ThaiCERT Roles & Authority

Roles and Authority of ThaiCERT

The core responsibilities of the National Computer Security Coordination Center cover proactive measures, reactive incident response, and quality management for national cybersecurity operations.

Operating Model

ThaiCERT’s Mission Structure

ThaiCERT’s roles and authority are organized into three core areas to support prevention, monitoring, response, and continuous improvement of national cybersecurity operations.

01 Proactive Defense

Proactive measures to prevent and monitor risks of cyber threats

Prevent and monitor cyber threat risks before incidents occur.

02 Incident Response

Reactive measures when cyber threats occur

Receive reports, coordinate, respond, contain incidents, and monitor results when cyber threats occur.

03 Quality Management

Quality management measures for cybersecurity

Enhance readiness, processes, tools, and service quality in cybersecurity operations.

Detailed Authority

Detailed Roles and Authority

01 Proactive Defense

Proactive measures to prevent and monitor risks of cyber threats

Prevent and monitor cyber threat risks before incidents occur.

Proactive measures to prevent and monitor risks of cyber threats shall be carried out in accordance with the following criteria:

1.1 Work with or support the operations of supervised organizations in monitoring, tracking, and preparing to respond upon receiving cyber threat alerts.

1.2 Serve as a national information network hub and promote cooperation in cybersecurity. ThaiCERT may coordinate or cooperate with domestic and international networks or partners to receive, forward, or exchange information related to cyber threats and prepare for response upon receiving cyber threat alerts.

1.3 Prepare statistical information on cyber threat response and handling, as well as important advisory information and other related information for public dissemination.

1.4 Analyze and verify cyber threat intelligence that may arise, take action to prevent potential issues, and disseminate necessary information so that supervised organizations can implement preventive measures or manage possible cyber threat situations, such as providing guidance on intrusion detection and data analysis.

1.5 Issue cyber threat alerts or warnings about vulnerabilities that may be exploited as channels for cyber threats, so that supervised organizations can protect critical information infrastructure or other important systems in a timely manner.

1.6 Monitor technological developments to prepare recommendations on cyber threat prevention or baseline practices for prevention or preparedness upon receiving cyber threat alerts.

1.7 Upon request from supervised organizations, or upon coordination in cases where a cyber threat is expected to occur against such organizations, the National Computer Security Coordination Center may consider taking the following actions:

(1) Collect, monitor, analyze, and process information for proactive research on patterns of cyber threat occurrence in order to assess impacts and trends of various forms of cyber threats.

(2) Provide assistance, advice, and support in implementing preventive measures in accordance with best practices to prepare for response upon receiving cyber threat alerts.

(3) Assess risks and vulnerabilities that may be exploited to cause cyber threats, leading to vulnerability management, preventive measures, or other actions for cybersecurity.

(4) Detect events that may lead to intrusion, analyze indicators, or carry out other related actions to inspect programs or identify malicious code that may pose a risk to critical information infrastructure or other important systems.

For the purpose of coordination and cyber threat alerting, the National Computer Security Coordination Center shall arrange for the registration of information and the preparation of a point of contact directory for supervised organizations, to serve as the main communication channel between the National Computer Security Coordination Center and such organizations.

02 Incident Response

Reactive measures when cyber threats occur

Receive reports, coordinate, respond, contain incidents, and monitor results when cyber threats occur.

Reactive measures when cyber threats occur shall be carried out in accordance with the following criteria:

2.1 Serve as a central point for receiving and reporting cyber threat incidents occurring both domestically and internationally, and coordinate with supervised organizations to respond to and handle cyber threats appropriately and promptly. ThaiCERT shall also provide necessary information support to such organizations for resolving cyber threat incidents through electronic reporting channels specifically designated by the National Computer Security Coordination Center, or through any other channels determined by the Center.

2.2 Consider the appropriateness of determining the level of cyber threat reported by supervised organizations. ThaiCERT may consider the urgency as reported or redefine the urgency based on the nature or impact of the cyber threat, and provide recommendations for appropriate response and remediation plans to limit the scope of damage.

2.3 Monitor cyber threat response and handling, the impacts related to cyber threats, and the results of response and handling when cyber threats occur.

2.4 Upon request from supervised organizations, or upon coordination in cases where a cyber threat is expected to occur against such organizations, the National Computer Security Coordination Center may consider taking the following actions:

(1) Provide assistance, advice, and support in responding to and handling cyber threats, such as helping analyze the root cause of the threat, the attacker profile, incident containment methods, countermeasures against intruders, and vulnerability remediation. This may be carried out on-site where the incident occurred or through electronic communication methods from the operational site of the National Computer Security Coordination Center.

(2) Provide assistance, advice, and support in recovery so that missions or services can resume after the cyber threat incident has been contained.

(3) Provide assistance, advice, and support in digital forensics, examination of digital evidence, correlation of cyber threat information from various sources, as well as investigation or inquiry into offenses related to cyber threat activities.

2.5 Prepare reports on cyber threat response outcomes, including cases known from reports by relevant parties and cases where cyber threat incidents are observed, for submission to the National Cyber Security Agency.

For the purpose of responding to cyber threat incidents, the National Computer Security Coordination Center may collect information on cyberattacks that have occurred, for use in studying, analyzing, and processing cyber threat information, leading to proactive measures to prevent and monitor risks of future cyber threats.

03 Quality Management

Quality management measures for cybersecurity

Enhance readiness, processes, tools, and service quality in cybersecurity operations.

Quality management measures for cybersecurity shall be carried out in accordance with the following criteria:

3.1 Promote and support the development of awareness of cyber threats, leading to the implementation of measures for prevention and cybersecurity.

3.2 Enhance the knowledge and capabilities of supervised organizations to prepare them for cybersecurity operations and to improve the protection of critical information infrastructure and other important systems.

3.3 Upon request from supervised organizations, the National Computer Security Coordination Center may consider taking the following actions:

(1) Provide assistance, advice, and support in assessing the risk of cyber threats by using lessons learned from proactive measures to prevent and monitor cyber threat risks and reactive measures when cyber threats occur, in order to help such organizations plan responses when facing cyber threat incidents.

(2) Provide assistance, advice, and support in preparing business continuity plans to respond to cyber threat incidents, critical information infrastructure protection plans, and disaster recovery plans after cyber threats occur.

3.4 To ensure that quality management for cybersecurity is carried out efficiently and effectively, the National Computer Security Coordination Center shall undertake the following actions:

(1) Identify indicators and monitor performance to assess the quality of operations, such as response time to requests, time used for operations in various situations, and the number of reports or manuals related to the mission.

(2) Define policy and operational implementation approaches in phases, potentially using the Capability Maturity Model, or “CMM”, as a tool for determination.

(3) Establish a service management quality system to monitor performance and continuously improve operations so that they meet established performance targets.

(4) Define processes, procedures, and necessary tools to support services provided to supervised organizations, such as a threat recording and tracking system, ticketing system, and workflow management system.

3.5 Carry out activities with government agencies, private organizations, entities, or domestic and international organizations that are beneficial to quality management for cybersecurity and cyber threat response, as additionally assigned by the National Cyber Security Agency.

For the purpose of monitoring risks of cyber threats, tracking, analyzing, and processing cyber threat information, and issuing cyber threat alerts, the National Computer Security Coordination Center shall provide assistance, support, or work jointly with competent officials, or support the operations of the National Cyber Security Agency in activities related to cybersecurity and cyber threat response, or perform any other additional duties as prescribed by the Committee.
