Cybersecurity & Privacy

All 7 stakeholder groups

  • Customer
  • Business Alliance
  • Regulatory agencies
  • Employee
  • Shareholders, Investors, and Securities Analysts
  • Community and Society
  • Mass Media and Online Media
Importance

The increasing use of digital technology to support service provision, corporate management, and airport operations has made information technology security, stability of use, and protection of privacy increasingly important. This is because, in the event of data leakage, system disruption, or cyber-attacks, stakeholders may suffer damage and lose confidence in AOT. Such events may also violate human rights in relation to personal privacy.

Policy and Management Approaches

AOT has stipulated the AOT ICT Security Policy, AOT Cyber Security Policy, and AOT Data Privacy Policy, which comply with the applicable laws, and disseminates these policies to AOT employees and third parties who work for AOT so that they are aware of the importance of maintaining security and privacy in the use of information technology systems. Moreover, AOT regularly conducts risk assessments and system security tests and receives the ICT Security Management System Certificate, ISO/IEC 27001:2013.

1. AOT ICT Security Policy


AOT ICT Security Policy focuses on ensuring the Confidentiality, Integrity, and Availability of AOT's ICT systems, covering access to information systems, network systems, operating systems, and software applications. This requires risk monitoring and assessment, including the preparation of an emergency plan to ensure the continuous availability of information as under normal circumstances.

These policies are also disclosed to AOT's employees at all levels and the third parties who work with AOT for acknowledgment and compliance. In addition, the AOT President or an assigned senior executive determines the operational guidelines and supervises, controls, inspects, and gives advice on operations. The policies are reviewed on a regular basis, at least once a year or when necessary. The AOT President is responsible for the incurred risks and damages in case the ICT system or information assets of AOT cause any damage to the organization or any person due to non-compliance with the policies.

2. AOT Cyber Security Policy


In 2021, AOT established its Cybersecurity Policy to maintain cybersecurity by preventing, addressing, and mitigating risks from cyber threats, both domestic and international, that could impact AOT's operations or services. Such impacts would, in turn, affect national security and economic stability. The policy aligns with the guidelines and plans set forth by the National Cybersecurity Committee.

3. AOT Data Privacy Policy

AOT stipulates the AOT Data Privacy Policy in order to ensure the security of the personal information of electronic transaction users, covering the information of employees, third parties working with AOT, and service users. The policy is reviewed regularly, at least once a year or when a significant change occurs. AOT's President or senior executives are assigned to formulate policies to support operational guidelines as well as supervision, control, inspection, and advice. Violating AOT's privacy policy is considered a disciplinary offense under AOT's regulations.

AOT Data Privacy Policy is consistent with "The Royal Decree Prescribing Rules and Procedures of Electronic Transactions in the Public Sectors B.E.2549 (2006)", the "Notification of the Electronic Transactions Commission on Policy and Practice Guidelines for Personal Data Protection of Government Agencies B.E.2553 (2010)", the "International Principles on the Protection of Personal Data of the Organization for Economic Co-operation and Development: OECD", and the "Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data," or OECD Guidelines.

4. AOT Personal Data Protection Policy

AOT has designated the Information and Communication Technology Strategy Department, Digital and Communication Technology Group, to manage information technology and its security. The department also organizes activities in response to AOT's Information and Communication Technology Security Policy, AOT Data Privacy Policy, and security practices in information and communication technology. The Corporate Strategy Department is the unit responsible for reviewing operational plans every year and reporting the results to the Information and Communication Technology Management Committee, which is chaired by the AOT President.


Information Security and Privacy Management System

AOT has designated the Information Technology Strategy Department under the Information Technology and Communication Division to manage information technology and data security. This includes organizing activities to comply with AOT's Information Technology and Communication Security Policy, Personal Data Protection Policy, and Information Technology and Communication Security Practices. The Strategy Department reviews the operational plan annually and reports the results to the Information Technology and Communication Executive Committee, chaired by the President. Additionally, information technology and communication security are included as part of the internal employee evaluation process.

Featured Activities

Providing knowledge through public relations media via the AOT STAFF system

AOT prepared information security and privacy media, delivered via the Line@AOT STAFF system, to increase AOT employees' awareness of information technology security and privacy. The topics included are:

  • 10 things we need to know about PDPA
  • What are the rights of the data subject in PDPA
  • Who is who in PDPA
  • Things to know about data privacy
  • Processing of employment-related personal data

Training on Information Technology and Privacy

Preparation activities to support the Personal Data Protection Act B.E. 2562 (2019)

In 2023, AOT prepared for the Personal Data Protection Act B.E. 2562 (2019) as follows:

  • AOT organized training to raise awareness of personal data protection according to the Personal Data Protection Act B.E. 2562 (2019) for AOT's executives and employees at the AOT Head Office and the 6 airports under its responsibility. In addition, the training aimed to provide knowledge and understanding of personal data protection laws, actions to comply with the requirements of the law, general necessary measures, and information security measures that AOT must implement.

Training courses to prepare for implementation and development of information security management system (ISMS)

AOT conducted training to prepare and educate employees on the development of AOT's ISMS. The training also raised awareness of information security through AOT's ICT Security Management System Consultancy Project on the critical infrastructure and support processes in the work of organizational resources management systems, according to the ISO/IEC 27001 Standard. The training consisted of 7 courses as follows:

  1. Development of information security management system and requirements according to ISO/IEC 27001 Standard.
  2. Roles of relevant people in the development of information security management system and requirements according to ISO/IEC 27001 Standard.
  3. Information Security Risk Management
  4. Information Security Lead Implementer based on ISO/IEC 27001 Standard.
  5. Information Security Management System Auditor/Lead Auditor based on ISO/IEC 27001 Standard.
  6. Raising awareness on information security for AOT executives and employees in all 7 locations namely AOT Head Office, Don Mueang International Airport, Chiang Mai International Airport, Phuket International Airport, Hat Yai International Airport, Mae Fah Luang – Chiang Rai International Airport and Suvarnabhumi Airport.
  7. Raising awareness on personal data protection in accordance with the Personal Data Protection Act B.E.2562 (2019)

The objective of the training is to educate employees on best practices in managing Information Security Management Systems (ISMS) as outlined in the ISO/IEC 27001:2013 Standard, including laws, regulations, and ICT security policies and practices, so that AOT employees can operate properly and appropriately and understand legal issues related to information security, along with prevention measures and guidelines.

Management evaluation

AOT requires its ICT security to be audited by an external independent agency based on ISO/IEC 27001:2013 and continuously monitors the number of complaints received from service users, government agencies, and external agencies, including cases of data leakage or loss, and reports this information to the Information and Communication Technology Management Committee, chaired by an AOT Board member, on a quarterly basis. In addition, AOT sets up measures to reduce risks and maintain users' confidence in data security and privacy, and discloses the statistics of operating results in the Sustainable Development Report annually.

Last Updated: May 17, 2024