BUSINESS OPERATION AND PERFORMANCE CORPORATE GOVERNANCE FINANCIAL REPORTS AND FINANCIAL STATEMENTS APPENDIX According to the GCMS implementation plan, GC will use GCMS as a framework for internal assessment in 2022 and will expand to GC’s subsidiaries from 2023 onwards. (3) IT Governance GC adopted GCMS, which is its integrated management system, as well as COBIT 5 (IT Framework), TQA (Thailand Quality Award) and GC Way of Conduct as frameworks for establishing its IT standards, which place emphasis on various aspects of IT systems, namely the quality, security, and availability of data and information, the specifications of hardware and software, cybersecurity, and availability in case of emergency. The management is divided into three levels as follows: Governance Level GC Group’s Digital and IT Steering Committee (DISC) is responsible for defining the group’s digital and IT direction, policies, and goals to ensure uniformity and the level of standard comparable to that of leading international companies in the same industry, with the Chief Executive Officer and President serving as the chairmen of DISC. The Digital & IT Investment Management Committee (DIM) consists of DIM1, responsible for reviewing investments worth over Baht 10 million but not exceeding Baht 300 million, and DIM2, responsible for reviewing investments worth under Baht 10 million. The Information Safety and Security Committee (ISMS Committee) is charged with ensuring that GC’s information security, cybersecurity, and cloud security are consistent with international standards. The Enterprise Architecture Committee (EA Committee) is charged with the management of the Company’s IT structure to ensure its alignment with usage requirements and currency as well as maximum benefits in use. The Chief Information Security Officer (CISO) has duties to set target and security maintenance policies to be in line with the strategies and plans of the Company, develop IT security policies, standards, procedures and guidelines to ensure that the Company can maintain confidentiality of information, integrity of information and IT system availability, and controlling and reporting cyber attack incidents to the Executives and the National Cyber Security Agency. Management Level Establishing data and information management pol icies, such as informat ion securi ty ( IS) , cybersecurity policy, cloud security policy, and service level agreement (SLA), Secure System Development Life Cycle (SSDLC) and Data Protection. Adopting the ISO Series (ISO 27001, ISO 27701 and ISO 22301) as compliance framework and control for users to ensure the accuracy and availability of data and information; and introducing internal and external audit systems to the audit and review of its processes to ensure the accuracy, reliability, and integrity of the data and information. Operation Level Establishing systems, procedures, and services for users; publishing and storing them on the internet as reference for users; and sending out IT updates via email every two weeks, except emergencies, for which users will be given an immediate notification. Tracking progress and using the results to further improve the Company’s IT management and services; overseeing and keeping IT security up to date; and reporting progress to Executives and responsible Sub-committees regularly. Assessing IT resource risk every year to ensure the resources are sufficient to protect the accuracy, integrity, reliability, and currency of data and information. Additionally, GC has carried out the following activities in relation to IT management: Data and Information Security: GC has implemented a data and information security system that uses ISO 27001 as framework. A real-time monitoring system is also employed to review risks related to IT threats on a monthly basis. Data and Information Availability: GC has established data and information usage plans in line with its corporate strategic plans and surveyed the needs of all business groups to formulate IT strategic plans. In addition, a data recovery site (DR Site) has been set up for 24-hour backup of important information, which can be readily retrieved. The Company has also formulated disaster recovery plans for the main data system in accordance with business cont inui ty management standards (ISO 22301), along with recovery procedures for handling an emergency that impacts the main data system. Additionally, IT Disaster Recovery Drills are conducted every year. 181