General
The Agency manages information security using a Plan-Do-Check-Act (PDCA) quality control cycle. This is a process-based approach to management in which controls are chosen in proportion to the risks to each asset, and in which the Agency’s Information Security Policy and guidelines are checked, assessed, reviewed and revised, and the related documents continually improved, so that they remain consistent with the Agency’s strategy. The review takes place annually or whenever a significant event occurs.
Information Security Structure, Roles, Duties and Responsibilities
The Agency is required to divide work duties and responsibilities clearly in order to reduce the likelihood of unauthorized or unintentional changes to information security systems, changes to the Agency’s assets, or misuse of property.
Roles, Duties and Responsibilities
(1) The Director has the duty to oversee and provide the resources necessary for information security systems, and to announce and communicate the Information Security Policy and guidelines specified by the Agency so that they are complied with. Where a computer or information system causes damage or harm to the Agency or to any person through negligence, violation of, or non-compliance with the Information Security Policy and guidelines, the Director bears direct responsibility for all such damage.
(2) The Chief Information Officer (CIO) has the duty to approve the Information Security Policy and guidelines for use. Where an information technology risk is found to be at a level unacceptable to the Agency, and limitations or other reasons prevent that risk from being corrected and controlled, the CIO decides whether to accept the risk or to prescribe another course of correction, taking the potential effects into account. Where workers violate the Information Security Policy and guidelines or intellectual property or copyright law, the CIO decides whether to take disciplinary action, demand compensation or prosecute the workers under the law. Where workers are found to have taken action in the area of information that may damage the Agency or create a misleading impression of its image, the CIO decides whether to order suspension, cancellation or other action.
(3) The Chief Information Security Officer (CISO) has the duty to monitor and advise on the preparation and review of the Information Security Policy and guidelines.
(4) The Information Technology Management Committee has the duty to govern, oversee, monitor and advise on the preparation and approval of the Information Security Policy and guidelines.
(5) The ISO 27001:2013 Standards Group has the duty to review and carry out the work of the Agency’s information security management system in an orderly and effective manner.
(6) The ISO 22301:2012 Standards Group has the duty to review and carry out the work of the Agency’s business continuity management system.
(7) The Quality Assurance Section under the Organization Development Office has the duty to publish the Information Security Policy and guidelines on the Agency’s intranet so that they are communicated to the Agency’s workers, and to publish them on the ETDA website so that the outside parties involved can conveniently access and acknowledge them.
(8) The Compliance Governance Section under the Organization Development Office has the duty to study, disseminate, govern and monitor work to ensure that work is compliant with laws, requirements, rules, regulations, notifications, directives or associated resolutions.
(9) Internal auditors of the information security management system have the duty to plan and coordinate internal audits, report internal audit results, and monitor and examine corrective or preventive actions for flaws detected in internal audits.
(10) Asset custodians have the duty to manage the assets assigned to them: maintaining them, keeping the asset register up to date, and assessing the risks to those assets from activities inside and outside the Agency, taking into account the conditions for maintaining security and the supporting measures that must be in place before an activity is performed, and applying the measures that outside organizations are required to acknowledge under agreements between the Agency and those organizations.
(11) Workers are obliged to comply with the Agency’s Information Security Policy and guidelines, to safeguard the Agency’s assets and to use caution when using them. Workers must have awareness and knowledge of information security.
The Agency is required to maintain contact names and details for the relevant organizations with which it contacts and coordinates on information security, and to review them at least annually or whenever they change.
The Agency is likewise required to maintain contact names and details for special interest groups, information security interest groups or organizations, and the associations and companies in the industries in which the Agency is involved, and to review them at least annually or whenever they change.
Risk Management
The Agency has an information technology risk management policy and risk management plans, with defined criteria for assessing, treating and accepting risk, in order to reduce the likelihood of loss of confidentiality, integrity and availability of the Agency’s assets.
Personnel Security
The Agency builds knowledge and awareness of the secure use of information systems among users and workers by preparing manuals, providing training and publishing related documents on the Agency’s internal website, and communicates the relevant parts of the Information Security Policy to external service providers.
Asset Management
The Agency has a policy to manage assets through appropriate measures controlling their use throughout their useful life, from procurement to registration, maintenance, distribution and disposal, according to the classification level of the information held in each asset.
Document and Information Management
The Agency has a policy to manage documents relating to its internal operations, such as the Information Security Policy and guidelines, procedures, work instructions, supporting documents, information system setup manuals and records. Documents are coded and controlled: they are registered, reviewed and approved before use, and thereafter revised, distributed, withdrawn and disposed of when no longer in use.
Control of Information System Access and Use
The Agency has a policy to control user access to information systems at each step: registration, granting of rights, revocation of rights and review of rights to use information systems and mobile devices, including protection of personal information that must not be disclosed under the law.
Cryptographic Key Management
The Agency has a policy to manage cryptographic keys by specifying the methods for generating keys, their lifetime, storage, backup, transfer, disposal and access, and the procedure to follow when key material has been disclosed to a person (key compromise).
Operations Security
The Agency has a policy to maintain operations security covering the following topics: preparation of operating procedures, protection against malware, control of operational software, vulnerability management and information system audit.
Physical and Environmental Security for the Agency’s Areas and Secure Areas
The Agency has a policy to create physical and environmental security including measures concerning physical and environmental access to the Agency’s areas, item delivery areas and secure areas including areas of data centers used by the Agency to provide services.
Management of Changes
The Agency has a policy to manage changes to the organization, business processes, assets and information processing systems that affect information security, so that changes are planned, prioritized, assessed for impact and approved by authorized persons, with appropriate assignment of responsibility, testing, records and operation, in order to reduce both the likelihood and the impact of damage caused by a change while maintaining information security.
Capacity Management
The Agency has a policy to manage the capacity of its information systems, including testing of functions and provision of resources sufficient for the Agency’s needs, so that the Agency’s information systems can provide services continuously.
Data Backups and Information System Recovery
The Agency has a policy to back up the data of its information systems, to prevent data loss or damage from undesirable or unexpected incidents and to enable the Agency’s information systems to continue providing services.
Logging and Monitoring
The Agency has a policy to monitor events that occur in its information systems, such as system administrator and user activities and abnormalities or errors in information systems and functions. Event records must be protected from unauthorized modification, deletion and access. The Agency continually checks and analyzes recorded events to prevent undesirable incidents or threats with potential impact on the Agency.
Communication and Network Utilization Management
The Agency has a policy to control communications and data transmission over its networks in order to prevent unauthorized access to the Agency’s information systems, prevent threats with potential impact on the Agency, and control network access for work performed from outside the Agency’s offices.
System Procurement, Development and Maintenance
The Agency has an Information Security Policy for the information system procurement, development and maintenance processes. The Agency conducts feasibility studies and impact analyses, and tests information systems for consistency with their specifications before they are transferred into the production environment, to prevent effects on the Agency’s operations or mission.
Management of Services Provided by Outside Organizations
The Agency has a policy to manage services provided by outside organizations by specifying rules, regulations, criteria and work guidelines for monitoring, reviewing and managing changes to those services, and by regularly assessing the services delivered, in order to control and ensure the correct and secure use of the Agency’s data and information systems.
Information Security Incident Management
The Agency has a policy to manage information security incidents and undesirable or unexpected security situations by designating the duties of the people involved and the steps for monitoring and reporting incidents, analyzing and collecting evidence, resolving the problem and recording the incident, so that responses are fast, effective and organized. Information from the analysis and resolution is used to reduce the likelihood or impact of future incidents.
Management of the Agency’s Business Continuity
The Agency has a policy to manage the continuity of its information security and business operations. The ISO 22301:2012 Standards Group is required to conduct business impact analyses (BIA) to prioritize the data and information systems that must remain available, specify the necessary processes, activities and resources, prepare the relevant documents, and communicate this information to the people involved so that they are aware of their duties, and to organize information security continuity management plans at least annually.
Compliance with Requirements
The Agency has a policy to comply with the laws, rules, regulations and contractual obligations concerning information security, and with the standards and security requirements the Agency itself has set. The Agency communicates these to workers for acknowledgement and understanding, and reviews and inspects compliance with the policies the Agency has made.
Performance Evaluation and Internal Audit of the Management Systems
The Agency has a policy to evaluate performance and conduct internal audits of its standards-based management systems by requiring performance assessments and measurements consistent with the laws, rules and regulations the Agency has specified and with the standards necessary for its operations, in order to have confidence in the efficiency of the Agency’s performance and the security of its data and information systems.
Management Review
The Chief Information Security Officer reviews the Agency’s information security management system at the specified times, at least once per year or when significant changes occur.
Corrective Action and Improvement
The Agency has a policy to correct work that does not conform to its information security requirements by specifying a review process, identifying causes, making corrections or changes to the information security management system, reviewing the effectiveness of those changes and retaining the relevant documents, to ensure continual and effective improvement.
Changes to the Information Security Policy
The Agency may from time to time modify its Information Security Policy to keep it consistent with changes to its services and operations and with your recommendations or opinions. The Agency will clearly announce and notify you of changes before they take effect, or may send notifications to you directly.
For more information on the Information Security Policy and guidelines, please consult the full Policy and guidelines. If you have further questions, please contact the Agency at the following address:
Electronic Transactions Development Agency,
The Government Complex Commemorating His
Majesty the King’s 80th Birthday Anniversary, (Building B),
6th Floor, 120 Moo 3 Chaengwattana Road,
Thungsonghong, Lak Si District, Bangkok 10210
Tel. 02-123-1234
Fax. 02-123-1200
Website https://www.etda.or.th