The weakest link is the human factor GRC can help.. New cyber law - - PowerPoint PPT Presentation




How to deter criminals from attacking your organization?

How to collect evidence to prosecute the cyber criminals?

How to comply with the laws & regulations?

How does your organization help prevent cybersecurity breaches?

The weakest link is the human factor – GRC can help…


New cyber law will not steal personal data: Ministry

March 02, 2019 01:00 By The Nation Weekend

The Ministry of Digital Economy and Society brushed aside criticism that the newly-passed national cybersecurity law will infringe upon people’s privacy, saying instead that the new law will secure the country’s critical infrastructure.

Vunnaporn Devahastin, the ministry’s deputy permanent secretary, said the new law had been misunderstood, judging by the allegations of infringement circulating on social media. Instead, she said, the new legislation aimed to protect critical national infrastructure, such as public utilities, banking and financial services, and transportation, from cyberattack.


Once the Cybersecurity Act is published in the Government Gazette, any entities that could potentially be deemed critical information infrastructure organizations should monitor the development of the Act closely and prepare for compliance. All other entities should prepare their IT systems and update relevant legal documents, including IT policies and breach notifications, and conduct personnel training to raise awareness of cybersecurity.


Review legal compliance and business strategy relating to privacy and security risk management, cybersecurity, and technology transactions. Provide a comprehensive cyber risk management and incident response service that includes developing internal policies and procedures, drafting cyber incident response plans, and stress-testing those plans by conducting simulated cyber incidents.


Cybersecurity Act

Along with the Thailand Personal Data Protection Act, the Cybersecurity Act was approved and endorsed by the National Legislative Assembly on 28 February 2019.

Effective Date

Once the Cybersecurity Act is published in the Government Gazette, the Act will become effective. We expect that the Act will be published in the Government Gazette in a couple of months (tentatively in April or May 2019).


Definitions of Cybersecurity & Cyber Threats

Under the current version of the Cybersecurity Act, "Cybersecurity" means any measure or procedure established to prevent, handle, and/or mitigate the risk of Cyber Threats from both inside and outside the country, which affect national security, economic security, martial security, and public order.

"Cyber Threats" mean any action or unlawful undertaking done using a computer, computer system, or undesirable program with an intention to cause harm to the computer system, computer data, or other relevant data, and include imminent threats which would cause damage to or affect the operation of the computer, computer system, or other relevant data.

Levels of Cyber Threats

The Act has classed Cyber Threats into three levels, as follows:

(1) non-critical level Cyber Threats;
(2) critical level Cyber Threats; and
(3) crisis level Cyber Threats.

The power and authority of relevant officials against private organizations will differ depending on the level of a particular Cyber Threat.

Obligations of Private Organizations

Private organizations could be subject to the Cybersecurity Act, as follows:

(1) Critical information infrastructure organizations

Private organizations using computers and computer systems in the course of their operations to maintain national security, public security, national economic security, or fundamental infrastructure for the public interest could be deemed critical information infrastructure organizations under the Act. Critical information infrastructure organizations have various obligations under the Act, including:

(i) providing names and contact information of the owner(s), person(s) possessing the computer, and person(s) monitoring the computer system;
(ii) complying with the code of practice and minimum cybersecurity standards;
(iii) conducting risk assessment; and
(iv) notifying of Cyber Threats.

In the event of a Cyber Threat, a critical information infrastructure organization is required to investigate related information, computer data, and the computer system of the affected organization, and to protect against, handle, and mitigate the risks from the Cyber Threat in accordance with the Code of Practice and cybersecurity standards. Critical information infrastructure organizations are also subject to the same obligations as private organizations.

(2) Private organizations

  • Private organizations which are not critical information infrastructure organizations are also subject to the Act.
  • In the event of a Cyber Threat, the relevant authorities may request cooperation from or order private organizations to perform various actions, such as (i) providing access to relevant computer data or a computer system, or other information related to the computer system, only to the extent necessary to prevent Cyber Threats; (ii) monitoring the computer or computer system; (iii) allowing officials to test the operation of the computer or computer system, or seize or freeze a computer, a computer system, or any equipment.
  • Generally, such orders must be limited to what is necessary to prevent or handle Cyber Threats. The extent of the orders will depend on the level of a particular Cyber Threat. Certain orders would require a court order, while others will not.
  • The penalties vary from fines to imprisonment.

https://www.youtube.com/watch?v=F3TGcQWCH1g
