management Committee (MC) and/or relevant subcommittees before being submitted to the Board of Directors for acknowledgement.
1.5 Responsible Function
The Information Technology Division is the function responsible for this policy.
2.1 Definitions
| No. | Definition |
|---|---|
| 2.1.1 | “The Company” means Bangkok Life Assurance Public Company Limited. |
| 2.1.2 | “Subsidiary” means companies in which the Company holds shares directly or indirectly of more than 50%. |
| 2.1.3 | “Information Technology” means data processing systems or processes using computer technology to systematically manage data in order to obtain information for effective business support. |
| 2.1.4 | “Information Technology Security” means the protection of information technology and information assets from unauthorized access, use, disclosure, obstruction, alteration, modification, deletion, damage, destruction, or knowledge by maintaining confidentiality, integrity and availability of the information technology and information assets as well as their other qualities, including authenticity, accountability, non-repudiation, reliability and responsiveness to threats and prompt information technology recovery without any business disruptions (resilience). |
| 2.1.5 | “Cyber Security” means any measures or actions established to prevent, cope with, and mitigate risks arising from both internal and external cyber threats that may affect the stability of the information technology systems. |
| 2.1.6 | “Cyber Threat” means any unauthorized acts or operations involving the use of a computer, computer system or unwanted program with the intention to harm and compromise the operation of the computer system, computer data, or other related data. |
| 2.1.7 | “Malicious Software” means any programs designed to generate undesirable results for a user or system by attacking the system, damaging the system as well as stealing data. |
| 2.1.8 | “Antivirus Software” means any programs designed to detect, prevent, and eliminate various forms of malicious software or computer threats, including viruses, worms, trojans, spyware, adware, and other types of threatening software. |
2.2 Requirements
| No. | Requirement |
|---|---|
| 2.2.1 | Establish an appropriate and concise information technology security practice framework which also applies to outsourced service providers. |
| 2.2.2 | Establish information technology security measures to maintain confidentiality, integrity, and availability of the Company’s internal information systems, as well as business continuity. |
| 2.2.3 | Establish management and classification of information assets as well as confidentiality levels and measures to prevent unauthorized access to systems and information in order to prevent data breach or misuse of position. |
| 2.2.4 | Establish measures for maintaining physical and environmental security, measures for user and system administrator control, preventive and security measures for information technology operations as well as guidelines for governing cyber risk and cyber security. |
| 2.2.5 | Establish information communication security and data encryption measures to control the acts of receiving, sending, or exchanging information, as well as best practice for procuring, developing, and maintaining information technology. |
| 2.2.6 | Establish measures to prevent malicious software, information technology threats, and cyber threats, ensure anti-virus program management and technical vulnerability management, or conduct testing on the information technology security regularly or at least once a year. |
| 2.2.7 | Establish efficient information technology management, business continuity plans, and information technology emergency plans to ensure preparedness and responsiveness to any threats or incidents which may impact the business operations and information technology operations. |
| 2.2.8 | Ensure effective communication and implementation across the organization and regularly promote information technology security awareness amongst employees. |
2.3 Penalty
Any person who violates this policy may be subject to disciplinary penalties in accordance with the Company's regulations and may be subject to other penalties imposed by law.