Information Security Policy

Our comprehensive approach to protecting your data and ensuring the highest standards of information security across all our services and operations.

Last Updated: January 8, 2026
ISO 27001:2022 Certified
ISO 27701:2019 Certified

Introduction

ServerToday (Thailand) Co., Ltd. is committed to maintaining the highest standards of information security to protect our clients' data, systems, and infrastructure. This Information Security Policy outlines our comprehensive approach to safeguarding information assets and ensuring business continuity.

Our security framework is built on internationally recognized standards including ISO/IEC 27001:2022 and ISO/IEC 27701:2019, ensuring that we meet and exceed industry best practices for information security management and privacy information management.

Security Certifications

We are certified to ISO/IEC 27001:2022 for Information Security Management and ISO/IEC 27701:2019 for Privacy Information Management, demonstrating our commitment to protecting your data.

1. Security Overview

Our Security Commitment

ServerToday employs a defense-in-depth security strategy that protects information assets through multiple layers of security controls. Our approach encompasses physical, technical, and administrative safeguards designed to prevent unauthorized access, use, disclosure, disruption, modification, or destruction of information.

Security Principles

  • Confidentiality: Ensuring information is accessible only to authorized individuals
  • Integrity: Maintaining accuracy and completeness of data
  • Availability: Ensuring authorized users have reliable access to information
  • Accountability: Tracking and monitoring all security-relevant activities

2. Security Governance

Information Security Management System (ISMS)

Our ISMS is based on ISO/IEC 27001:2022 standards and provides the framework for managing information security risks systematically. The ISMS includes documented policies, procedures, and controls that are regularly reviewed and updated.

Roles and Responsibilities

  • Chief Information Security Officer (CISO)

    Oversees all information security activities and reports directly to executive management

  • Security Operations Team

    Monitors, detects, and responds to security incidents 24/7

  • Data Protection Officer (DPO)

    Ensures compliance with privacy regulations and manages data protection activities

  • All Employees

    Required to follow security policies and report security concerns immediately

Security Training & Awareness

All employees receive mandatory security awareness training upon hiring and annually thereafter. Training covers topics including password security, phishing awareness, social engineering, data handling, and incident reporting.

3. Access Control

Authentication & Authorization

  • Multi-Factor Authentication (MFA): Required for all administrative and remote access
  • Role-Based Access Control (RBAC): Access granted based on job responsibilities and the principle of least privilege
  • Strong Password Policy: Minimum 12 characters with complexity requirements
  • Regular Access Reviews: Quarterly reviews of user access rights and permissions

Privileged Account Management

Privileged accounts with elevated system access are strictly controlled, monitored, and audited. All privileged access sessions are logged and reviewed regularly. Privileged credentials are stored in secure vaults with automated rotation.

4. Data Protection

Encryption Standards

  • Data at Rest: AES-256 encryption for all stored data
  • Data in Transit: TLS 1.3 encryption for all network communications
  • Email Encryption: S/MIME and PGP support for sensitive communications
  • Backup Encryption: All backups are encrypted before storage

Data Classification

Highly Confidential

Data requiring maximum protection (e.g., financial records, authentication credentials)

Confidential

Sensitive business information (e.g., customer data, contracts)

Internal

Internal use only (e.g., policies, procedures)

Public

Information approved for public disclosure

Data Retention & Disposal

Data is retained according to legal requirements and business needs. When data reaches end-of-life, it is securely destroyed using industry-standard methods including secure erasure for digital media and physical destruction for hardware.

5. Network Security

Network Architecture

  • Network Segmentation: Isolated zones for production, development, and management
  • Firewalls: Next-generation firewalls with intrusion prevention systems (IPS)
  • DDoS Protection: Advanced DDoS mitigation for all internet-facing services
  • VPN Access: Secure VPN required for all remote access

Security Monitoring

Our Security Operations Center (SOC) provides 24/7/365 monitoring of all systems and networks. We employ Security Information and Event Management (SIEM) systems to detect and respond to security threats in real-time.

Vulnerability Management

Regular vulnerability assessments and penetration testing are conducted by internal teams and third-party security firms. Critical vulnerabilities are patched within 24 hours, high-severity within 7 days, and medium-severity within 30 days.

6. Incident Management

Incident Response Process

Our incident response team follows a structured process aligned with ISO/IEC 27035 standards:

  1. Detection: Automated monitoring and user reporting
  2. Analysis: Assess severity and impact
  3. Containment: Isolate affected systems
  4. Eradication: Remove threat and vulnerabilities
  5. Recovery: Restore normal operations
  6. Post-Incident: Document lessons learned and improve controls

Reporting Security Incidents

If you discover a security vulnerability or incident:

  • Email: support@servertoday.com
  • Phone: +66 (0) 2-026-3112 (24/7 Security Hotline)
  • Do not share details publicly until we've had time to investigate

Business Continuity & Disaster Recovery

We maintain comprehensive business continuity and disaster recovery plans that are tested annually. Our infrastructure is designed with redundancy to ensure service availability even during adverse events.

  • RPO (Recovery Point Objective): Less than 1 hour for critical systems
  • RTO (Recovery Time Objective): Less than 4 hours for critical systems
  • Backup Schedule: Daily incremental, weekly full backups with off-site storage

7. Compliance & Audits

Regulatory Compliance

ServerToday complies with applicable laws and regulations including:

  • Thailand's Personal Data Protection Act (PDPA) B.E. 2562 (2019)
  • European Union's General Data Protection Regulation (GDPR)
  • ISO/IEC 27001:2022 - Information Security Management
  • ISO/IEC 27701:2019 - Privacy Information Management

Regular Audits & Assessments

  • Annual ISO Audits: External audits by accredited certification bodies
  • Quarterly Internal Audits: Regular reviews of security controls and procedures
  • Penetration Testing: Annual third-party security assessments
  • Vulnerability Scans: Weekly automated security scans

Third-Party Security

All third-party vendors and partners are required to meet our security standards. We conduct security assessments before onboarding and regular reviews throughout the relationship. Vendors handling sensitive data must provide evidence of appropriate security controls.

8. Contact Security Team

For security-related inquiries, incident reports, or vulnerability disclosures, please contact our security team:

Security Team

support@servertoday.com

For security incidents and vulnerability reports

Emergency Hotline

+66 (0) 2-026-3112

24/7 security incident response

Office Address

111/128 Moo 2, Ratchaphruek Rd.
Bangraknoi, Mueang District
Nonthaburi 11000, Thailand

Response Time Commitment

  • Critical Security Incidents: Immediate response (within 1 hour)
  • High Priority: Response within 4 hours
  • General Security Inquiries: Response within 2 business days

Report Security Vulnerabilities

If you discover a security vulnerability, please report it immediately to support@servertoday.com. We take all security reports seriously and will respond promptly.