The Digital & IT Investment Management Committee (DIM) is responsible for reviewing the objectives of investment projects, technology selection, and returns on investment. The Enterprise Risk Management Committee (ERM) is responsible for overseeing the identification and management of risks to keep them within the organization's risk appetite. The Information Security Management System Committee (ISMS Committee) is responsible for ensuring that GC's information security, cybersecurity, and cloud security are consistent with international standards and that risks stay within the risk appetite.

2. Management Level
The Enterprise Architecture Committee (EA Committee) is responsible for managing the Company's IT architecture so that it remains aligned with business requirements, up to date, and fully utilized. The Management Level carries out its oversight duties through data and information management policies, such as the policies on Information Security (IS), Cybersecurity, Cloud Security, Service Level Agreements (SLA), the Secure System Development Life Cycle (SSDLC), and Data Protection.

3. Operation Level
Establishing systems, procedures, and services for users; publishing and storing them on the internet as a reference for users; and sending out IT updates by email every two weeks, except for emergencies, of which users are notified immediately.
Assessing IT resource risk every year to ensure that resources are sufficient to protect the accuracy, integrity, reliability, and currency of data and information.
Monitoring performance both internally and externally to validate work processes; using the results to further improve the Company's IT management and services and to keep IT security up to date; and reporting progress regularly to Executives and the responsible Sub-committees.

Management Processes: The management processes are divided into three categories.

1. Information Security and Cybersecurity Governance
To establish clear operational directions and ensure transparent management from the policy level down to the operational level, GC governs and manages its information security and personal data management systems in compliance with ISO/IEC 27001:2022, ISO/IEC 27701:2019, and the Cybersecurity Framework developed by the US National Institute of Standards and Technology (NIST). GC's information security and cybersecurity governance comprises policies, reference standards, procedure handbooks, and software, which together cover the five functions of the NIST Cybersecurity Framework: identify, protect, detect, respond, and recover. In addition, GC has appointed the Senior Vice President – Transformation Excellence to serve as the Company's Chief Information Security Officer (CISO), with the following roles:
1. To serve as Chairperson of the Information Security Management System Committee (ISMS Committee).
2. To establish information security goals and policies in line with GC's strategic plans.
3. To develop information security policies, standards, processes, and guidelines to maintain the confidentiality, integrity, and availability of GC's information.
4. To coordinate, control, and report cybersecurity incidents to GC's top executives and to the National Cyber Security Agency (NCSA).

2. Information Security and Cybersecurity Control
GC has established information security, cybersecurity, and personal data management policies and measures in line with the international ISO/IEC 27001 and ISO/IEC 27701 standards to strengthen the security and stability of its information security and cybersecurity management system and to prevent misuse in violation of the Computer-related Crime Act and the Personal Data Protection Act.

In 2023, GC updated its information security management system certification from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 and maintained its personal data protection management system certification under ISO/IEC 27701:2019, with the scope described below: