ThaiBev uses the latest Zero Trust security strategy, treating every attempt to gain access to the network or IT infrastructure as a threat and not trusting anyone inside or outside the network unless their identity is verified through authentication. Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) are used to provide stronger and more efficient authentication.
ThaiBev conducts Vulnerability Testing to identify system weaknesses or flaws that unauthorized parties might exploit. This proactive approach allows administrators to address vulnerabilities before a problem occurs.
- Vulnerability assessment has been conducted and vulnerabilities have been remediated.
- Vulnerability scanning: VA scan reports are provided to system/service owners.
- Remediation: At the completion of each vulnerability scan, system/service owners must review the vulnerability report and ensure that vulnerabilities are remediated.
- Risk-compensating controls shall be performed if applicable.
The purpose of the scan is to identify vulnerabilities in 561 IT assets. The audit results are presented using Tenable software.
The vulnerability scan revealed 109 unique vulnerabilities across 39 assets, categorized by critical, high, medium, and low severity levels, as shown in the table below.
ThaiBev conducts penetration testing by authorized cybersecurity experts to identify vulnerabilities in network systems, software, applications or devices. Pen testing enables us to strengthen any weaknesses and reduce the risk of unauthorized access or attacks.
ThaiBev manages public-facing parts of its computer systems and networks to prevent unauthorized access. Tools like Security Scorecard help monitor risks and vulnerabilities in externally accessible systems and protect confidential user data from exposure. This approach provides a comprehensive view of all assets and potential vulnerabilities, facilitating quick remediation.
ThaiBev strengthens the cybersecurity of its operational networks, especially critical systems like production line control and machinery management, with a focus on protecting control systems and networks from attacks, network segmentation, surveillance, and real-time monitoring of network activities in order to detect and respond to anomalies. This ensures the continuity of production operations.
ThaiBev has adopted a robust cybersecurity strategy that not only identifies and addresses vulnerabilities but also continually strengthens our security posture against potential threats. Accordingly, we conduct ongoing external and internal audits of IT systems and networks on a regular basis to ensure that they have the highest level of security and resilience.
- Independent audits shall be performed at least annually to ensure that the organization addresses nonconformities with established policies, standards, processes, and compliance obligations.
- Audit plans shall focus on reviewing the effectiveness of security operations implementation.
- The internal audit results comply with the requirements of the ISO/IEC 27001:2022 standard.
- External Audit – Overall Conclusion: The overall management system has been effectively implemented and is properly operated to ensure the achievement of its intended outcomes. In the past year, it has been certified by BSI.
The objective is to bring additional value by keeping the services uninterrupted in the event of a disaster and to maintain the availability targets as agreed.
- Initiation Phase: Define the scope of the policy, allocate necessary resources, and establish the project and control structure.
- Requirements, Strategy, and Tactics: Business Impact Analysis (BIA), selection of continuity/recovery strategies, risk assessment, and risk treatment planning.
- Implementation Phase: Develop the Service Continuity Plan (SCP) and implement the selected continuity and recovery strategies.
- Ongoing Operation and Testing: Education, awareness, and training; review, testing, and change control.
Maintain test records and conduct testing of the Service Continuity Plan at least twice a year to ensure its effectiveness and readiness. During the recent test, the Active Directory (AD) server was activated at the DR Site (STTGDC), and a Service Core Switch failure was simulated at The PARQ-QSR.
All staff involved demonstrated an understanding of the Business Continuity Plan (BCP), and testing results were documented.
Recommendations for improvement were identified to address any observed weaknesses and enhance the continuity response.
Maintaining personal data privacy is important both to engender trust and to comply with regulations. Last year, ThaiBev’s legal department developed a privacy manual for all affiliated companies, written in easy-to-understand language, which is available on the company’s internal website.
ThaiBev’s Personal Data Privacy communication channels for stakeholder inquiries and complaints are well maintained, with conclusions reviewed by executive management in every case.
Information Security Incident Response Process – ensures a consistent and effective approach to managing and responding to information security incidents and events.
- Communication Strategy: Information security events shall be reported and recorded in accordance with applicable legal, statutory, or regulatory compliance obligations.
- Criteria for Classifying High-Severity Information Security Incidents
- Monitoring of Reported Security Incidents
- Information Security Incident Response
- The testing process must be conducted at least once a year.
- Service Improvement Through Knowledge Gained from Information Security Incidents
Measurement and Reporting: Information security event reports must be responded to promptly.