Governance

Information Protection

SK D&D has set the goal of ‘Establishing Data Governance to Establish IT Infrastructure Solution to Leap forward as a Leader in the Platform Business’ and is promoting various information protection activities to realize it. In 2022, information protection regulations and guidelines were enacted and revised to systematize information protection, and a status quo analysis and risk assessment were conducted for the company-wide security system. To protect customer information and corporate information assets, management is carried out according to the personal information processing policy, information protection regulations and related guidelines, and all members make efforts to comply with company regulations for information protection.

Information Protection Promotion System

Organization Dedicated to Information Protection

In accordance with the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., the head of Meta-Space Headquarters with 25 years of experience in IT was appointed as the Chief Information Security Officer (CISO) and was entrusted with tasks related to information protection. We are strengthening the companywide information security system through operation of the Information Protection Committee, the highest decision-making body dedicated to establishment of information protection policies and control procedures and operations, and the Information Protection Working-Level Council entrusted with information protection practices.

Information Protection Policy

Information Protection Organization

Establishment of Information Protection System

Information protection regulations and guidelines were established and revised in 2022 to systematize information protection. Revisions were made to the requirements for operation management of the working-level consultative body that manages the Information Security Management System (ISMS*). In addition, cloud management guidelines were enacted in line with the companywide conversion to a cloud operating environment. The information protection policy is posted on the groupware company regulation bulletin board for all members to recognize, and members sign an annual consent form on personal information processing for personnel and company-related tasks to ensure personal information security. In this way, we are establishing and operating a comprehensive information protection system that ensures both technical security and personal information security.

* ISMS (Personal Information & Information Security Management System): A system in which the Korea Internet & Security Agency or a certification body certifies that a series of measures and activities for information protection and personal information protection meet the certification criteria

Expenditures for Personal Information Protection

The amount of investment in information security in 2021 and 2022 is classified into the information technology sector and the information security sector and presented in units of million won, and the information security investment amount ratio is presented, which is the amount of investment in the information security sector divided by the amount of investment in the information technology sector.

| Category | Unit | 2021 | 2022 |
| --- | --- | --- | --- |
| Expenditures in information technology | KRW million | 6,620 | 13,120 |
| Expenditures in information protection | KRW million | 655 | 1,101 |
| Proportion of expenditures in information protection | % | 9.9% | 8.4% |

Information Protection Risk Analysis and Evaluation

In 2022, current status analysis and risk assessment of the company-wide security system were carried out, and action plans were established for each sector. Based on the vulnerabilities identified through the risk analysis, we completed a risk assessment of the handling of personal information. Based on the evaluation results, action plans were established for each response period, such as immediate, short-term, mid-term, and long-term.

Information Protection Inspections and Action Plans

Information security checklists and action plans are divided into ISMS, personal information, penetration testing, and IT infrastructure, and action plans are further divided into immediate, short-term, medium-term, and long-term.

| Category | Inspection items | Action plans |
| --- | --- | --- |
| ISMS | 80 | Immediate (3), Short-term (34), Mid-term (28), Long-term (4) |
| Personal Information | 22 | Short-term (7), Mid-term (5), Long-term (3) |
| Mock Hacking | 44 | Immediate (46), Short-term (2) |
| IT Infrastructure | 332 | Short-term (130), Mid-term (1695) |
| Total | 478 | Immediate (49), Short-term (173), Mid-term (1728), Long-term (7) |

Risk Analysis Process

Security Incident Prevention and Response

Spreading the Culture of Information Protection

Information is checked on a daily basis, and vulnerabilities and infringement incidents are notified when they occur, in order to prevent accidents related to information protection by strengthening employees’ security awareness. We are building a culture of information protection by distributing quarterly daily security and information protection practices and sharing the results of everyday security inspections on the company’s work environment with members. In addition, we promptly notify employees of spam e-mails and office-related vulnerabilities so that they can understand the situation and take corrective action, which strengthens the level of employee security.

10 Rules for Information Protection

Mock Training

As part of our efforts to prevent security accidents and strengthen information protection, we conduct security accident prevention training such as spam mail simulation training and mock hacking training. Spam mail mock training is conducted for all employees to prevent accidents such as leakage of company data or business interruption due to ransomware, and to also enhance employee security awareness. Furthermore, mock hacking was conducted for company-wide systems, applications, and business-related IT infrastructure used by members. As a result of the mock hacking training in 2022, performance was enhanced compared to the previous year, and action plans were prepared based on training results, taking measures for relevant items.

Information Protection Training

We provide information security training to all our employees each year to improve their information security awareness and capabilities. In 2022, online information protection training was provided to all members, with a total of 228 training hours. Furthermore, all of our employees have signed the information security pledge to recognize the importance of information security and to internalize their sense of responsibility.

Personal Information Protection

We strictly comply with relevant laws and regulations by establishing a 〈Personal Information Handling Policy〉 and disclosing it on our website for all stakeholders to review. We are also striving to improve customer information protection awareness by conducting compulsory personal information training in order to protect personal information and prevent information leakage accidents. Furthermore, the SK Group conducts regular system inspections based on the security guidelines to take measures against discovered vulnerabilities, and invests in personal information masking and encryption to prevent leakage of personal information. We have also purchased personal information protection liability insurance in preparation for leakage of customer information in the Episode rental housing business.

Personal Information Protection Performance

From 2020 to 2022, the number of complaints filed related to customer privacy violations and loss of customer data is divided into the number of verified customer data leaks, thefts, and losses. From 2020 to 2022, there were no complaints, leakage, theft or loss of personal information.

| Category | Unit | 2020 | 2022 | 2022 |
| --- | --- | --- | --- | --- |
| No. of complaints filed regarding breaches of customer privacy and loss of customer data | No. of cases | - | - | - |
| No. of proven customer data breaches, theft, or loss | No. of cases | - | - | - |

* No complaints received regarding personal information protection, leakage, theft, or loss