Information Technology and Cyber Security Policy

Principles

    The Eastern Economic Corridor Office of Thailand (EECO) has established regulations governing the use, maintenance, and protection of information systems in a manner appropriate to its operations, with emphasis on ensuring information security. The core principles are maintaining confidentiality, integrity, and availability, as follows:

    Confidentiality refers to the prevention of unauthorized access to assets, including their disclosure or distribution. Both physical and technical controls must be implemented to ensure that unauthorized persons cannot access such assets. Each asset shall be classified and assigned a protection level appropriate to its sensitivity, ensuring proper handling by authorized personnel.

    Integrity refers to safeguarding assets from unauthorized modification or alteration, whether intentional or accidental. This requires the implementation of controls governing edit permissions and access rights, supported by accounting records and technical audit mechanisms.

    Availability means ensuring that authorized users can access assets as needed, both physically and electronically. For example, the electronic mail system must remain continuously operational to allow users to send and receive messages at all times.

Operational Policy

1. EECO shall conduct a risk assessment at least once a year and whenever significant changes occur, taking into account internal and external contexts, stakeholders, the organization’s vision and mission, developments in cybersecurity systems, risks, and relevant international standards.

2. EECO shall establish acceptable and unacceptable risk criteria to guide the management of risks identified during assessments.

3. EECO shall review this policy at least once a year or upon significant organizational changes.

4. EECO shall develop a cybersecurity incident response plan to address and respond to cybersecurity threats and incidents.

5. EECO shall evaluate the effectiveness of this policy and use the findings to improve related policies and strategic plans to align with current and emerging threats.

6. EECO shall allocate sufficient resources, including budget, personnel, and technology, to ensure effective cybersecurity management.

Cybersecurity Governance Structure

    EECO has established control measures to supervise and monitor cybersecurity practices across all divisions, and to regulate information equipment and remote operations in accordance with this Information and Cyber Security Policy. The structure comprises two key components:

1. Internal Organization
    EECO defines the roles and responsibilities governing the appropriate and secure use of information technology systems within the organization.

2. Computing Device and Teleworking Policy
    Measures are established to maintain cybersecurity for computing devices and remote operations conducted outside the office.

Human Resource Security Policy

    EECO maintains processes for the recruitment, training, and supervision of personnel throughout the employment lifecycle to ensure that all employees understand their roles and responsibilities in safeguarding the organization’s data and information systems. This applies prior to employment, during employment, upon changes in position, and at the termination of employment.

Asset Management

    EECO identifies important assets and assigns responsibilities for protecting them against threats, vulnerabilities, intrusions, theft, or damage. This includes:

1. Asset Management Policy
    Identifying important assets and assigning appropriate protective responsibilities.

2. Information Classification Policy
    Ensuring that information is protected according to its level of importance and sensitivity.

3. Media Handling Policy
    Preventing unauthorized disclosure, alteration, deletion, or destruction of information assets.

Information Access Control

    EECO enforces access control policies to ensure that only authorized users can access information systems, thereby preventing unauthorized disclosure, theft, or misuse and ensuring secure operations. This includes:

1. Information System Access and Usage Policy
    Establishing rules and controls for access to and use of EECO's information systems.

2. Operating System Access Control Policy
    Preventing unauthorized access to the operating system.

3. Application and Information Access Control Policy
    Regulating access to applications and information to prevent unauthorized use.

Data Encryption Policy

    EECO implements encryption standards and procedures to ensure the confidentiality of information, authenticate system users, and prevent unauthorized modification of data in an effective and appropriate manner.

Physical and Environmental Security Policy

    EECO has established physical and environmental security standards governing access to buildings, facilities, and information-system areas based on the importance and confidentiality of information assets. These measures apply to both internal users and external service providers.
