Information Security Policy

Introduction

Bangkok Life Assurance Public Limited Company (“the Company”) establishes the information security policy to ensure information technology security and cyber security for its business operations whilst maintaining confidentiality, accuracy and availability of the systems and use information technology.

Purpose

To ensure assessment and management of risk tolerance for the Company’s information technology system, maintaining appropriate internal control, security, accuracy and reliability as well as to ensure appropriate safeguarding of the company’s data and information assets in line with applicable information technology requirements, rules, regulations, laws, international standards and orders given by business regulatory agencies.

Scope

All personnel of Bangkok Life Assurance Public Limited Company and its subsidiaries must acknowledge, understand and strictly adhere to this information technology policy.

Definition

“Information Technology”

means data processing systems or processes using computer technology to systematically manage data in order to obtain information for effective business support.

“Information Technology Security”

means the protection of information technology and information assets from unauthorized access, use, disclosure, obstruction, alteration, modification, loss, damage, destruction, or knowledge by maintaining confidentiality, integrity and availability of the information technology and information assets as well as their other qualities, including authenticity, accountability, non-repudiation, reliability and responsiveness to threats and prompt information technology recovery without any business disruptions (resilience).

“Cyber Security”

means any measures or actions established to prevent, cope with, and mitigate risks arising from both internal and external cyber threats that may affect the stability of the information technology systems.

“Cyber Threat”

means any unauthorized acts or operations involving the use of a computer, computer system or unwanted program with the intention to harm and compromise the operation of the computer system, computer data, or other related data.

“Malicious Software”

means any programs designed to generate undesirable results for a user or system by attacking the system, damaging the system as well as stealing data.

“Antivirus Software”

means any programs designed to detect, prevent, and eliminate various forms of malicious software or computer threats, including viruses, worms, trojans, spyware, adware, and other types of threatening software.

Information Technology Security Requirements

This policy has the following requirements:

1. Establish appropriate information technology security practice framework which also applies to external IT service providers.
2. Establish information technology security measures to maintain confidentiality, integrity, availability and business continuity.
3. Establish management and classification of information assets as well as confidentiality level and measures for system and information access control to prevent data breach or misuse of position.
4. Establish measures for maintaining physical and environmental security, measures for user and system administrator control, measures for preventing and maintaining security in information technology
5. Establish measures for information technology communication security, measures for encryption to control receiving or exchanging information, and appropriate practice guidelines for seeking, developing and maintaining information system.
6. Establish measures to prevent malware, information system threats and cyber threats as well as anti-virus programs, technical vulnerability management or testing of information system security regularly or at least once a year.
7. Establish efficient information technology project management, business continuity plan and information technology emergency plan to prepare for and to promptly handle any threats or incidents which may impact the business operations and information technology operations.
8. Ensure effective communication and implementation across the organization and regularly promote security awareness amongst employees.

Revision

The Company shall review this policy at least once a year or when there are material changes.





​

Reviewed in accordance with the resolution of the 7/2023 Board of Directors’ Meeting held on December 13, 2023