On May 1, 2024, Thailand’s National Cyber Security Committee (NCSC) published the draft NCSC Notification Re: Cloud Cybersecurity Standards for a public hearing period, which was open until May 14, 2024. These standards have been drafted to drive the country’s cloud-first policy with the aim of minimizing risks from cyber threats to cloud services utilized by government agencies, supervising or regulating organizations, and critical information infrastructure (CII) organizations.
The key points of the draft Cloud Cybersecurity Standards are below.
Scope
- The standards apply to government agencies, supervising or regulating organizations, and CII organizations under the Cybersecurity Act B.E. 2562 (2019), as well as cloud service providers (defined below).
- The standards prescribe cloud system cybersecurity measures for cloud service customers (defined below) and providers only to the extent that the service is provided to the in-scope organizations outlined above.
Definitions
- Cloud service customers (CSCs): In-scope organizations that have a formal contractual agreement to use cloud services provided by a cloud service provider.
- Cloud service providers (CSPs): Persons who enable cloud services to be used by a cloud service customer, responsible for maintaining infrastructure, platforms, and software that enable provision of the cloud services and for managing these resources to ensure their accessibility, security, and scalability for their cloud service customers.
Application
- In-scope organizations that will use or have been using cloud services must comply with the Cloud Cybersecurity Standards by taking into account their data or technology information systems’ level of impact, as specified in the previously issued Notification of the NCSC Re: Standards for Defining the Security Category for Data and Information Systems B.E. 2566 (2023).
- The impact level related to personal data is to be rated as being at least at the medium level, and the minimum standards for that level specified in the draft Cloud Cybersecurity Standards must be adopted.
- In-scope organizations must report their implementation of the Cloud Cybersecurity Standards to the National Cyber Security Agency (NCSA) within 30 days of completing the implementation.
- The draft Cloud Cybersecurity Standards will come into force one year from their publication in the Government Gazette.
Structure
The requirements in the Cloud Cybersecurity Standards are divided into two areas, (1) cloud security governance and (2) cloud infrastructure and operations:
Requirement Area 1: Cloud Security Governance
- Information security policies
- Organization of information security
- External supplier relationships
- Compliance
Requirement Area 2: Cloud Infrastructure Security and Operations
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operational security
- Communication security
- System acquisition, development, and maintenance
- External supplier relationships
- Information security incident management
Impact Levels and Requirements
The stipulations of the Cloud Cybersecurity Standards vary depending on the data or information systems’ level of impact. The requirements for each level are summarized in the table below.
For more information on the draft Cloud Cybersecurity Standards, or on any aspect of cybersecurity and cloud-related laws in Thailand, please contact Athistha (Nop) Chitranukroh at nop.c@tilleke.com and Thammapas Chanpanich at thammapas.c@tilleke.com.