As Personal Data Protection Act B.E. 2562 will be officially enforced in June 2022, data or personal information of both private and public organizations would be targeted by hackers. To protect this arising issue under Cybersecurity Act B.E. 2562 (A.D. 2019) (:Act”), it is responsible for the “National Cyber Security Committee” (“NCSC”) to provide measures for preventing and mitigating risks from cyberthreats.
Under Section 3 of the Act, critical information infrastructure (“CII”) refers to the computer or computer system that a government agency or a company uses in its operation which relates to maintaining national security, public security, national economic security, or infrastructures in the public interest.
In this regard, the NCSC has implemented a plan to prevent cyberthreats by requiring approximately 100 organizations to be linked with the CII and will comply with the standard framework of security requirements which consists of 7 areas, namely national security, public services, banking and finance, information technology and telecoms, transport and logistics, energy and public utilities, and public health.
In addition, according to Section 44 of the Act, it requires the NCSA to prepare a code of practice and standard framework for maintaining cybersecurity of each organization in accordance with the policy and the plan on maintaining cybersecurity linked to the CII to comply with provisions of the Act. The requirements include cyber incident response, cyber risk assessment, and auditing etc.
The NCSA announced that security standard requirements, including requirements for software and operating systems, for state agencies and CII-linked corporations, are expected to be enforced by the end of this year.