SECTION 1: GENERAL RULES
1 Purpose of “Information Security Policy”
“Information Security Policy” (hereinafter referred to as “Policy”) is issued in compliance with Thai laws, compliance requirements, and the All Toyota Security Guideline (ATSG). The purpose of this Policy is to prevent any risk from both internal and external usage, to counter any cyberattack, and to recover the Company's information assets for our customers and the Company (“Company” means TOYOTA Connected Asia Pacific Ltd).
2 Applicable scopes of “Information Security Policy”
The levels of information security shall be classified to match the organization’s requirements, time, resources, technology, budget, and environment. The Policy is binding on all employees, including permanent staff, outsourced staff, contract staff, and temporary staff (hereinafter referred to as “Staff”).
SECTION 2: INFORMATION SECURITY POLICY
3 Information security for information asset of our customers
The Company shall provide appropriate measures to guarantee the availability, integrity and confidentiality of the Company's data, information assets, and services for our customers.
4 Information security for information asset of the Company
The Company shall ensure that the information assets of customers and confidential data are protected and handled with care to prevent the risk of loss, destruction, falsification, threats, IT security incidents, and leakage of information assets.
5 Internal organization and responsibility
The Company has established the “Data Security Committee”, which is responsible for the following:
1) Review the security policy statements and follow Thai security laws and the All Toyota Security Guideline (ATSG) to ensure the efficiency and effectiveness of the information security controls infrastructure.
2) Advise the Company on consent, data collection and protection, and recommend improvements wherever necessary.
3) Act as an IT security auditor, discuss and decide on IT security incidents, create response and recovery plans, and then report to all related parties.
6 Responsibility of employees
The Staff shall comply with laws and the Company's compliance requirements, rules, and regulations related to the Information Security Management Policy, Confidential Information Protection Policy, Company Entrance Permission Policy, and IT Device Usage & Management Policy.
The Company will continuously provide education and awareness-raising regarding information security management to the Staff to ensure that the information security policy is thoroughly known.
All subjects who handle information assets shall comply with the information security policy and fulfill the obligations and responsibilities set forth therein.
7 Handling of personal information
Regarding the handling of personal information, the Company shall comply with related regulations based on the "Confidential Information Protection Policy".
8 Handling of confidential information
Regarding the handling of confidential information, the Company shall comply with related regulations based on the "Confidential Information Protection Policy", “Company Entrance Permission Policy”, and “IT Device Usage & Management Policy”.
9 Handling of information systems
Information systems shall be handled in compliance with the related standard operating procedures (SOP) to control system access, user management, asset & device management, monitoring control, storage & restoration management, and data sharing management.
10 Monitoring of information security management
The Company shall strive to ensure information security management by periodically monitoring and auditing the status of various operations related to information security management and taking appropriate corrective action as necessary.
11 Maintenance and improvement of information security management
The Company performs preventive and corrective maintenance on the Company's IT infrastructure and adapts it to changes in technology, the business environment, security laws, customer needs, and Toyota Group requirements. The Company shall review the maintenance tasks and improve information security management frequently and whenever a new system is implemented.
12 Legal compliance
Legal compliance shall be observed in day-to-day business practice. Furthermore, the Company's legal compliance is based on the related information security management of Thai laws, morals, the nature and scale of the business, the Company's vision, internal factors, and external factors.