Page 137 - Annual report STi 2022_eng
(7) Establish a framework for the operation and oversight of risk management throughout the organization under the leadership of the Chief Executive Officer. If management finds that the organization-wide risk management policy is inappropriate for the operating conditions, it must be presented to the Board of Directors of the Company through the Risk Management Committee for review and approval of improvements to the organization-wide risk management policy.
(8) Set up a risk management system that covers the entire organization and its practice guidelines, to reduce the impact that risks may have on the business of the Company, including regular risk assessments.
(9) Prepare and approve appropriate risk management plans that assess the risk factors that may affect the business operations of the Company. Prepare risk management plans at all levels by gathering opinions from executives and employees of the various departments.
(10) Ensure the accuracy, timeliness, and consistency of the enterprise-wide risk management information reported to the Board of Directors and the Audit Committee.
(11) Encourage executives and employees to recognize the importance of managing the risks that could prevent the Company from achieving its goals, and promote a culture of risk management awareness in the organization.
(12) Perform duties as authorized by the Board of Directors.
(13) Follow up on the progress of the implementation of the Company's risk management plan, and provide advice and recommendations on risk management.
(14) The duties and responsibilities of the supervisor for network infrastructure security and information security, the CSO (Chief Security Officer), are as follows:
(14.1) Set information security targets and policy in the same direction as the corporate strategic plan.
(14.2) Improve the security policy, standards, procedures, and guidelines that protect the confidentiality, integrity, and availability of the Company's information.
(14.3) Manage the monitoring of attacks and threats against the Company's systems by means of intrusion detection systems, intrusion prevention systems, or anti-virus systems, and prepare the business continuity plan and disaster recovery plan.
(14.4) Perform risk management and risk analysis for risks that may cause system problems affecting the business operations of the organization.
(14.5) Propose operational plans, policies, budgets, manpower, and information security outsourcing plans to top executives (the Chief Executive Officer) for approval, and raise their awareness of the importance of information security.
(14.6) Advise other departments that use information technology in their work on information security systems.
(14.7) Establish and maintain relationships with partners, organizations, and third parties involved in information security, both public and private, such as the police, journalists, system integrators, outsourcers, managed security service providers, and auditors.
(14.8) Issue requests for proposal for the procurement of network information security systems.
(14.9) Establish and direct the Incident Response team so that it can operate in the event of an emergency in the organization, such as a computer virus outbreak.
Stonehenge Inter Public Company Limited 135