Complying with the Guidelines for the Provision of IT Systems by SEC

How Thales Helps with SEC – Guidelines for the Provision of Information Technology Systems in Thailand

The Guidelines for the Provision of Information Technology Systems (แนวปฏิบัติในการจัดให้มีระบบเทคโนโลยีสารสนเทศ นป. 6/2567) issued by the Securities and Exchange Commission of Thailand (SEC) are designed to ensure that financial institutions, securities companies, and other regulated entities maintain secure, reliable, and efficient IT systems. The guidelines are part of Thailand's broader regulatory framework aimed at strengthening cybersecurity, data protection, and operational resilience in the capital markets.


What are the Guidelines for the Provision of IT Systems by SEC of Thailand?

    • The Securities and Exchange Commission of Thailand (SEC) oversees securities and capital market operations, including IT governance for financial service providers.
    • The guidelines align with Thailand's Cybersecurity Act B.E. 2562 (2019) and the Personal Data Protection Act (PDPA).
    • They aim to mitigate risks related to IT system failures, cyber threats, and data breaches.
    • They aim to ensure the confidentiality, integrity, and availability (the CIA triad) of financial data.
    • They promote business continuity and disaster recovery preparedness.
    • They apply to securities firms, asset managers, crowdfunding platforms, and other SEC-regulated entities.
    • They cover IT infrastructure, software, networks, cloud services, and third-party outsourcing.

    Ensuring Compliance with Guidelines for the Provision of IT Systems by SEC

    Explore solutions for compliance with the Information Technology Risk Management Guidelines in the financial sector, covering information technology security and more.


    How Thales Helps with the IT Risk Management Guidelines by the Bank of Thailand (BOT)

    Thales' cybersecurity solutions help financial institutions address the six requirements in Chapter 2 – Information Technology Security by simplifying compliance and automating security with visibility and control, reducing the burden on security and compliance teams.

    SEC Compliance

      Application Security

      Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market-leading product suite includes a Web Application Firewall (WAF), protection against Distributed Denial of Service (DDoS) and malicious bot attacks, API security, a secure Content Delivery Network (CDN), and Runtime Application Self-Protection (RASP).

      Data Security

      Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption, tokenization, and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment, identify anomalous behavior, and monitor activity to verify compliance, allowing organizations to prioritize where to spend their efforts.

      Identity & Access Management

      Provide seamless, secure, and trusted access to applications and digital services for customers, employees, and partners. Our solutions limit the access of internal and external users based on their roles and context, using granular access policies and Multi-Factor Authentication to help ensure that the right user is granted access to the right resource at the right time.

      Address the BOT – IT Risk Management Guidelines

        How Thales helps:

        • Manage system and data access rights (access control) by supporting role-based access control (RBAC) and attribute-based, conditional access control (ABAC).
        • Offer Delegated User Management to grant or revoke rights quickly, with an audit trail of every change.
        • Manage the user authentication process by supporting multi-factor authentication (MFA).
        • Provide single sign-on (SSO) and present login activity as a report to satisfy security requirements.
        • Control and manage privileged user accounts by enforcing multi-factor authentication (MFA) for access to critical systems.
        • Design authorization and approval procedures (User Journey Orchestration) for privileged user accounts, and store and present privileged user activity as a report for detailed auditing.
        • Manage and control external access (third-party access management) by supporting authentication via social media accounts or the user's own organization's accounts (bring your own identity, BYOI).
        • Assess risk before login and check access risk in real time (Risk-Based Authentication), and present third-party access as an audit report to enable continuous monitoring, auditing, and supervision.

        How Thales helps:

        • Identify structured and unstructured sensitive data at risk across hybrid IT.
        • Classify data and assign specific sensitivity levels to it when defining your data stores and classification profiles for different types of data sets.
        • Discover and classify the potential risk of all public, private, and shadow APIs.

        Solutions:

        Application Security

        API Security

        Data Security

        Data Discovery & Classification

        How Thales helps:

        • Detect and prevent cyber threats with a web application firewall, keeping operations running without interruption.
        • Safeguard critical network assets from DDoS attacks and bad bots while continuing to allow legitimate traffic.
        • Provide uptime with fast, effective DDoS mitigation and a 3-second SLA for Layer 3 and Layer 4 attacks.
        • Protect against business logic attacks and many more of the OWASP API Top Ten threats.
        • Provide continuous protection of all APIs, using deep discovery and classification to detect all public, private, and shadow APIs.
        • Identify the current state of compliance and document gaps.
        • Encrypt data at rest on-premises, across clouds, and in big data or container environments.
        • Pseudonymize sensitive data as soon as it is created, so that cleartext data is never processed or stored by unauthorized applications or personnel and real data is not exposed.
        • Protect the root of trust of a cryptographic system within a FIPS 140-3 Level 3 validated environment.
        • Protect data in motion with high-speed encryption.

        How Thales helps:

        • Manage system and data access rights (access control) by supporting role-based access control (RBAC) and attribute-based, conditional access control (ABAC).
        • Offer decentralized user rights management (Delegated User Management), granting or revoking rights quickly and producing an audit log for every access change.
        • Provide user authentication processes that support multi-factor authentication, risk assessment before login (Risk-Based Authentication), and single sign-on (SSO), with an audit trail report of login activity.
        • Control and manage privileged user accounts by enforcing multi-factor authentication for access to critical systems.
        • Design authorization and approval processes (User Journey Orchestration) for privileged user accounts, with a detailed audit report.
        • Store and audit IT access logs, and stream logs to external SIEM systems for correlation, risk analysis, and retrospective auditing as required.
        • Use MFA-equivalent authentication processes, such as device binding or biometric authentication.
        • Perform a risk assessment before approving exceptions, and store evidence of exceptions in the form of exception approval reports to comply with policy.

        How Thales helps:

        • Protect cryptographic keys in FIPS-validated, tamper-evident hardware.
        • Wrap keys with a one-time-use AES-256 key and send them over a mutually authenticated TLS connection.
        • Adopt transparent, continuous encryption that protects against unauthorized access by users and processes in physical, virtual, and cloud environments.
        • Employ strong, standards-based encryption protocols, such as the Advanced Encryption Standard (AES) for data encryption and elliptic curve cryptography (ECC) for key exchange.

        How Thales helps:

        • Support cryptographic algorithms such as the Advanced Encryption Standard (AES) with 256-bit keys and RSA with 3072-bit keys, with a design that allows a post-quantum upgrade to maintain crypto-agility.
        • Manage encryption keys, provide granular access control, and configure security policies.
        • Centralize key lifecycle management, including generation, rotation, destruction, import, and export.
        • Ensure secure deletion by removing keys from CipherTrust Manager, digitally shredding all instances of the data.
        • Protect cryptographic keys in a FIPS 140-3 Level 3 environment.
        • Back up and duplicate sensitive cryptographic keys securely to a FIPS 140-3 Level 3 certified backup HSM.
        • Manage and protect all secrets and sensitive credentials.

        How Thales helps:

        • Enforce separation of duty between your data and external parties, including your cloud service provider (CSP), by securely storing encryption keys outside the corresponding cloud.
        • Automate key lifecycle management across clouds and hybrid environments with defined processes and tools.
        • Enable relationship management with suppliers, partners, or any third-party user, with clear delegation of access rights.
        • Minimize privileges by using relationship-based, fine-grained authorization.

        Solutions:

        Data Security

        Cloud Key Management

        Identity & Access Management

        Delegated User Management

        Third-party Access Control

        How Thales helps:

        • Detect and prevent cyber threats with a web application firewall, keeping operations running without interruption.
        • Safeguard ICT network performance and integrity from DDoS attacks and bad bots while continuing to allow legitimate traffic.

        Solutions:

        Data Security

        Key Management

        How Thales helps:

        • Control and manage access to IT systems from external networks (teleworking) by supporting Multi-Factor Authentication (MFA) and Risk-Based Authentication.
        • Set policies that require administrators to approve connections from external networks, and present the results as remote access activity reports.
        • Manage access policies for mobile devices, such as checking security patch installation and device settings, and enforcing antivirus and anti-malware policies.
        • Check devices before granting access to IT systems where employees are allowed to use BYOD, for example by blocking connections from rooted or jailbroken devices and requiring up-to-date anti-malware to prevent threats from personal devices.

        How Thales helps:

        • Record audit logs and usage data and send them to a SIEM system.

        How Thales helps:

        • Manage authentication and access control by supporting Multi-Factor Authentication and Single Sign-On (SSO) and presenting access log reports.
        • Record access to the database system and detect login attempts against it.
        • Manage authentication and access control by supporting Multi-Factor Authentication and storing access logs with report display.
        • Capture changes to the database structure (database schema log) and to data in important tables, which can be displayed as an access log table and as a report.
        • Produce audit trails and reports of all access events across all systems, and stream logs to external SIEM systems.
        • Control and audit access to electronic communication channels by supporting access rights management (Externalized Authorization) and audit trail reports.

        How Thales helps:

        • Control and audit access to personal data (Personal Data Access Control) by supporting contextualized access policies (Adaptive Access Control) matched to the user's risk level.
        • Deploy Multi-Factor Authentication (MFA) for users accessing sensitive personal data or connecting from new devices or locations.
        • Set preventive access policies that block access to sensitive data outside business hours or from untrusted networks.
        • Detect abnormal access attempts and alert administrators so that they can respond quickly.
        • Support the creation of audit trail reports of all accesses for auditing and investigation in the event of an incident.

        Solutions:

        Identity & Access Management

        Adaptive Access Control

        How Thales helps:

        • Grant access to system logs only to those authorized by role and organizational policy (Role-Based Access Control).
        • Control log access assignments in detail for auditing.
        • Enforce Multi-Factor Authentication (MFA) for administrators who need to access logs.
        • Enforce strict audit log access rights using Adaptive Access Control to prevent unauthorized access, and create audit trail records for retrospective auditing.

        How Thales helps:

        • Detect system threats with Web Application Firewall, API Security, and Database Security, and stream logs to a SIEM system.
        • Monitor API activity, track usage, detect anomalies, and identify potential unauthorized access attempts.
        • Safeguard critical network assets from DDoS attacks and bad bots while continuing to allow legitimate traffic.
        • Apply contextual security measures based on risk scoring.

        How Thales helps:

        • Alert on or block database attacks and abnormal access requests in real time.
        • Monitor file activity over time and set up alerts on activity that can put financial institutions at risk.
        • Continuously monitor processes for abnormal I/O activity and alert on or block malicious activity.
        • Monitor active processes to detect ransomware, identifying activities such as excessive data access, exfiltration, unauthorized encryption, or malicious impersonation of a user, and alert on or block such activity when it is detected.

        How Thales helps:

        • Offer advanced API Verification capabilities to strengthen your defenses against potential vulnerabilities.

        Solutions:

        Application Security

        API Security

        How Thales helps:

        • Run assessment tests on data stores such as MySQL to scan for known vulnerabilities.
        • Scan your databases with over 1,500 predefined vulnerability tests based on CIS and PCI DSS benchmarks to keep them covered against the latest threats.

        How Thales helps:

        • Reduce third-party risk by maintaining on-premises control over the encryption keys that protect data hosted in the cloud.
        • Ensure complete separation of roles between cloud provider administrators and your organization, and restrict access to sensitive data.
        • Monitor for and alert on anomalies to detect and prevent unwanted activity from disrupting supply chain operations.
        • Enable relationship management with suppliers, partners, or any third-party user, with clear delegation of access rights.
        • Minimize privileges by using relationship-based, fine-grained authorization.

        Solutions:

        Data Security

        Tokenization

        Other key data protection and security regulations

        PCI HSM

        Global

        MANDATE | ACTIVE NOW

        The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM Compliance certification depends on meeting those standards.

        DORA

        Global

        REGULATION | ACTIVE NOW

        DORA aims to strengthen the IT security of financial entities to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.

        Data Breach Notification Laws

        Global

        REGULATION | ACTIVE NOW

        Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.

        GLBA

        Americas

        REGULATION | ACTIVE NOW

        The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
