Move to menuMove to category menuMove to main contents

Information Protection

SK D&D established the goal of ‘Establishing Data Governance to Establish IT Infrastructure Solution to Leap forward as a Leader in the Platform Business,’ promoting various information protection activities to realize the goal. In 2022, information protection regulations and guidelines were enacted and revised to systematize information protection, conducting status quo analysis and risk assessment for the company-wide security system as well. Management according to personal information processing policy, information protection regulations and related guidelines is carried out in order to protect customer information and corporate information assets, with all members making efforts to comply with company regulations for information protection.

Information Protection Promotion System

Organization Dedicated to Information Protection

In accordance with the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., the head of Meta-Space Headquarters with 25 years of experience in IT was appointed as the Chief Information Security Officer (CISO) and was entrusted with tasks related to information protection. We are strengthening the companywide information security system through operation of the Information Protection Committee, the highest decision-making body dedicated to establishment of information protection policies and control procedures and operations, and the Information Protection Working-Level Council entrusted with information protection practices.

Information Protection Policy

Information Protection Organization

Establishment of Information Protection System

Information protection regulations and guidelines have been established and revised in 2022 to systematize information protection. Revisions have been made on requirements on operation management of working-level consultative body managing the Information Security Management System (ISMS* ). In addition, cloud management guidelines were enacted according to the companywide conversion to cloud operating environment. Information protection policy has been posted on the groupware company regulation bulletin board for all members to recognize and an annual consent form on personal information processing is signed by members for personnel and company-related tasks to ensure personal information security, establishing and operating a comprehensive information protection system to ensure both technical security and personal information security.

* ISMS(Personal Information & Information Security Management System): A system in which the Korea Internet & Security Agency or a certification body certifies that a series of measures and activities for information protection and personal information protection meet the certification criteria

Expenditures for Personal Information Protection

Expenditures for Personal Information ProtectionThe amount of investment in information security in 2021 and 2022 is classified into the information technology sector and the information security sector and presented in units of million won, and the information security investment amount ratio is presented, which is the amount of investment in the information security sector divided by the amount of investment in the information technology sector.
Expenditures in information technologyKRW million6,62013,120
Expenditures in information protectionKRW million6551,101
Proportion of expenditures in information protection%9.9%8.4%

Information Protection Risk Analysis and Evaluation

In 2022, current status analysis and risk assessment of the company-wide security system were carried out, and action plans were established for each sector. Based on the vulnerabilities identified through the risk analysis, we completed a risk assessment of the handling of personal information. Based on the evaluation results, action plans were established for each response period, such as immediate, short-term, mid-term, and long-term.

Information Protection Inspections and Action Plans

Information Protection Inspections and Action PlansInformation security checklists and action plans are divided into ISMS, personal information, penetration testing, and IT infrastructure, and action plans are further divided into immediate, short-term, medium-term, and long-term.
CategoryInspection itemsAction plans
ISMS80Immediate (3) Short-term (34) Mid-term (28) Long-term (4)
Personal Information22Short-term (7) Mid-term (5) Long-term (3)
Mock Hacking44Immediate(46) Short-term (2)
IT Infrastructure332Short-term (130) Mid-term (1695)
Total478Immediate(49) Short-term (173) Mid-term (1728) Long-term (7)

Risk Analysis Process

Security Incident Prevention and Response

Spreading the Culture of Information Protection

Information is checked on a daily basis, and vulnerabilities and infringement incidents are notified in case of occurrence in order to prevent accidents related to information protection by strengthening employees’ security awareness. We are building a culture of information protection by distributing quarterly daily security and information protection practices and sharing the results of everyday security inspections on the company’s work environment with members. In addition, we are promptly notifying employees in case of spam e-mails or office related vulnerabilities, enabling them to understand the situations and take corrective action, strengthening the level of employee security.

10 Rules for Information Protection

Mock Training

As part of our efforts to prevent security accidents and strengthen information protection, we conduct security accident prevention training such as spam mail simulation training and mock hacking training. Spam mail mock training is conducted for all employees to prevent accidents such as leakage of company data or business interruption due to ransomware, and to also enhance employee security awareness. Furthermore, mock hacking was conducted for company-wide systems, applications, and business-related IT infrastructure used by members. As a result of the mock hacking training in 2022, performance was enhanced compared to the previous year, and action plans were prepared based on training results, taking measures for relevant items.

Information Protection Training

We provide information security training to all our employees each year to improve their information security awareness and capabilities. In 2022, online information protection training was provided to all members, with a total of 228 training hours. Furthermore, all of our employees have signed the information security pledge to recognize the importance of information security and to internalize their sense of responsibility.

Personal Information Protection

We strictly comply with relevant laws and regulations by establishing a 〈Personal Information Handling Policy〉, disclosing them on our website for all stakeholders to review. We are also striving to improve customer information protection awareness by conducting compulsory personal information training in order to protect personal information and prevent information leakage accidents. Furthermore, the SK Group conducts regular system inspections based on the security guidelines to take measures against discovered vulnerabilities and invest in personal information masking and encryption to prevent leakage of personal information. Also, we have purchased personal information protection liability insurance in preparation for leakage of customer information in Episode rental housing business.

Personal Information Protection Performance

Personal Information Protection PerformanceFrom 2020 to 2022, the number of complaints filed related to customer privacy violations and loss of customer data is divided into the number of verified customer data leaks, thefts, and losses. From 2020 to 2022, there were no complaints, leakage, theft or loss of personal information.
No. of complaints filed regarding breaches of customer privacy and loss of customer dataNo. of cases---
No. of proven customer data breaches, theft, or lossNo. of cases---
  • * No complaints received to personal information protection, leakage, theft, or loss