Information Technology Security Policy

Announcement

At FPI 06/2568

Subject: Information Technology Security Policy

Fortune Part Industry Public Company Limited and its subsidiaries ("the Company") have implemented information technology systems to facilitate, enhance, and ensure the efficiency and effectiveness of all systems. This is to ensure that the use and provision of services can be carried out appropriately and in line with business policies, and to prevent potential problems arising from the misuse of information technology networks, whether from users or various threats, which could result in damage to the Company's business systems. Therefore, to maintain the Confidentiality, Integrity, and Availability of the Company's information technology systems, it is deemed appropriate to establish an Information Technology Security Policy to serve as a unified guideline for practice, as follows:

1. Objectives

1.1. To define the direction, principles, and framework of regulations for information security management.
1.2. To build knowledge and enhance understanding among employees to correctly and appropriately comply with policies, standards, operational frameworks, procedures, guidelines, and laws related to computer systems.
1.3. To enable employees and those who need to use or connect to the Company's computer systems to use them correctly and appropriately.
1.4. To prevent the Company's computer systems and information from being intruded upon, stolen, destroyed, interfered with, or subjected to various forms of cybercrime that could cause damage to the Company's business operations.

2. Scope of the Announcement

This policy applies to Fortune Part Industry Public Company Limited and its subsidiaries ("the Company"), and extends to authorized external parties who are permitted to use the network systems, servers, computer systems, personal computers, portable communication devices, or telecommunication devices to access the Company's information.

3. Security Principles

These security principles aim to achieve the following objectives:
3.1. Confidentiality: Protecting the secrecy of information by preventing unauthorized access and disclosure, including personal or Company intellectual property.
3.2. Integrity: Ensuring that the Company's information is not modified, altered, or destroyed by unauthorized parties.
3.3. Availability: Ensuring that authorized users can access information and services quickly and reliably.
3.4. Accountability: Defining individual responsibilities, including being answerable and responsible for the outcomes of actions performed within those roles.
3.5. Authentication: Ensuring that access rights to computer systems and information are granted only after a complete identity verification process.
3.6. Authorization: Ensuring that access rights to computer systems and information are granted based on the principle of Least Privilege and in accordance with the Need to Know Basis, as authorized.
3.7. Non-repudiation: Ensuring that involved parties in a transaction cannot deny their involvement in the occurred transaction.

Effective security requires common agreement and serious attention to all related matters, including:
• Security is the duty of all employees and external parties.
• Security management and operations are continuous processes that must be performed constantly.
• Awareness, a sense of duty, responsibility, and diligence in adhering to the practices outlined in policies, standards, operational frameworks, procedures, guidelines, and various processes are paramount in the security process. Clearly explaining to employees and external parties about their duties and responsibilities in security, for which they are accountable, will ensure effective security.

4. Definitions

4.1. "Company" refers to Fortune Part Industry Public Company Limited and its subsidiaries.
4.2. "Information Technology Department" refers to the unit responsible for information technology management operations.
4.3. "Employee" refers to probationary employees, permanent employees, special contract employees, and executives at all levels employed by the Company.
4.4. "User" refers to Company employees, as well as external parties authorized to have an account and/or password to access the Company's information processing equipment.
4.5. "Supervisor" refers to an employee who is the head of an internal department according to the Company's organizational structure.
4.6. "Computer System" refers to all types of computer tools or equipment, including all sizes of hardware and software, wired and wireless network connection devices, various types of storage and data transfer media, Internet and Intranet systems, as well as various electrical and telecommunication devices that can function or be used in a similar manner to computers, whether they are assets of the Company, business partners, or other companies undergoing installation and not yet delivered, or assets of employees brought in for installation or use within the Company's premises.
4.7. "Information Technology" refers to data, news, records, history, text in documents, computer programs, computer data, images, sounds, marks, and various symbols, whether stored in a format that can be directly understood by individuals or through any tool or device.
4.8. "Sensitive Information" refers to information that is critical to the Company's business operations or that the Company is obligated to protect by legal requirements, business ethics, or contracts, and which the Company cannot disclose to others or use for purposes other than the Company's business objectives. The leakage of such sensitive or confidential information could cause the Company's business operations to halt, lose efficiency, or suffer reputational damage.
4.9. "Important System" refers to computer systems utilized by the Company to provide business services, including systems that directly generate revenue and systems that support revenue generation, as well as any other electronic systems that aid in the Company's normal business operations, and systems designated by the Company's information security and information system unit. If such important systems cease operation or experience degraded performance, the Company's business operations will be disrupted or become inefficient.
4.10. "Remote Access" refers to accessing the Company's information systems remotely.
4.11. "System Owner" refers to the internal department that owns a computer system and is responsible for that computer system.
4.12. "Data Administrator" refers to the person assigned by the computer system owner to support the care, management, and control of information access in accordance with the requirements or access levels specified by the computer system or information owner.
4.13. "System Administrator" refers to the person assigned to oversee the use and maintenance of computer systems, including hardware, software, and peripheral devices that constitute the computer system. The system administrator is authorized to modify, add, edit, and update the Company's computer systems to function correctly, efficiently, in accordance with business needs, and securely.
4.14. "Security" refers to any process and action, such as prevention, strict enforcement, caution, diligence in use, and maintenance of computer systems and important information systems and data, to protect them from any attempts, both from internal employees and external parties, to access, steal, destroy, or interfere with operations, which could cause damage to the Company's business operations.
4.15. "External Party" refers to external personnel or organizations conducting business or providing services that may be granted access to the Company's information and information processing equipment, such as:

  • Business Partner
  • Outsource
  • Supplier
  • Service Provider
  • Consultant

5. Roles and Responsibilities

5.1. Managing Director (MD) Responsibilities:

5.1.1. Consider and approve the Company's Information Technology Security Policy.

5.2. Chief Technology Officer (CTO) and IT Manager Responsibilities:

5.2.1. Assess information resource requirements, cost-effectiveness, and procure and develop information systems in alignment with the Company's strategy.

5.3. Information Technology Manager Responsibilities:

5.3.1. Define the Company's Information Technology Security Policy objectives, ensuring alignment with the Company's strategic plan.
5.3.2. Manage the development of the Information Technology Security Policy, Standard, Procedure, and Guideline to ensure the Company achieves data Confidentiality, data Integrity, and system Availability.
5.3.3. Manage and monitor system attacks and various threats that may occur to the system, and plan for business continuity management to recover the system in an emergency.
5.3.4. Conduct risk management and risk analysis for potential system problems that could impact the Company's business operations.
5.3.5. Present to senior management, the Managing Director (MD), the plans for operations, policies, budgets, and staffing.
5.3.6. Be prepared for situations and continuously learn new information security techniques.

5.4. Supervisor Responsibilities:

5.4.1. Clarify and encourage users to comply with the Information Technology Security Policy, and issue warnings or disciplinary actions if incorrect or inappropriate practices are observed.

5.5. User Responsibilities:

5.5.1. Learn, understand, and strictly comply with the Company's Information Technology Security Policy.
5.5.2. Fully cooperate with the Company in protecting the Company's computer systems and information, monitoring, and safeguarding the Company's data and information to ensure security.
5.5.3. Immediately report to the Company any loss of equipment or sensitive information, as well as any incidents of intrusion, theft, destruction, or cybercrime involving information systems that could potentially harm the Company.

5.6. Data and Information Owner Responsibilities:

5.6.1. Ensure the preparation of documentation, measures, and procedures for controlling data access in accordance with the Company's Information Technology Security Policy.
5.6.2. Ensure employees comply with the Company's Information Technology Security Policy.
5.6.3. Control and approve access to data, information, and computer systems under their duties and responsibilities.
5.6.4. Report security incidents related to data and information.
5.6.5. Notify the Information Technology unit responsible for user account and system access rights management to delete/change rights when there are changes in employees/authorities/transfers.

5.7. Internal Audit Unit Responsibilities:

5.7.1. Ensure that management, operations, and practices related to information security are audited as necessary.

6. The Company's Information Technology Security Policy

The Company's Information Technology Security Policy addresses key issues including:

6.1. Information Asset Security:

6.1.1. Information assets, including databases, data files, software, development tools, computer equipment, networking equipment, communication equipment, external storage media, and all types of peripheral devices, must be inventoried by the data owner and relevant stakeholders. The information technology units must collaborate to maintain a register of information assets, and also create and manage labels for marking documents and information asset equipment.

6.1.2. The Company must define the confidentiality levels and establish the classification guidelines of documents to protect information assets, ensuring security through appropriate methods. Documents or publications printed or duplicated from originals with classified information, whether in whole or in part, shall be considered to have the same classification level as the original information.

6.1.3. Proper use of assets requires written rules or guidelines to prevent damage to information assets.

6.2. Personnel Security:

6.2.1. Information security duties and responsibilities must be defined in writing for users or outsourced personnel, including measures to prevent and maintain information security for the Company.

6.2.2. All job applicants must be thoroughly screened, for example, by checking reference letters, work history, educational qualifications, or verifiable companies, and new employees must be made aware of basic security and sign an acknowledgment of secure use of the Company's information technology systems (attached document).

6.2.3. All users must be trained on awareness and practices to enhance information technology security. Signatures must be collected and filed in personnel records. If there are any changes in security, employees must be notified.

6.2.4. Disciplinary actions must be defined for those who violate the Company's policies, rules, and guidelines. If a legal offense is committed, the penalty will be based on the offense committed and in accordance with Company regulations.

6.2.5. If any appointment, transfer, dismissal, or change of position occurs, the Human Resources department must notify the contracted party, and the contracted party must comply with the terms of the employment contract until its termination. Employees whose employment is terminated for any reason must return information system-related assets, such as keys, employee ID cards, computer center access cards, peripheral devices, manuals, and various documents, to their supervisor before the last day of employment. The Information Technology department must revoke such access rights.

6.3. Data Storage and Operations Area Security:

6.3.1. Physical security must be established for offices, workspaces, and other assets, and measures must be in place to protect against various threats such as fire, floods, earthquakes, and civil unrest. Operations in secure areas must also have adequate protection.

6.3.2. Product delivery by external parties must have a separate designated area to prevent unauthorized access to the Company's information assets.

6.3.3. Employees must protect office equipment to minimize risks from environmental threats and various hazards, as well as the risk of unauthorized access to equipment.

6.3.4. Information assets must be in appropriate and secure areas. Information system usage areas must be properly segregated. Computer centers must be separated from general workspaces and enclosed in separate rooms. Access to secure areas must be controlled, allowing only responsible personnel and authorized individuals with written permission to enter and exit, by presenting their ID cards or government-issued cards.

6.3.5. A backup power system must be in place to ensure continuous operation, and the backup power system must be tested at least twice a year to mitigate potential damage.

6.3.6. All cable routing must be protected from unauthorized access, and cables must be labeled to indicate their origin and destination.

6.3.7. Computer systems, network systems, and servers must be maintained regularly or according to manufacturer-recommended cycles.

6.3.8. Measures must be in place to protect equipment used outside the office to prevent damage to such equipment.

6.3.9. Employees must verify that sensitive data on storage media is deleted or overwritten before disposing of such equipment, in accordance with the Information Technology department's guidelines.

6.3.10. Procedures must be in place for managing removable storage media.

6.3.11. Measures must be defined to protect documents and systems from unauthorized access.

6.3.12. Procedures must be defined for managing and storing information to prevent unauthorized access.

6.3.13. There must be measures to dispose of media used to record information in written form, such as burning, cutting, shredding, or destroying storage media containing sensitive information, to prevent unauthorized data access. Designated personnel must oversee the disposal or destruction of storage media (whether self-disposal or by engaging a disposal company). The destruction of documents and storage media must be approved by the data owner and appropriately recorded.

6.4. Information System Management Security:

6.4.1. Operational manuals, such as system recovery procedures, maintenance procedures, etc., must be prepared and updated whenever procedures or responsibilities change. They must be reviewed at least once a year. Control over changes, improvements, or modifications to computer systems, network systems, servers, hardware, and software must be defined.

6.4.2. Responsibilities of system administrators must be segregated to reduce the likelihood of unauthorized changes or modifications.

6.4.3. Development and testing systems must be separated from production systems to prevent unauthorized access to data or changes to live systems. Usage monitoring and capacity analysis of information resources must be performed regularly, at least once a year.

6.4.4. New system acceptance must involve defined acceptance criteria and written testing of the new system before its acceptance.

6.5. External Party Service Security:

6.5.1. Agreements must be in place to control services provided by external parties, such as accepting the Company's Information Technology Security Policy, scope, and service level details, which must be reviewed by the Company's legal department, including non-disclosure agreements for Company information.

6.5.2. External parties or other third parties authorized to access the Company's information systems must accept and comply with the Company's Information Technology Security Policy.

6.5.3. The Company will assess the risks of external parties or other third parties accessing or impacting the Company's information systems. If information disclosure is necessary, the external party or third party must sign a non-disclosure agreement for the Company's confidential information.

6.5.4. Services or contracts with external parties and third parties providing services to the Company must be regularly reviewed as necessary, and service terms for external parties must be updated, for example, when new information systems are implemented, new information systems are developed, or new technologies are adopted.

6.6. Computer Network Security:

6.6.1. Measures must be defined to protect against various network threats and to grant network access only to authorized users.

6.6.2. External connections to internal network systems must be restricted, such as remote network access via the Internet, and no unauthorized hardware or software related to network services should be installed.

6.7. Information Exchange Security:

6.7.1. Policies, practices, and measures must be defined in writing to prevent issues with information exchange within the Company, within the group of companies, and with external parties through all communication channels, such as electronic messaging.

6.7.2. Information to be released to the public must be reviewed for accuracy and integrity, and risks must be assessed and mitigated before publication.

6.8. Online Transaction Security:

6.8.1. Measures must be defined to protect information transmitted over public networks, including information received and sent related to online transactions, to prevent information incompleteness or misrouting on the network.

6.8.2. Information published to the public must be protected for accuracy and integrity before being published.

6.9. Information System Access Audit Security:

6.9.1. Event logging related to information usage and user activity must be regular, and measures must be in place to protect recorded information usage data from unauthorized changes or modifications. Operational activities of relevant personnel related to the system must also be logged.

6.9.2. Error events must be logged, analyzed, and rectified as appropriate. Computer clocks must be synchronized to a reliable time source to aid in auditing timeframes if the Company's systems are compromised.

6.9.3. Employee access and usage of all information systems shall be audited and reviewed periodically by the Internal Audit unit. The Internal Audit unit reserves the right to monitor any actions suspected of violating this policy.

6.10. Information System Access Control Security:

6.10.1. Procedures for various registrations to gain and control access rights to the Company's information and information systems must be defined as necessary, including procedures for revoking access rights (e.g., resignation or position change). Password management processes for users must also be in place to control the appropriate allocation of passwords to users or those involved in assigned tasks.

6.10.2. Users are responsible for maintaining the security of their user accounts and passwords.

6.10.3. Employees must have procedures to prevent unauthorized access to unattended office equipment, such as notifying their supervisor or security personnel whenever they observe such instances, and a policy to control against leaving sensitive information assets, such as documents or storage media, in insecure or easily accessible locations.

6.10.4. A network usage policy must be established, outlining which services users are permitted to use and which are not.

6.10.5. Access to the Company's information systems and information can only be made with the approval of the department head and the head of the Information Technology department, and only for tasks related to that individual's duties. Access must be restricted only to authorized individuals or those who have a need to know the information and have obtained consent from the data owner.

6.10.6. Access to all information systems must be authenticated and verified at least by a User ID and Password obtained from the system administrator before access is granted according to authorized rights. For important systems or remote access, two-factor authentication must be required. Access rights must be reviewed at least once a year.

6.10.7. Any changes to information systems, network systems, or applications must be reviewed and authorized by the data owner, and approved by the head of the Information Technology department.

6.10.8. There must be measures to prevent access to communication ports used for system inspection and configuration. These measures must cover both physical protection and protection against access through the network.

6.10.9. A system or method must be implemented to verify the quality of passwords, along with a procedure to enforce that users change their passwords periodically within a defined timeframe.

6.10.10. The use of utility programs must be restricted and controlled to prevent circumvention of established security measures, such as limiting their use only to authorized individuals. Methods for automatically logging off computers after a period of inactivity must be defined, and connection durations for high-importance information systems must be limited.

6.10.11. High-importance systems must be segregated into dedicated areas for those systems only. Policies and procedures for users who need to work for the Company from outside the office must be defined.

6.10.12. Access to any application must be controlled and limited only to authorized individuals or those assigned rights, such as system administrators. The use of licensed software must be permitted only for the purchased quantity.

6.10.13. Network access controls must define access rights for users and require that connections from computer systems to the internet be routed through the Company's designated security system. Networks should be designed with segmented zones to ensure systematic and effective threat control and prevention.

6.10.14. Control over access to operating systems or administrative actions or troubleshooting on important systems must be performed through defined procedures to access such systems, such as obtaining approval from the supervisor and identifying oneself to the computer center administrator, or accessing via a controlled central machine such as a Terminal Service or "Jump Server" to connect to the assigned destination machine, and maintaining records of operations.

6.10.15. Network systems must be segregated by service group, such as internal zones, critical system zones, and external zones, to enable systematic intrusion prevention.

6.11. Portable Computer Security:

6.11.1. The Company's policy requires users to use only Company-owned portable devices to access or store Company data and information. If personal portable devices are necessary to access or store Company data and information, approval must be obtained from the department head, or the company secretary if the user is a director.

6.11.2. Personal portable devices used by users to access or store Company data and information must not be modified to compromise security, such as "Jailbreaking" or "Rooting," and must not have pirated software installed. Passwords must be set, and data or portable devices must be encrypted according to the Information Technology department's policy. Users must obtain approval from their supervisor or the company secretary (if the user is a director) and the Information Technology department before use.

6.11.3. The Company reserves the right to inspect, suspend, revoke usage, and delete all data on portable devices, whether Company-owned or personal, used to access or store Company data and information, if such usage is deemed to pose a risk to the Company's infrastructure or data and information.

6.12. Information System Acquisition, Development, and Maintenance Security:

6.12.1. Developers and system owners must define security requirements for systems acquired or developed for use by assessing risks and identifying security requirements to mitigate those risks. At a minimum, these must align with the secure web application development guidelines from the Open Web Application Security Project (OWASP).

6.12.2. To prevent information errors, data loss, or misuse of information, input data must be verified. System developers must define mechanisms to ensure input data is accurate and appropriate before further processing, both during processing and for output data validation. System developers and owners must define mechanisms to review that information processing is accurate and appropriate.

6.12.3. Before deploying any program or system into the production environment, comprehensive security testing must be conducted to ensure no program-level vulnerabilities exist, as defined in the annual Top 10 OWASP vulnerabilities.

6.12.4. Network equipment, servers, and applications must be continuously monitored, updated, and maintained to ensure continuous and efficient service availability.

6.13. Data Encryption Security:

6.13.1. A policy controlling the use of data encryption must be established and enforced within the Company. Management of keys used for data encryption or decryption must also be defined. These keys will be used in conjunction with the Company's standard encryption techniques.

6.14. Information System File Security:

6.14.1. Measures must be defined to control the installation of new software, software libraries, and vulnerability patches on devices in use. Before installation, they must be checked to ensure they do not cause problems with the operational devices.

6.14.2. System developers must avoid using real data for system testing. If necessary, permission must be obtained from the data owner. System developers must control access to the source code of live systems and should store source code in a secure location.

6.14.3. Procedures for controlling changes to software for production information systems must be defined, and changes or modifications to operating systems must be monitored to ensure that running applications do not malfunction or cause problems. No modifications should be made to vendor-supplied software unless absolutely necessary.

6.14.4. Measures must be taken to prevent information leakage or reduce the possibility of information leakage. Measures to control and audit outsourcing of system development must be clear, including system quality assurance and defining the scope of outsourcing.

6.14.5. To mitigate risks from attacks exploiting publicly known technical vulnerabilities, relevant vulnerability information must be regularly monitored. Critical vulnerabilities must be promptly addressed and remediated. This applies to both user machines and important servers, with appropriate operational guidelines.

6.14.6. All servers and applications must undergo continuous vulnerability assessments, and any identified vulnerabilities must be remediated in accordance with defined procedures. Penetration testing, especially for critical systems and systems providing external network services, must be conducted before going live and regularly thereafter, at least once a year.

6.15. Information System Security Incident Management Security:

6.15.1. Users must report any Company security incidents, such as vulnerabilities, to their supervisor or the Information Technology department immediately upon discovery or suspicion of abnormalities. Duties and responsibilities for handling unit security incidents must be defined, including logging incidents, considering incident types, volume, and incurred damage costs.

6.15.2. Evidence must be collected in accordance with laws or regulations for use in legal proceedings or related matters.

6.16. Business Continuity Security:

6.16.1. The business continuity process must be prioritized, identifying events that disrupt business processes, their likelihood, and potential impact. Business continuity plans will be developed for important systems.

6.16.2. All business continuity plans will be regularly tested, at least once a year, to ensure they can be effectively implemented in an emergency.

6.16.3. A framework for business continuity planning must be defined to ensure all plans are consistent and cover information technology security requirements.

6.16.4. A data backup system for information systems must be established to ensure continuous and stable service of the Company's information systems. Appropriate information systems and backup systems must be maintained in a ready state. Responsibilities for data backup must be defined for system administrators, and an emergency preparedness plan for non-operational scenarios must be prepared at least once a year to ensure continuous normal operation of information systems. Such business continuity plans must be reviewed and updated if necessary.

6.17. Malware Security:

6.17.1. The Company and the Information Technology department must use software with appropriate processes for managing and preventing malicious programs (malware) that are suitable for the current environment. All employees must cooperate and comply with this policy and must not install software without permission from the system administrator or assigned personnel.

6.18. Compliance Security:

6.18.1. Every user has a duty to understand and strictly comply with the policies, rules, regulations, laws, or contracts related to information technology usage. This includes, but is not limited to:

  • Information Technology Security Policy
  • Computer Crime Act B.E. 2550 (2007)
  • Electronic Transactions Act B.E. 2544 (2001)
  • Copyright Act B.E. 2537 (1994)
  • Trademark Act B.E. 2534 (1991)
  • Personal Data Protection Act B.E. 2562 (2019)

6.18.2. Information created, stored, or transmitted through the Company's information systems is considered Company property, with the exception of data that is the property of customers or external parties, software, or other materials protected by third-party patents or copyrights.

6.18.3. Data protection measures must be established for data related to legal and practical requirements, contractual obligations, and business requirements. This also includes measures to protect personal data as specified in relevant laws, practices, and contracts.

6.18.4. Information, information systems, computer systems, network systems, and servers must be protected from misuse or unauthorized use. Data encryption measures must be implemented in accordance with or consistent with legal agreements.

6.18.5. The Company reserves the right to review and audit the use of all systems if deemed necessary, without prior notice.

6.18.6. Systems must be checked for sufficient security using vulnerability scanning software and penetration testing to detect system flaws.

6.18.7. Requirements and activities related to information system auditing must be defined to minimize impact on business processes. Software used for system auditing must be protected from misuse by ensuring that tools used for information system auditing are installed separately.

6.19. Responsibilities of Assigned Computer Users

Employees assigned to use computers must comply with the following:

6.19.1. Log out of all systems when not in use for an extended period and power off the computer and other peripheral devices immediately after work.

6.19.2. Lock the screen with a password if not in use or performing other activities for a short period, to prevent unauthorized access by others.

6.19.3. Always scan all data transferred to their computer using up-to-date antivirus software.

6.19.4. Exercise caution when posting messages or expressing opinions on various social media platforms that may infringe upon others or lead to misunderstandings about the Company.

6.19.5. Be vigilant against receiving fake information or "phishing" scams, which deceive users into clicking or entering information from emails, websites, Line, or other sources, with the intent of obtaining sensitive information from users.

6.19.6. Keep passwords and any other codes designated by the Company for accessing computer systems, information, or Company data confidential and for personal use only. Do not disclose them to others or share their use.

6.19.7. Employees with duties involving external parties must communicate and ensure that such external parties comply with the Company's Information Technology System Usage Policy.

6.20. Actions Considered Disciplinary Offenses

6.20.1. Unauthorized alteration of another person's communication data.

6.20.2. Unauthorized disclosure of the Company's confidential or proprietary business knowledge or information to others.

6.20.3. Unauthorized counterfeiting of passwords or other user IDs to access computer systems with malicious intent to commit fraud involving the Company's or customers' assets or money, or to damage reputation.

6.20.4. Allowing another person to use your password, user ID, or One Time Password (OTP) to access the Company's computer systems, or to read, copy, approve, modify, alter, or delete data for personal gain or the benefit of others.

6.20.5. Negligence or carelessness in using one's password, user ID, or One Time Password (OTP), or intentionally allowing others to use one's password, user ID, and computer system access rights.

6.20.6. Intentionally or illicitly disclosing, selling, or distributing Company data to others for personal gain or the benefit of others without authorization, or causing damage to the Company.

6.20.7. Negligence or carelessness resulting in others being able to illicitly disclose, sell, or distribute Company data.

6.20.8. Attempting to access systems without proper authorization or permission.

6.20.9. Intentionally or purposefully disrupting or destroying information, computer systems, or equipment to cause damage to the Company.

6.20.10. Illicitly monitoring, eavesdropping, searching for paths, or decrypting electronic data using any tools or technologies to obtain information or secrets of others or the Company, with intent to harm others or the Company.

6.20.11. Installing or using Hacking Tools software or any other software related to auditing and accessing sensitive Company data, except for individuals or units specifically responsible for information technology system security.

6.20.12. Connecting computer equipment or any other electronic devices to the Company's computer systems or network without authorization from the responsible unit.

6.20.13. Independently configuring and installing or changing IP Addresses without authorization from the responsible unit.

6.20.14. Unauthorized modification, alteration, or relocation of computer system components or connecting or installing any computer parts that are not Company property to Company assets without permission.

6.20.15. Retrieving or possessing inappropriate or illegal content, such as obscene text, images, etc., or anything that insults, undermines national institutions, religion, and the monarchy, or that incites disunity among the public or employees, or causes damage to the Company.

6.20.16. Sending inappropriate messages or data using the Company's email system or communication tools, such as defamation, harassment, extortion, slander, profanity, or chain letters.

6.20.17. Using the Internet or Intranet system or email for matters unrelated to the Company's business, or using Company-owned computers and equipment for entertainment or personal benefit.

6.20.18. Using software without proper legal licenses or not authorized by the Company, or that may cause damage to the Company.

6.20.19. Providing assistance or cooperating with external parties to gain access to the Company's computer systems or information systems, or to copy or destroy the Company's information or computer systems.

7. Distribution of the Information Technology Security Policy Document

7.1. Policy Dissemination Plan

7.1.1. This policy document will be made available for all users to read and understand, and it will be published on the Company's website.

7.2. Training Plan

7.2.1. Analyze which employees are affected by the Information Technology Security Policy.

7.2.2. Employees affected by such incidents must receive training on the Information Technology Security Policy.

7.2.3. Develop a training plan for the Information Technology Security Policy as needed.

8. Policy Implementation Method

The Information Technology Department has developed the Information Technology Security Policy by referencing the ISO/IEC 27001:2013 Information Security Management Systems standard to ensure information security.

9. Disciplinary Actions

9.1. Verbal Warning

9.2. Written Warning

9.3. Temporary Suspension without Pay

9.4. Termination of Employment

9.5. Dismissal

9.6. Criminal or Civil Legal Action

In cases of disciplinary action against employees, the Company is not obligated to follow the above sequence. The Company may choose to impose penalties by considering the severity of the offense committed.

10. Policy Review

The Senior Information Technology Executive or assigned personnel must regularly review this policy at least once a year and submit it to the Executive Chairman for approval if any changes are made.

This policy shall be effective from July 1, B.E. 2568 (2025).
Announced on June 30, B.E. 2568 (2025)

 

-------------------------------------------

(Mr. Prajak Sripa)

Information Technology Manager 

 

-------------------------------------------

(Ms. Kocharath Thanadamrongsak)

Chief Technology Officer

 

-------------------------------------------

(Mr. Sompol Thanadamrongsak)

Managing Director
