Prep required for cybersecurity rules

Enforcement of new regulations imminent

The regulation on guidelines and standard practices for CII-linked organisations' cyber defence is scheduled to be enforced on Sept 6.

The National Cyber Security Agency (NCSA) is urging organisations associated with critical information infrastructure (CII) to accelerate efforts to comply with two upcoming regulations regarding minimal requirements for their cyberdefence practices and responsibility for their sectoral computer emergency response teams (CERTs).

The regulation on guidelines and standard practices for CII-linked organisations' cyberdefence is set to be enforced on Sept 6, while the legislation which defines the duty and responsibility of sectoral CERTs is set to come into effect on Aug 23.

"These are two regulations under the Cybersecurity Act that will come into effect over the next two months, and they will raise the bar of Thailand's cybersecurity," Paiboon Amonpinyokeat, a member of the National Cyber Security Committee, told the Bangkok Post.

AVM Amorn Chomchoey, deputy secretary-general of the NCSA, said there are some 60 CII-linked organisations in the country.

The seven aspects of CII defined by the Cybersecurity Act concern national security, significant public service, banking and finance, information technologies and telecommunication, transportation and logistics, energy and public utilities, and public health.

Over the past year, the NCSA has provided details of the baseline security framework for CII-linked organisations through a cyberclinic programme and various events, he said.

About 30% of the CII-linked enterprises are ready to comply with the regulation, said AVM Amorn. The agency will assess how these organisations comply during the first three months of the law being put into effect.

Some sectoral CERTs have been established, including TB-CERT (Thailand Banking Sector CERT), Thailand Telecommunication CERT (TTC-CERT) and Thai Capital Market CERT (TCM-CERT).

Among government agencies, the organisations which are ready for the law's critical requirements include the Comptroller-General's Department, Revenue Department, Civil Registration Office, and the army, AVM Amorn said.

The NCSA will cooperate with the Office of the Permanent Secretary of the Ministry of Public Health to establish a "Health CERT" and support the Mor Prom app, which records the vaccination history of each individual.

"Collaboration is needed among those in the public health sector as they have a huge record of sensitive data that can affect people's lives," said AVM Amorn. "In some hospitals, there are only five IT staff to oversee 700 computers."

The NCSA is also scaling up efforts to produce cybersecurity personnel by helping people obtain the Certified Information Systems Security Professional (CISSP), a globally recognised certification for information technology security professionals.

The agency provides a scholarship for people who want to be trained for the CISSP test, and 30 people have passed the criteria for this scholarship.

Some 300 people in Thailand have obtained CISSPs.

According to AVM Amorn, the NCSA will work with the Council of University Presidents of Thailand to usher in a bachelor's degree for cybersecurity and coordinate with the Office of the Basic Education Commission to introduce cybersecurity literacy in schools.

The agency will also work with the Office of the Personal Data Protection Commission to ramp up public awareness of cyberdefence and data privacy protection.

"If we have better protection, it will minimise the impact of a data breach," AVM Amorn said.

He said the NCSA is now in the process of establishing a "National CERT" to replace the existing ThaiCERT, in line with the Cybersecurity Act.

Mr Paiboon added that the country now has a complete range of legal mechanisms that can help tackle hacking and online fraud, through four laws -- the Computer-Related Crime Act, Personal Data Protection Act, Cybersecurity Act and the Digital ID Act.
