How to deter How to comply criminals from with the laws & attacking your regulations? organization? How does your How to collect organization evidence to help prevent prosecute the cybersecurity cyber criminals? breaches? The weakest link is the human factor – GRC can help………..
New cyber law will not steal personal data: Ministry March 02, 2019 01:00 By The Nation Weekend The Ministry of Digital Economy and Society brushed aside criticism that the newly-passed national cybersecurity law will infringe upon people’s privacy, saying instead that the new law will secure the country’s critical infrastructure. Vunnaporn Devahastin, the ministry’s deputy permanent secretary, said the new law had been misunderstood, judging by allegations of infringement on social media. Instead, she said, the new legislation aimed to protect critical national infrastructure for public utilities, banking and financial services, and transportation etc from cyberattack.
Once the Cybersecurity Act is published in the Government Gazette, any potential entities that could be deemed critical information infrastructure organizations should monitor the development of the Act closely and prepare for compliance . All other entities should prepare their IT systems and update relevant legal documents, including IT policies and breach notifications, and conduct personnel training to raise awareness on cybersecurity.
Go through legal compliance and business strategy relating to privacy and security risk management and cybersecurity and technology transactions. Do a comprehensive cyber risk management and incident response service which includes developing internal policies and procedures, drafting cyber incident response plans and stress testing those plans by conducting simulated cyber incidents.
Cybersecurity Act Along with the Thailand Personal Data Protection Act, the Cybersecurity Act was approved and endorsed by the National Legislative Assembly on 28 February 2019. Effective Date Once the Cybersecurity Act is published in the Government Gazette, the Act will become effective. We expect that the Act will be published in the Government Gazette in a couple of months (tentatively in April or May 2019).
Definitions of Cybersecurity & Cyber Threats Under the current version of the Cybersecurity Act, "Cybersecurity" means any measure or procedure established to prevent, handle, and/or mitigate the risk of Cyber Threats from both inside and outside the country, which affect national security, economic security, martial security, and public order. "Cyber Threats" mean any action or unlawful undertaking done using a computer, computer system, or undesirable program with an intention to cause harm to the computer system, computer data, or other relevant data, and includes imminent threats which would cause damage or affect operation of the computer, computer system, or other relevant data.
Levels of Cyber Threats The Act has classed Cyber Threats into three levels, as follows: (1) non-critical level Cyber Threats; (2) critical level Cyber Threats; and (3) crisis level Cyber Threats. The power and authority of relevant officials against private organizations will be different depending on the level of a particular Cyber Threat.
Obligations of Private Organizations Private organizations could be subject to the Cybersecurity Act, as follows: (1) Critical information infrastructure organizations Private organizations using computers and computer systems in the course of their operations to maintain national security, public security, national economic security, or fundamental infrastructure for public interest could be deemed critical information infrastructure organizations under the Act. Critical information infrastructure organizations have various obligations under the Act, including (i) providing names and contact information of the owner(s), person(s) possessing the computer and person(s) monitoring the computer system; (ii) complying with the code of practice and minimum cybersecurity standards; (iii) conducting risk assessment; and (iv) notifying of Cyber Threats. In the event of a Cyber Threat, a critical information infrastructure organization is required to investigate related information, computer data, and the computer system of such affected organization, and protect, handle, and mitigate the risks from the Cyber Threats in accordance with the Code of Practice and cybersecurity standards. Critical information infrastructure organizations are also subject to the same obligations as private organizations.
(2) Private organizations • Private organizations which are not critical information infrastructure organizations are also subject to the Act. • In the event of a Cyber Threat, the relevant authorities may request cooperation from or order private organizations to perform various actions, such as (i) providing access to relevant computer data or a computer system, or other information related to the computer system only to the extent it is necessary to prevent Cyber Threats, (ii) monitoring the computer or computer system; (iii) allowing officials to test the operation of the computer or computer system, or seize or freeze a computer, a computer system, or any equipment. • Generally, such orders must be limited to the necessity to preventing or handling Cyber Threats. The extent of the orders will depend on the level of a particular Cyber Threat. Certain orders would require a court order, while others will not. • The penalties vary from fines to imprisonment.
https://www.youtube.com/watch ?v=F3TGcQWCH1g
Recommend
More recommend
