Information Security Standard Operating Procedures

INFORMATION SECURITY
STANDARD OPERATING
PROCEDURES
(IS-SOP)
PRECIOUS SHIPPING PUBLIC COMPANY LIMITED INFORMATION SECURITY SOP
GREAT CIRCLE SHIPPING AGENCY LIMITED Established June 2022
© COPYRIGHT
PRECIOUS SHIPPING PUBLIC COMPANY LIMITED 2022
This document is not to be reproduced in whole or in part without the prior

written permission of Precious Shipping Public Company Limited
(hereinafter referred to as The Company). The information contained
herein is the property of The Company and is to be used only for the
purposes for which it is submitted and is not to be released in whole or in
part without prior written permission of The Company.
IS-SOP published June 2022 Internal Use Only

TABLE OF CONTENTS
SECTION NO. SECTION TITLE
COVER PAGE
COPYRIGHT
TABLE OF CONTENTS
READER’S ACKNOWLEDGEMENT & AMENDMENT RECORD
POLICY STATEMENT FROM MANAGEMENT
SECTION 1 THE ORGANISATION
SECTION 2 INFORMATION SECURITY MANAGEMENT SYSTEM

READER’S ACKNOWLEDGEMENT
All employees shall indicate, by signing below, that they have read and understood the contents of this Manual.
Record of only current employees need to be available.
Date Name Designation Signature

READER’S ACKNOWLEDGEMENT
All employees shall indicate, by signing below, that they have read and understood the contents of this Manual.
Record of only current employees need to be available.
Date Name Designation Signature

INFORMATION SECURITY STANDARD OPERATING PROCEDURES
AMENDMENT RECORD
AMENDMENT AMENDED CONTENTS / PAGE NO INITIALS OF IT HOD

DATED SECTION NO:
JUNE 2022 NEWLY ESTABLISHED
REVISION 01

POLICY STATEMENT FROM THE MANAGEMENT
Information security management system is integral to Precious Shipping Public

Company Limited’s operation. We strive to assure integrity of all information we
collect, produce, manage, disseminate or store. All critical data will be handled
through sound confidentiality procedures. This policy aims to protect our information
assets from any internal, external, deliberate or accidental threats. To pursue the
policy, we shall:
 ensure that all information, including internal, third party, personal and
electronic data, is treated with complete confidentiality;
 maintain integrity of all such information;
 ensure that our information system and the information contained meet the needs
of our core and supporting business operations;
 comply with all applicable statutory and regulatory requirements;
 safeguard security of our information assets through effective business continuity
management;
 make information available to staff and the public with minimum disruption;
 increase staff awareness of information security management through education
and training;
 perform reliable access control to protect our information system against
unauthorized access.
Under this policy:
 All breaches of information security, actual or suspected, will be reported to and

investigated by authorized persons including System Administrator and Incident
Investigator by following procedures laid out in our Incident Handling Plan;
 IT Department is responsible for documenting and maintaining the Information
Security Management System;
 Information Security documents not limited to Policies, Procedures and
Guidelines will be made available in both hardcopy and online format through
an intranet system to support the ISMS Policy;
 All department heads shall implement the policy within their units and ensure
that every staff member adheres to the policy.
This policy has been approved by the Managing Director and Executive Directors. It
will be reviewed, and if necessary revised, annually to keep up to date and such
revisions will be promptly communicated to all users. We welcome interested parties’
comments on the enforcement of the policy and the policy itself.

THE ORGANISATION
CONTENTS
1.1 INTRODUCTION
1.1.1 Overview
1.1.2 Availability And Distribution Of Company’s Manuals
1.1.3 Information Security Management System Standard
1.1.4 Management’s Responsibility Towards ISMS
1.2 ORGANIZATION
1.2.1 Precious Shipping Public Company Limited (The Company)
1.3 SPHERES OF RESPONSIBILITY FOR MANAGEMENT TEAM

1.3.1 Managing Director
1.3.2 Head of IT Department
1.3.3 Senior Manager, IT
1.3.4 Assistant Manager, IT
1.3.5 IT Supervisor
Heads of Department (Technical, Commercial, Accounting, Finance, Legal,
1.3.6
Purchase and Human Resources)
1.4 SPHERES OF RESPONSIBILITY FOR SPECIALIST FUNCTIONS

1.4.1 Quality System Manager for Information Security (QSM)
1.4.2 Auditors
1.4.3 Insurance & Claim Manager (ICM)
1.5 COMPANY ORGANOGRAM
1.6 Senior Manager (IT) Monthly Report
2.1 INTRODUCTION TO THE DOCUMENTATION SYSTEM

2.2 STANDARD OPERATING PROCEDURES
2.3 NON-CONFORMANCES AND CORRECTIVE ACTIONS
2.4 AUDITS
APPENDIX A

1.1 INTRODUCTION
1.1.1 OVERVIEW
Precious Shipping Public Company Limited (PSL) is a pure dry cargo ship-owner operating
in the Handysize, Supramax and Ultramax sectors of the tramp freight market. PSL was
established in December 1989 and commenced commercial operations in March 1991, after
obtaining the approvals from the Bank of Thailand and the Board of Investment. PSL was
granted “listed” status on the Stock Exchange of Thailand on the 16th of September 1993.
Great Circle Shipping Agency Limited (GCSHIP) was established in Bangkok, Thailand in
1988 and, is in the business of Ship Management services, providing full technical and
manning services to our exclusive principals, Precious Shipping PCL, Bangkok, Thailand
who have entrusted all their owned vessels to us. GCSHIP and PSL are located at the same
premises. GCSHIP is a fully owned subsidiary company of PSL. Our objective is to provide
PSL and other customers with safe, reliable, efficient, environmentally friendly and quality
services, which meet the agreed specifications and shall always strive to improve our services.
The Company has established Information Security Management System (ISMS) based on the
ISO’s Information Security Management System (ISO/IEC 27001:2013). The Company’s
ISMS include Standard Operating Procedures, Incident Handling Plan and IT Policy and
Procedures.
INFORMATION SECURITY REQUIREMENTS
Information Security requirement are collectively specified by the following instruments:
1. Policy Statement from the Management

2. Information Security Management System (ISO/IEC 27001:2013).
3. Standard of Good Practice (SOGP), Information Security Forum
4. NIST Special Publications (800 Series), NIST Computer Security Division
5. Industry guidelines and standard practices.
6. IMO resolutions on cybersecurity, MSC.428(98)
1.1.2 AVAILABILITY AND DISTRIBUTION OF COMPANY’S MANUALS
The working language, understood by all key personnel is English. Therefore, the Company's
Information Security Management System documentation is in English language. In order to
prevent users from following obsolete or out-of-date systems, procedures, or instructions,
only Controlled Copies of this manual are held with the IT Department and on Company’s
Intranet site which is accessible to all.
It is the wish of the Company that all employees familiarise themselves with the contents of
each manual in the Information Security Management System, thus helping the Company to
achieve its Information Security objectives. Department heads must actively encourage its use
as a source of reference.

Electronic version with latest revisions will be available at

(https://preciousshipping.sharepoint.com/sites/pslintranet/).
1.1.3 INFORMATION SECURITY MANAGEMENT SYSTEM STANDARD
Means the international Standard as laid down in ISO/IEC 27001:2013. This standard applies
the high-level structure, identical sub-clause titles, identical text, common terms, and core
definitions with other management system standards to maintain compatibility.
ELEMENTS OF THE ISMS STANDARD

PART A - IMPLEMENTATION
1. GENERAL - DEFINITIONS, OBJECTIVES, APPLICATION &
FUNCTIONAL REQUIREMENTS FOR AN INFORMATION SECURITY
MANAGEMENT SYSTEM.
2. COMPANY RESPONSIBILITIES AND AUTHORITY.
3. RESOURCES AND PERSONNEL
4. OFFICE OPERATIONS.
5. MAINTENANCE OF THE SYSTEM AND EQUIPMENT.
6. BACKUP PROCEDURES.
7. INCIDENT HANDLING.
8. REPORTS AND ANALYSIS OF NON-CONFORMITIES, INCIDENTS.
9. EMERGENCY PREPAREDNESS.
10. DOCUMENTATION.
11. COMPANY VERIFICATION, REVIEW AND EVALUATION.
PART B - CERTIFICATION AND VERIFICATION

12. CERTIFICATION AND PERIODICAL VERIFICATION.
13. INTERNAL REVIEW AND AUDITS
14. FORMS.
Primary Objectives
 Safeguarding the accuracy and completeness of all information assets

 Ensuring that the information is not made available or disclosed to unauthorized
individuals, entities, or processes
 Ensuring that the information is accessible and usable upon demand by an authorized
user
1.1.4 MANAGEMENT’S RESPONSIBILITY TOWARDS ISMS
Management’s responsibility to the company ISMS is briefly summarised under the following
category of functions:
• To determine the boundaries and applicability of the information security management
policy to align with the strategic direction of the organization.
• Ensuring the integration of information security management system requirements into
the organizations processes
• Ensuring that the resources needed for implementing the information security
management system are made available
• Communicating the importance of effective information security management system

to other relevant management roles to apply to their areas of responsibility
• To identify interested parties that are relevant to the information security management
system
• To determine the requirements of such interested parties relevant to information security
management system
• Ensuring that the information security management system achieves its intended
outcome by conducting periodical reviews
• Promoting continuous improvement.
1.1.4.1 IMPLEMENTING
IT Department is responsible for implementing Company’s ISMS by conducting staff training

& educating them about Company’s ISMS policies and Standard Operating Procedures. The
heads of department shall ensure that all employees under them read this manual and the
Readers Acknowledgement sheet at the beginning of each manual is signed to indicate that
the manual has been read and understood. This IS-SOP manual has been designed to assist
users with the standards of information security management the Company has set and
understand the implications of breaching these policies.
These manuals are also provided in soft copies at the company’s intranet website at
https://preciousshipping.sharepoint.com/sites/pslintranet/
1.1.4.2 MONITORING THE SYSTEM
Head of IT Department is responsible to continuously monitor the effectiveness of the ISMS

and identify areas that need to be improved. This is achieved by (but not limited to) the
following:
 Identifying any Non-Conformances
 Periodical review by users of the ISMS
 Evaluation of drills and awareness trainings.
 Investigation of incidents.
1.1.4.5 REVISION AND AMENDMENTS
This manual is subject to Document Control procedures stated below.
Company information security policy and operating procedures are constantly under
review, necessitating amendments to all manuals from time to time. If several amendments
have been carried out, complete manual will be revised and issued as a new edition when
deemed necessary. Each document holder will be notified of any important changes by
various means of communication such as Email or circulars in the first instance. Amended
sections of the relevant manual are issued subsequently. All amendments carried out in the
manuals will be recorded in the amendment record sheet.
All employees are encouraged to recommend amendments or improvements to the

company information security procedures and the information security management
system. Form ITS029 should be used to send feed backs to the IT Department. Head of IT

Department shall review these suggestions to carry out amendments and revisions to ISMS
when required. A summary of all reviews received from users are prepared annually and
circulated to employees with comments of the company where necessary.
1.2 ORGANISATION
1.2.1 Precious Shipping Public Company Limited (The Company)
Precious Shipping Public Company Limited (The Company) is headed by a Managing

Director (MD) charged with statutory responsibilities.
The Managing Director has entrusted the responsibility of the Company’s functions to the
Executive Directors who are in turn assisted in accomplishing their duties and responsibilities
by the Heads of various departments. The organization consists of highly skilled, experienced,
and motivated professionals, who assist the Managing Director. These personnel are
committed to the Company’s ISMS and ensure Safe Operations consistent with the statutory
rules & regulations, ISO 27001:2013 Standards, best industry practices. The Company’s
Organization chart can be found at the end of this section.
1.3 SPHERES OF RESPONSIBILITY FOR THE MANAGEMENT TEAM
1.3.1 Managing Director (MD)
The MD is ultimately responsible for the Company's Information Security Management

System (ISMS) and the establishment and observance of the Company's Information Security
Policy by all employees.
1.3.2 Head of IT Department (MR)
The performance of the policy is the prime responsibility of the Head of IT Department. He
is the Management Representative (MR) for the ISMS. He ensures and verifies that all
Company operations fully conform to the Company's ISMS. MR is responsible to the
Managing Director (MD) and his responsibilities include:
a) Administering and monitoring the Company’s Information Security policies as
documented in the Information Security Management System Policy manual.
b) Ensure that the Company has the necessary expertise, both commercially and
technically, to sustain all its actual or projected activities.
c) Ensuring that the duties and responsibilities identified for all personnel described in
the ISMS are observed.
d) Planning major upgrades
e) Preparation and controlling of budgets.
f) Reporting relating to the performance and running costs to higher management.
g) Authorization of expenditure for purchases of hardware, software, licences Etc.
h) Project and modification studies, preparation of budgets and executing such work on
receiving approval from the management.

i) Dealing with any incidents of non-conformance and security breaches, analysing root
cause, and implementing corrective and preventive actions.
j) Authorization of the appointments of service providers.
k) Take active participation in periodical management review and initiate necessary
actions.
l) Incorporate Risk based thinking into the organisation’s culture.
1.3.3 Senior Manager, IT (SM)
The prime responsibility of Senior Manager is to assist and depute MR in all matters related
to the company’s information security policy and procedures. SM is a suitably qualified and
experienced subject matter expert, who is well versed in the organization’s processes.
He ensures and verifies that all information services provided to the users fully conform to
the Company's ISMS. SM is responsible to the Management Representative (MR). SM is
assisted by the other members of the IT department. His responsibilities may include but
not limited to following:
Planning major upgrades
b) Preparation and controlling of budgets.
c) Project and modification studies, preparation of budgets and executing such work on
d) Dealing with any incidents of non-conformance and security breaches, analysing root
cause, and implementing corrective and preventive actions.
e) Manage and Maintain IT Infrastructure including Company ERP.
f) Manage and Maintain IT Business Continuity
g) Manage other IT Staff by recruiting, training and communicating job expectations
h) Assess Vendor and procurement.
i) Troubleshoot hardware and software issue related to IT
j) Send Monthly IT Report to MR monthly basis.
k) Project and modification studies, preparation of budgets and executing such work on
l) Taking active part in the Management reviews and taking actions as deemed
necessary.
m) Ensuring that for any non-Conformities pointed out, proper and timely corrective
action is taken. Preventive measures are put in place to avoid reoccurrence.
n) Ensuring Risk based thinking into the organisation is followed by assigning
responsibilities and authorities for risk and opportunity management activities.
o) Risk Register and Opportunities for Improvements are identified and maintained
within the department under him in the organisation.
1.3.4 Assistant Manager, IT (AM)

AMs comprise of persons familiar with subject matter, qualified, experienced, and well
versed in the organization’s processes.
The AM is responsible to the SM and shall ensure that duties assigned to him, are carried
out in a safe, efficient and timely manner, in compliance with all applicable national and
international rules & regulations and are in conformity with the company’s ISMS policies.
The AM is in-charge of day-to-day functions assigned to him. His duties and responsibilities
are not limited to but include following:
1. Manage and Maintain IT Infrastructure including Company ERP
2. Manage and Maintain IT Business Continuity.
3. Manage and Maintain IT Asset
4. Assess Vendor and Procurement.
5. Troubleshoot hardware and software issue related to IT
6. Monitor and Maintain Backup System for Company.
7. Monitor the system daily
8. Other tasks assigned by MR or SM.
1.3.5 IT Supervisor
IT Supervisor provides support to the whole IT Team as required. He is experienced, and

well versed in the organization’s processes.
The IT Supervisor is in-charge of day-to-day functions assigned to him. His duties and
responsibilities are not limited to but include following:
1. Manage and Maintain IT Infrastructure
2. Manage and Maintain IT Asset
3. Troubleshoot hardware and software issue related to IT.
4. Monitor and Maintain Backup System for Company.
5. Procurement.
6. Monitor the systems daily.
7. Ensuring that all installations, maintenance and upgrade meet to client specifications.
8. Other tasks assigned by MR or SM.
1.3.6 Heads of Department (Technical, Commercial, Accounting, Finance, Legal, Purchase

and Human Resources)

b) Ensuring that the duties and responsibilities identified for all personnel described in the
ISMS are observed as per the Company’s Information Security Standard Operating
Procedures
c) Take active participation in periodical management review, give suggestions for
improvement, and initiate necessary actions.
d) Incorporate Risk based thinking into the organisation’s culture.

1.4 SPHERES OF RESPONSIBILITY FOR SPECIALIST FUNCTIONS
1.4.1 Quality System Manager for Information Security (QSM)
The Quality System Manager has the defined authority and responsibility of:
a. Monitoring the Company’s ISMS.
b. Monitor and maintain records of Non-Conformance’s reported and follow-up of the
Corrective Actions.
c. Analysis of Non-conformities
d. Periodically review the effectiveness of the safety management system
The QSM is responsible to the Internal Audit Manager.
1.4.2 Auditors
Auditors are trained and well experienced in organization’s processes and have defined
responsibility for:
a. Conducting annual internal audits in the company.
b. Co-ordinating and attending external assessments of the company.
c. Assisting QSM to accomplish responsibilities.
The Auditors are responsible to the QSM and MD.
1.4.3 Insurance & Claim Manager (ICM)
The ICM is responsible to the MD. He co-ordinates and advises MD on all matters relating
to Cyber Risk Insurance.
1.5 COMPANY ORGANOGRAM

1.6 Senior Manager (IT) Monthly Report
At the end of each month, the SM shall send following report to the MR outlining:
1. Windows Update System Management.
2. Antivirus Management.
3. Backup System Management.
4. Email System Management.
5. Server Management
6. Areas of Concern and recommendations
Effectively anything that the SM thinks will help in implementing the company’s ISMS policy
in a more efficient and cost-effective manner in the future.
2.1 INTRODUCTION TO THE DOCUMENTATION SYSTEM
The Company’s Information Security Management System has been prepared in accordance
with the requirements of ISO 27001:2013 and the relevant manuals listed below are controlled
by the Company
Level Title of Manual Location
1 Information Security Management System Policy IT Department

Manual

2 Information Security Standard Operating Procedures IT Department

Manual
3 Incident Handling Plan IT Department
4 Backup Policy and Procedures Manual IT Department
5 ISMS Scope Document IT Department
6 Company Information Classification Guideline IT Department
7 Disaster Recovery Plan IT Department
8 ISO 27001 SOA IT Department
9 Risk Management Procedure IT Department
10 Removable media management Policy IT Department
11 Secure Configuration Guide IT Department
12 IT Asset Control and Disposal Policy IT Department
13 Information Security Policy Brief for New employee IT Department
The Information Security Policy Manual contains the Company policies in compliance with
the standards of ISO 27001:2013 and general good practices. The Information Security
Standard Operating Procedures Manual contains details of the procedures that the Company
operates and maintains, in order to effectively implement the company’s policies.
The Company's Policies cover the following principal areas of information security:
 Scope
 Terms and Definitions
 Context of the Organization
 Leadership
 Planning
 Support
 Operations
 Performance evaluation
 Improvement
Title of Manual and Sections Section

2.2 STANDARD OPERATING PROCEDURES
Reporting Structure
Account Management SOP Chapter 1

Backup Procedures SOP Chapter 2

Data Changes SOP Chapter 3
Email SOP Chapter 4
IT Incident Management SOP Chapter 5
Internet SOP Chapter 6
Intrusion Detection SOP Chapter 7
Information Security Privacy SOP Chapter 8
Network Access Security SOP Chapter 9
Network Configuration Security SOP Chapter 10
Passwords SOP Chapter 11
Physical Access SOP Chapter 12
Mobile Computing Devices SOP Chapter 13
Security Monitoring SOP Chapter 14
Security Awareness Training SOP Chapter 15
Software Licenses SOP Chapter 16
System Upgrades and Maintenance SOP Chapter 17
Vendor Access SOP Chapter 18
Anti-Virus SOP Chapter 19
Digital Information Storage SOP Chapter 20
The Acceptable Use Of Company Equipment, Mobile SOP Chapter 21
Devices, Printers, Copiers, Paper Documents And Bulletin
Boards
Cryptography SOP Chapter 22
Privilege Accounts SOP Chapter 23
Document Management SOP Chapter 24
Clear Desk Clear Screen SOP Chapter 25
SOP CHAPTER1: Account Management
Issuing a User Account ID for new employee

After the employment contract and secrecy agreement has been signed, the HR Department shall follow
the process as below.
- Use ITS014 User Access Request Form and get the approval from Head of Department.
- New employee shall complete the Information Security Awareness Training provided by IT
Department prior to being issued with a user ID.
- IT Department in liaison with the relevant Head of Department must ensure that access to the
Company Information and Services is be granted based on the individual’s job duties and
responsibilities.
- The form is to be kept with the HR Department with a record of “ITS004 File Index Form”
For change of role within the organization, HR Department shall follow the process as below.

- Use ITS014 User Access Request Form and get the approval from Head of Department which
employee will be transferring to.
- The IT Staff ensure that the employee will no longer have access to information assets that are
not required in the new role and department and has been given access to information assets
needed for the new role and department.
- Send copy form back to HR Department and keep in binder with record of “ITS004 File Index
Form”
When the employee retires, resigns or is terminated from Company employment, the HR Department
shall do following process.
- Shall document the form ITS014 User Access Request Form and get the approval from Head of
Department.
- The IT department shall ensure that all access rights and privileges for this employee has been
reviewed and revoked at the end of employment date unless an exemption is granted by the
Executive Director.
- Send copy form back to HR Department and keep in binder with record of “ITS004 File Index
Form”
SOP CHAPTER2: Backup Procedures

The IT administrator shall backup all system data regularly and ensure that the backup system is able
to recover all data as designed in case of events such as natural disasters, disk drive failure, data entry
errors or system operations errors.
- The IT Administrator shall process system backup as follows: Daily 5 copies, Weekly 2 copies,
Monthly 1 copy and yearly 1 copy into Tape storage.
- The IT Administrator shall backup the data with encryption provided by the Backup Application.
- The IT Administrator shall monitor the backup system and documented it in the form “ITS001
Form Backup Log” daily and periodically reviewed by IT Manager at least once in a month.
- The IT Administrator or IT Manager shall periodic test to restore the data once in a month and
document this in the form “ITS012 Form Spot Check”.
SOP CHAPER3: Data Changes

Under certain circumstances, the data might need to be changed in the Information system due to
different reasons such as user mistake in data entry. Depending on the permission given, user may be
unable to edit data and shall do the following process to request IT Department to process the changes
to the data.
- The user shall document the form ITS002 Data Change Request Form and get the approval from
Head of Department.
- The IT Administrator having administrative rights would determine the impact of the changes.
- After the change has been effected, IT Administrator shall inform user to check if the correction
has been done properly.
- Record of such changes to be maintained using the “ITS004 File Index Form”

SOP CHAPTER4: Email

Users are provided with Microsoft 365 Email system integrated with Cisco Cloud Secure Email
Gateway to enhance the email security. The IT Administrator shall do the following process.
- Ensure appropriate license is assigned to each user.
- Provide the shared mailbox permission based on need as determined by the head of each
department.
- Implement the two-factor verification method for users to access the email.
- Help user to setup Microsoft Outlook Software for receiving and sending email.
SOP CHAPTER5: IT Incident Management

Whenever any adverse event or security event as described in the “Incident Handling Manual” is
suspected or triggered,
- The procedures detailed in the Incident Handling Plan document will be followed.
- The IT Administrator shall document Form ITS025 “IT Non-Conformance Report” and send to
Head of IT Department for reviewing.
SOP CHAPTER6: Internet

The IT Department provides internet availability to company information asset through LAN Network
or Wireless Network in Company Network Information. The user must follow policies mentioned
under section 2.6 INTERNET POLICY in Information Security Management System Policy Manual.
The IT Department will filter all internet traffic through WatchGuard Firewall. The following
categories and sub-categories will be allowed and blocked.
Category Sub-category Action

Abortion Abortion Allow
Abortion Pro-Choice Allow
Abortion Pro-Life Allow
Adult Material Adult Content Deny
Adult Material Adult Material Deny
Adult Material Lingerie and Swimsuit Deny
Adult Material Nudity Deny
Adult Material Sex Deny
Adult Material Sex Education Deny
Advocacy Groups Advocacy Groups Allow
Bandwidth Bandwidth Allow
Bandwidth Educational Video Allow
Bandwidth Entertainment Video Deny
Bandwidth Internet Radio and TV Allow
Bandwidth Internet Telephony Allow
Bandwidth Peer-to-Peer File Sharing Deny
Bandwidth Personal Network Storage and Backup Allow
Bandwidth Streaming Media Allow
Bandwidth Surveillance Allow
Bandwidth Viral Video Allow

Business and Economy Business and Economy Allow
Business and Economy Financial Data and Services Allow
Business and Economy Hosted Business Applications Allow
Collaboration - Office Collaboration - Office Allow
Drugs Abused Drugs Deny
Drugs Drugs Deny
Drugs Marijuana Deny
Drugs Nutrition Deny
Drugs Prescribed Medications Deny
Education Cultural Institutions Allow
Education Education Allow
Education Educational Institutions Allow
Education Educational Materials Allow
Education Reference Materials Allow
Entertainment Entertainment Deny
Entertainment Media File Download Deny
Extended Protection Dynamic DNS Allow
Extended Protection Elevated Exposure Allow
Extended Protection Emerging Exploits Allow
Extended Protection Extended Protection Allow
Extended Protection Newly Registered Websites Allow
Extended Protection Suspicious Content Allow
Gambling Gambling Deny
Games Games Deny
Government Government Allow
Government Military Allow
Government Political Organizations Allow
Health Health Allow
Illegal or Questionable Illegal or Questionable Deny
Information Technology Computer Security Allow
Information Technology Hacking Deny
Information Technology Information Technology Allow
Information Technology Proxy Avoidance Deny
Information Technology Search Engines and Portals Allow
Information Technology Unauthorized Mobile Marketplaces Allow
Information Technology Web Analytics Allow
Information Technology Web Collaboration Allow
Information Technology Web Hosting Allow
Information Technology Web and Email Marketing Allow
Information Technology Web and Email Spam Allow
Information Technology Website Translation Allow
Internet Communication Internet Communication Allow
Internet Communication General Email Allow
Internet Communication Organizational Email Allow
Internet Communication Text and Media Messaging Allow
Internet Communication Web Chat Deny
Intolerance Intolerance Deny


Job Search Job Search Deny
Militancy and Extremist Militancy and Extremist Deny
Miscellaneous Content Delivery Networks Allow
Miscellaneous Dynamic Content Allow
Miscellaneous File Download Servers Deny
Miscellaneous Miscellaneous Allow
Miscellaneous Network Errors Allow
Miscellaneous Private IP Addresses Allow
Miscellaneous Web Images Allow
Miscellaneous Web Infrastructure Allow
News and Media Alternative Journals Allow
News and Media News and Media Allow
Parked Domain Parked Domain Allow
Productivity Advertisements Allow
Productivity Application and Software Download Deny
Productivity Instant Messaging Deny
Productivity Message Boards and Forums Allow
Productivity Productivity Allow
Productivity Online Brokerage and Trading Allow
Productivity Pay-to-Surf Allow
Religion Non-Traditional Religions Allow
Religion Religion Allow
Religion Traditional Religions Allow
Security Advanced Malware Command and Control Allow
Security Bot Networks Allow
Security Compromised Websites Allow
Security Keyloggers Allow
Security Malicious Embedded Link Deny
Security Malicious Embedded iFrame Deny
Security Malicious Web Sites Deny
Security Mobile Malware Deny
Security Phishing and Other Frauds Deny
Security Potentially Unwanted Software Allow
Security Security Allow
Security Spyware Deny
Security Suspicious Embedded Link Deny
Shopping Internet Auctions Allow
Shopping Real Estate Allow
Shopping Shopping Allow
Social Organizations Professional and Worker Organizations Allow
Social Organizations Service and Philanthropic Organizations Allow
Social Organizations Social Organizations Allow
Social Organizations Social and Affiliation Organizations Allow
Social Web - Facebook Social Web - Facebook Allow
Social Web - LinkedIn Social Web - LinkedIn Allow
Social Web - Twitter Social Web - Twitter Allow
Social Web - YouTube Social Web - YouTube Allow


Society and Lifestyles Alcohol and Tobacco Deny
Society and Lifestyles Blogs and Personal Sites Allow
Society and Lifestyles Gay or Lesbian or Bisexual Interest Allow
Society and Lifestyles Hobbies Deny
Society and Lifestyles Personals and Dating Deny
Society and Lifestyles Restaurants and Dining Allow
Society and Lifestyles Social Networking Allow
Society and Lifestyles Society and Lifestyles Allow
Special Events Special Events Allow
Sports Sport Hunting and Gun Clubs Allow
Sports Sports Allow
Tasteless Tasteless Deny
Travel Travel Allow
Vehicles Vehicles Allow
Violence Violence Deny
Weapons Weapons Deny
SOP CHAPTER7: Intrusion Detection

The Intrusion Detection will be done through the WatchGuard Firewall and Host Sensor application.
It will detect and analyze both inbound and outbound network traffic for abnormal activities. Upon
detecting violation, an Intrusion Detection will automate threat remediation by either kill the process,
quarantine file or delete the registry value.
- The IT Administrator will ensure signatures on Watchguard Firewall is updated automatically
on a weekly basis.

- The IT Administrator must check the audit logs for servers or firewall which are hosted on On-
premises Network and included it in ITS007 Monthly IT Report.
SOP CHAPTER8: Information Security Privacy

To manage systems and ensure security compliances are in place, the Company Network Services
will log, review, and utilize any information stored on, or passing through Company Network Services
to provide safeguard Information.
- The Watchguard Firewall will capture user activity such as URL, IP Address etc.
- The Company Network Services will collect the log to analyse or detect for abnormal incidents.
- No IT staff will keep any user password.
- No IT staff will ever disclose the privacy and security information to any other party.
- No user will not attempt to access any company information for which they do not have
authorization or explicit consent
SOP CHAPTER9: Network Access Security

The IT Department must ensure that user will not extend or re-transmit network services in any way.
This means users will not allow install router, switch, hub etc to Company’s Network without Head
of IT approval.
- The IT Department ensure that network segregation must be implemented on each floor of
Company such as VLAN using on Wired Network and Wireless Network.
- The IT Department ensure that Network Interface on each point must be secured.
SOP CHAPTER10: Network Configuration

The Network configuration will include the company network diagram, network configuration on
firewall, router, and switches of company.
The IT Department shall do the following process.
- Document the form ITS013 Form System Upgrade & Maintenance Log when any made changes
into Company Network.
- Update and review the “Network Documentation” file located in “IT Policies” folder once a
year.
- Always save the configuration when there are some changes into following location.
Equipments/Devices/IP Configuration Location

Firewall IT Shared\WG Config
Router IT Shared\Router Config
Switches IT Shared\Switch Config
IP IT Shared\docs\IP Renovation
SOP CHAPTER11: Passwords

The IT Department will ensure that password policy shall be complied with as follows for user login
Policy Settings

Maximum password age 90 days

Minimum password length 8 characters
Password must meet complexity requirements Yes
Password history 4 passwords remembered
Account Lockout threshold 5 attempts
- No IT staff will keep any user password.

- No IT staff will ever disclose the privacy and security information to any other party.
- No IT staff will circumvent password entry with auto login except for automated backup.
- IT Administrator will enforce the screen time lockout enabling on Group Policy.
- All IT Staff who are authorized to reset the user password after verifying with user will ensure
the option “Force user to change password” is selected.
SOP CHAPTER12: Physical Access

The Physical Access of Company Data Center facilities will be restricted only to following.
o All IT Staff in IT Department
o Managing Directors
- Any entry to the Data Center by anybody other than the above authorized persons must be
documented using the “ITS017 Form Visitor Log” giving the appropriate reason for the entry.
- IT Technical Support shall monitor the CCTV daily basis and document in ITS011 Form Review
Log Sheet in IT Filled Form\ITS011 Form Review Log Sheet\CCTV
The IT Manager shall be responsible to review the access records and “ITS017 Form Visitor Log
Sheet” quarterly and document “ITS011 Form Review Log Sheet”
SOP CHAPTER13: Mobile Computing Devices

For all mobile computing devices, whether owned by company or owned by staff, that have access to
the company systems and applications including cloud storage (OneDrive, Sharepoint, Exchange) used
by staff, the IT department shall ensure the following procedures
- Ensure that remote users must connect to Company Information resources through Protocols
approved by the ITS019 Standard Protocol for remote users.

- Ensure that mobile computing devices have proper locked screen by method “PIN”,
“Biometrics” or “Password”.
- Ensure user request mobile phone owned by Company through “ITS018 Form Mobile Phone
Requisition”
SOP CHAPTER14: Security Monitoring

The Security Monitoring will be done through the WatchGuard Firewall and Host Sensor application.
It will detect and analyze both inbound and outbound network traffic for abnormal activities. Upon
detecting violation, an Intrusion Detection will automate threat remediation by either kill the process,
quarantine file or delete the registry value.
- The IT Administrator will ensure signatures on Watchguard Firewall is updated automatically
on a weekly basis.
- The IT Administrator must check the audit logs for servers or firewall which are hosted on On-
premises Network and document it in ITS009 Form Report all Log Monthly.
- The IT Administrator will regularly check information from provider list2.
SOP CHAPTER15: Security Awareness Training

- The IT Department shall provide updated Security Awareness Training to all users at least once
a year.
- The IT Department provides and encourages Cyber Security E-Learning system to all users.
Hence, users able to re-run the class on demand.
- All IT Staff shall train and educate for Cyber Security regularly.
- The IT Department ensure new employee must be completed the Information Security
Awareness Training on joining date.
- IT Department will develop and maintain a communications process to be able to communicate
new computer security program information, information security bulletin and articles of
interest.
SOP CHAPTER16: Software Licenses

- The IT Department will provide the list of standard software as per “Software Standard” in IT
Polices folder.
- When user need specific software, which is not listed above, user shall document ITS005 Form
HW&SW Approval and get approval from Head of Department and send back to IT.
- IT Staff purchase the software (if cost involved), shall get approval from Head of IT Department
by email. IT Staff shall issue PO with cc to Head of IT Department every time. Document in
sheet “Additional Request” in Software Standard.
- IT Staff install the software as needed and keep update in Standard software.
SOP CHAPTER17: System Upgrades and Maintenance

- The IT Staff identify the issue if the problem needs to be changed on the Company Network
Server/Application.
- The IT Staff inform System/Application Owner if the issue can be resolved.

- The System/Application Owner would need to submit the form “ITS013 System Upgrade &
Maintenance Log” and put required information into form.
- The System/Application owner make the system/application as per required.
- The Head of Department must provide approval for changing related to department.
- The IT Staff inform user who raised the issue.
- The IT/user tests the functionality and sign into form “ITS013 System Upgrade & Maintenance
Log”
- IT keep records in file.
SOP CHAPTER18: Vendor Access

- When vendor access to Company Datacenter, IT Staff shall ensure that vendor need to document
in “ITS017 Form Visitor Log Sheet”
- When vendor need to access Company Server which contains information, IT Staff shall
document “ITS016 Form Vendor Access”.
- IT Staff ensure that all remote access connections will be cleared after vendor resolve the issue.
SOP CHAPTER19: ANTI-VIRUS POLICY

- The IT Administrator shall ensure that the Antivirus/Antimalware must install on the server and
Client.
- The IT Administrator shall ensure that Signature of Antivirus/Antimalware always update to
latest pattern.
- The IT Administrator shall ensure that Antivirus/Antimalware must periodically scanning entire
PC every Friday at noon.
SOP CHAPTER20: Digital Information Storage Policy

- The IT Department will set up OneDrive for each user.
- The IT Department will setup SharePoint for each user based on their responsibilities and job
duties.
- Each Department will use their own SharePoint sites to keep documents as follows.
Department SharePoint Sites

IT /sites/IS
Commercial /sites/commercial
ISM /sites/ismteam
Finance /sites/pslfinance
Legal /sites/legal

Accounts /sites/pslacc
HR HR OneDrive
Internal Audit /sites/PSLIA
Technical Management /sites/gcship
RMT /sites/rmtteam
Fleet Personnel /sites/fleet
Procurement /sites/gcship
Training /sites/psltraining
Projects /sites/gcship
SOP CHAPTER21: The Acceptable Use Of Company Equipment, Mobile Devices, Printers,
Copiers, Paper Documents And Bulletin Boards
The Acceptable Use Policy is available at https://preciousshipping.sharepoint.com/sites/pslintranet
SOP CHAPTER22: Cryptography

- The IT Administrator must use the protocol and algorithm to encrypt which is standard and
widely used.
- The IT Administrator shall use the Digital Certificate for web services facing public internet
which provide by Certification Authority.
- The IT Administrator shall ensure that user password stored in Active Directory unable to
retrieve in plain text.
SOP CHAPTER23: Privilege Accounts

- The IT Administrator shall rename or disable default privileged accounts if technical is feasible.
- The IT Administrator shall use individual accounts with unique credentials.
- Head of IT Department will do annual review of all privileged access and documented, if it is
required.
SOP CHAPTER24: Document Management

Documents are routinely published or generated by various departments to carry out the organization’s
business in an effective way. All such documents will be published following the guidelines in the
Document Management Policy of the company. These procedures apply to various documents as
follows
- Employment agreement
- Non-disclosure agreement
- Financial documents
- Legal documents
- Business plans
- Compliance and regulatory documents

- Fleet Memo
- Technical circulars
- Minutes of Meetings
- Contractor agreements
- Insurance documents
- Company policy documents
- ISM documents
- Etc.
 Preparation and Issue of a new document

Flow Charts for Document Control Procedure
Preparation and Issue of new quality management system documentation
Prepare
draft
document
Originator using
approved
No
template
Review Sign and

Process draft
Yes
date the
Approved?
Owner document review
No No
Review
Sign and
Management draft
Yes
Register Distribute
Forward document date the Approved Approved
Representative to MR and approval Document Document
(HOD) approve of new in archive
document
Senior
Management Approved
Yes
?**
Implement
User
** This step may be omitted for departmental documents not affecting entire organization

 Document Registration and Distribution
 Document Change Control

Document Control Change Request and Approval Flow Chart
Prepare Sign &
DCR and date,
provide Return to
Change details of originator
request proposed with details
changes of rejection
No
Sign &
Process Review Approved Yes date
DCR ? request
Owner as No
approved
Sign &
Review Date
Head of Forward Change
Yes
request
Department to HOD Request as
approved
Notify users
Quality Amended of
and Register availability
Systems Document
Identify
of updated
Users
Department in archive
document
on database
Implement
User

SOP CHAPTER25: Clear Desk Clear Screen

- The IT Administrator shall setup lock screen automatically in AD Group Policy.
2.2.1 Technical Reference Library

- The ITS000 Master Registry of Documents will keep the documents, forms and checklists
that our IT Staff will need for reference.
- The IS Sharepoint folders
2.2.2 COMPANY FORMS SOP
A copy of all standard forms and checklists to be used for complying with necessary
documentation of ISMS are found in ITS000 Master Registry of Documents
2.3 NON-CONFORMANCES AND CORRECTIVE ACTIONS
2.3.1 NON-CONFORMITIES
Non-conformity is an observed situation where objective evidence indicates the non-

fulfillment of a specified requirement of the Company’s Information Security Management
System.
2.3.1.1 Non-conformance’s / Loss Control
Information security is integral to Precious Shipping Public Company Limited’s operation.

We strive to assure integrity of all information we collect, produce, manage, disseminate
or store
through the systematic removal of unsafe practices and conditions. The company
subscribes to a philosophy of loss control, which emphasizes the value of avoiding losses
due to substandard acts or conditions, i.e., non-conformances.
Procedures have been established for controlling, reporting, recording and

investigation/analyses of non-conformance in order to take effective corrective action as
necessary. It is the responsibility of all employees to report non-conformance’s that they
find in or outside their work area, and (insofar as is possible) to eliminate the non-
conformance through planned corrective action.
The Head of IT Department shall be responsible for handling all non-conformance reports.
Depending on the severity, he will decide and communicate with the management to
resolve any non-conformance’s reported. In addition he shall carry out an investigation as
detailed in the Incident Handling Plan. In carrying out the investigation, the loss severity
potential and probability of recurrence of the accident/incident shall be clearly specified.
The report shall indicate an outline of the event, the probable cause and the immediate
corrective action that has been taken to rectify the non-conformance.
Major and Serious non-conformances are subject to full and formal management review,
complete investigation with implementing corrective action procedures, including
identification of root cause, analysis of costs and analysis of the safety aspects of the
incident.
Minor non-conformances are subject to simplified corrective action and root-cause

analysis: nevertheless, the security aspects must always be carefully evaluated, and action
taken as necessary.
In those cases where serious non-conformance results in a statutory requirement to report

an incident to a government or regulatory body, such notification shall be made using their
stipulated forms if required by the law1. The MD shall however be consulted prior making
such notification and the incident/accident to external parties.
2.3.1.2 Major Non-conformity
Major non-conformity" means an identifiable deviation that poses a serious threat to the
integrity of an information asset that requires immediate corrective action caused by the
lack of effective and systematic implementation of a requirement of this Code.
1
Appendix A
2.3.2 APPLICATIONS OF NON-CONFORMITY
Non -conformities shall apply to incidents such as:

a. Unauthorized configuration in Watchguard Firewall.
b. Unauthorized physical access into Datacenter room.
c. Resigned/Terminated employee still able to access the system without approval from
Executive Director.
d. File Server infected with Malware.
2.3.3 INVESTIGATION / ANALYSIS OF NC’S
Investigation and analysis of the root cause and corrective action plan to be implemented as
per guidelines given in the Incident Handling Plan booklet.
2.4 AUDITS
2.4.1 Internal Audit

Internal audits will be conducted by the Company appointed Auditors at least once every 12
months. Due dates are assumed from the date of last internal audit. In exceptional
circumstances, this interval may be exceeded by not more than three months.
Observations noted at the time of such audits are conditions which in the opinion of the
auditors, if left unattended may lead to Non-Conformances. They are to be dealt suitably
by the IT Senior Manager.
NCRs raised during such audits are reported by the auditors. the Managing Director of the
company. All documentation shall be separately maintained in the Internal Audit report
file. Unless otherwise mentioned the time period agreed for closing out Internal Audit
NCRs is 60 days.
2.4.2 External Audit
External assessments or audits are conducted by accredited external party. This is done initially
as a compliance audit for obtaining interim ISO 27001 certificate. Validity of the certificate is
3 years. An intermediate assessment is carried out by the external assessor at 0.5  years
before the expiry date of the certificate. Non - conformances raised by the assessor during
these audits shall be dealt with in a similar manner as other NCRs. The Head of IT shall
forward the corrective action plan (CAP) to the assessor within 4 weeks after receiving the
NCR. External assessors may verify the results by a follow up audit if necessary.
APPENDIX 1 : CYBERSECURITY LAWS
Primary regulations that apply to cybersecurity in Thailand include:
1. the Criminal Code;

2. the Computer Crime Act of 2017 (“CCA”);
3. the Cybersecurity Act of 2019 (“CSA”);
4. the Personal Data Protection Act (“PDPA”) of 2019;
5. the Financial Institutions Businesses Act of 2008 (“FIBA”);
6. the Telecommunications Business Act of 2001 (“TBA”);
7. the Copyright Act of 2022
APPENDIX 2 : CONTACT LIST

Government Agency
Name Website
Ministry of Digital Economy and Society https://mdes.go.th/
National Cyber Security Agency - NCSA https://www.ncsa.or.th/

CYBER CRIME INVESTIGATION https://www.ccib.go.th/

BUREAU
POLICE CYBER TASKFORCE http://opc.police.go.th/OPC_Police/hotline-1599-
police-cyber-taskforce/
National Statistical Office https://www.1212occ.com/home
Electronic Transactions Development Agency https://www.etda.or.th/th/
Marine Department https://md.go.th/
PDPC Thailand https://www.mdes.go.th/mission/82
https://www.facebook.com/pdpc.th
Special Interest Group

Watchguard https://www.watchguard.com/
Trend Micro Antivirus https://www.trendmicro.com/en_th/business.html
Microsoft https://www.microsoft.com
Oracle https://www.oracle.com
CIS Benchmarks https://www.cisecurity.org/cis-benchmarks/
CVE Details https://www.cvedetails.com/
Aruba https://www.arubanetworks.com/
Bleeping Computer https://www.bleepingcomputer.com/
Mitre Attack https://attack.mitre.org/
OSINT Framework https://osintframework.com/
Open Web Application Security Project https://owasp.org/
Test SSL https://www.ssllabs.com/ssltest/

Information Security Standard Operating Procedures

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Information Security Standard Operating Procedures

Uploaded by

Copyright:

Available Formats

INFORMATION SECURITY

This document is not to be reproduced in whole or in part without the prior

IS-SOP published June 2022 Internal Use Only

SECTION NO. SECTION TITLE

READER’S ACKNOWLEDGEMENT & AMENDMENT RECORD

POLICY STATEMENT FROM MANAGEMENT

SECTION 1 THE ORGANISATION

SECTION 2 INFORMATION SECURITY MANAGEMENT SYSTEM

IS-SOP published June 2022 Internal Use Only

Date Name Designation Signature

IS-SOP published June 2022 Internal Use Only

Date Name Designation Signature

IS-SOP published June 2022 Internal Use Only