True Information Security Policy

1. Purpose
The purpose of the master information security policy is to provide the direction for safeguarding information assets belonging to True Corp, its subsidiaries and stakeholders (third parties, clients or customers and the general public), within a secure environment.

This Policy informs the staff of True Corp and its subsidiaries, IT entities and information system owners, and other individuals entitled to use the facilities of True Corp and its subsidiaries, of the principles governing information security.

The goals of safeguarding information assets include:
• Information assets will be protected against unauthorised access or misuse.
• Confidentiality of information will be secured.
• Integrity of information will be maintained.
• Availability of information assets will be maintained for service delivery.
• Business continuity planning processes will be maintained.
• Regulatory, contractual and legal requirements will be complied with.
• Physical, logical, environmental and communications security will be maintained.
• Infringement of this Policy may result in disciplinary action or criminal prosecution.
• When information is no longer of use, it is disposed of in a suitable manner.
• All information security incidents will be reported to the assigned entity, and investigated through the appropriate management channel.

Information assets relate to:
• Electronic information systems (software, computers, and peripherals) owned by True Corp and its subsidiaries, whether deployed or accessed on or off the network of True Corp and its subsidiaries.
• The computer network used either directly or indirectly.
• Hardware, software and data owned by True Corp and its subsidiaries.
• Paper-based materials.
• Electronic recording devices (video, audio, CCTV systems).

2. The Policy
True Corp and its subsidiaries require all users to exercise a duty of care in relation to the operation and use of its information systems.

2.1 Authorised users of information systems
All users of True Corp and its subsidiaries' information systems shall be formally authorised by its IT entity. Authorised users will be in possession of a unique user identity. Any password associated with a user identity shall not be disclosed to any other person.

Authorised users will pay due care and attention to protect the information of True Corp and its subsidiaries in their personal possession. Confidential, personal or private information shall not be copied or transported without consideration of:
• permission of the information owner
• the risks associated with loss or falling into the wrong hands
• how the information will be secured during transport and at its destination.

2.2 Acceptable use of information systems
Use of the information systems of True Corp and its subsidiaries by authorised users will be lawful, honest, decent and shall have regard to the rights and sensitivities of other people.

2.3 System Owners
System owners who are responsible for information systems are required to coordinate with its IT entity to ensure that:
1. Systems are adequately protected from unauthorised access.
2. A Business Continuity Plan is in place and ready to ensure the availability of the key business information system.
3. Systems can be recovered in the event of loss of the primary source, i.e. failure or loss of a computer system.
4. Data is maintained with a high degree of accuracy and quality.
5. Transfer of confidential data via Internet websites must be protected.
6. System owner shall use the approved cryptographic techniques to ensure secrecy and integrity of data.
7. Systems are developed securely and meet their intended purpose.
8. Electronic data, including personal data, transaction data, audit trail and access logs, are only retained for a justifiable period to ensure compliance with relevant laws and True Group standard.
9. Third parties that access the data of True Corp and its subsidiaries, or provide services to True Corp and its subsidiaries, should understand their responsibilities with respect to maintaining its security.

2.4 Operations
Each IT entity of True Corp and its subsidiaries is responsible for all related operation tasks in its area of responsibility. The IT entity shall ensure that:
1. Changes in data and system configuration are controlled.
2. Vulnerabilities related to system and infrastructure are managed and monitored.
3. A disaster recovery plan is in place and ready to restore data to a level commensurate with its importance.
4. Electronic data backups should be kept and be ready for restoration.
5. A strong authentication system is in place to authenticate authorized persons.
6. IT assets are secured against theft and physical damage.
7. IT governance, IT risk management and IT compliance activities are supported.

2.5 Access Control
True Corp and its subsidiaries operate on the principle of 'least privilege' for access control. This is to ensure that only authorized individuals are permitted access to our business applications, systems, networks and computing devices; that individual accountability is established; and that authorized users are provided with access permissions that are sufficient to enable them to perform their duties but do not permit them to exceed their authority.

2.6 Personal Information
Personal information must be protected from any harm. Duly authorised officers of True Corp and its subsidiaries may access or monitor personal data contained in True Corp and its subsidiaries' own information systems.

2.7 Communications and Operations Security
A defence-in-depth approach shall be implemented to protect the information assets of True Corp and its subsidiaries from existing and emerging threats. Security-related operations such as back-up and recovery, change management, release management and capacity planning shall be delivered by experienced IT officers. Security monitoring shall be performed to detect any unusual or suspicious events and trigger the information security incident response team to handle the incident.

Remote access to the network of True Corp and its subsidiaries is only permitted for preauthorized employees using a True Corp managed asset. This is achieved using an encrypted VPN solution that performs security validation checks against the asset and is supported by multi-factor authentication.

2.8 Individuals in breach of this policy
Individuals in breach of this policy are subject to disciplinary procedures and legal actions. True Corp and its subsidiaries will take legal action against staff or third parties to ensure that its information systems are not used by unauthorised persons.

3. Ownership
3.1 IT senior management of True Corp and IT senior management of each subsidiary have direct responsibility for maintaining this policy in their managing areas. All IT entities and information system owners are responsible for the implementation of this policy within their area, and for ensuring adherence.

We may update this security policy from time to time according to our security practices and compliance with the relevant law.

We reserve the right to update this security policy on our websites without prior notice.

The companies in the True Group are Asia Wireless Communication Co., Ltd., Bangkok Inter Teletech Public Company Limited, BFKT (Thailand) Limited, Chiwiborirak Co., Ltd., Seekone Holding Company Limited, Seekster Co., Ltd., Seekforce Co., Ltd., Cineplex Co., Ltd., WorldPhone Shop Company Limited, TAC Property Company Limited, dtac TriNet Company Limited, DTAC Broadband Company Limited, dtac Accelerate Company Limited, dtac Digital Media Company Limited, TeleAssets Company Limited, Hutchison Wireless MultiMedia Holdings Limited, Internet Knowledge Service Center Co., Ltd., KSC Commercial Internet Co., Ltd., MKSC World Dot Com Co., Ltd., SM True Co., Ltd., True Corporation Public Company Limited, Telecom Asset Management Co., Ltd., Telecom Holding Co., Ltd., Thai News Network (TNN) Co., Ltd., True Digital Group Co., Ltd., True Digital Park Co., Ltd., True Distribution and Sales Co., Ltd., True4U Station Co., Ltd., True Incube Co., Ltd., True Internet Corporation Co., Ltd., True Life Plus Co., Ltd., True Media Solutions Co., Ltd., True Move Co., Ltd., True Move H Universal Communication Co., Ltd., True Multimedia Co., Ltd., True United Football Club Co., Ltd., True Visions Group Co., Ltd., True Voice Co., Ltd., Gold Palace Investments Limited, Golden Light Co., Ltd., Goldsky Co., Ltd., K.I.N. (Thailand) Co., Ltd., Mediaload Pte. Ltd., Mediaload (Cambodia) Co., Ltd., Mediaload Myanmar Co., Ltd., Two Way PR Co., Ltd., True Internet Technology (Shanghai) Company Limited, True Trademark Holdings Company Limited, Crave Interactive Limited, Crave Interactive B.V., Crave Interactive Inc., PT True Digital Indonesia, True Digital Philippines Inc., True Digital Vietnam Joint Stock Company, Zapgroup Inc.

At present, the Information Security Policy was last reviewed on 13 June 2023.