SK D&D has set the goal of ‘Establishing Data Governance to Establish IT Infrastructure Solution to Leap forward as a Leader in the Platform Business’ and promotes various information protection activities to realize it. In 2022, information protection regulations and guidelines were enacted and revised to systematize information protection, and a status quo analysis and risk assessment were conducted for the company-wide security system. To protect customer information and corporate information assets, management is carried out according to the personal information processing policy, information protection regulations and related guidelines, and all members make efforts to comply with company regulations for information protection.
Information Protection Promotion System
Organization Dedicated to Information Protection
In accordance with the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., the head of Meta-Space Headquarters, who has 25 years of experience in IT, was appointed as the Chief Information Security Officer (CISO) and entrusted with tasks related to information protection. We are strengthening the company-wide information security system through the operation of the Information Protection Committee, the highest decision-making body dedicated to the establishment of information protection policies and control procedures and operations, and the Information Protection Working-Level Council, which is entrusted with information protection practices.
Information Protection Policy
Information Protection Organization
Establishment of Information Protection System
Information protection regulations and guidelines were established and revised in 2022 to systematize information protection. Revisions were made to the requirements for operation management of the working-level consultative body that manages the Information Security Management System (ISMS*). In addition, cloud management guidelines were enacted in line with the company-wide conversion to a cloud operating environment. The information protection policy has been posted on the groupware company regulation bulletin board for all members to recognize, and members sign an annual consent form on personal information processing for personnel and company-related tasks to ensure personal information security. In this way, we are establishing and operating a comprehensive information protection system that ensures both technical security and personal information security.
Expenditures for Personal Information Protection
|Expenditures in information technology||KRW million||6,620||13,120|
|Expenditures in information protection||KRW million||655||1,101|
|Proportion of expenditures in information protection||%||9.9%||8.4%|
Information Protection Risk Analysis and Evaluation
In 2022, current status analysis and risk assessment of the company-wide security system were carried out, and action plans were established for each sector. Based on the vulnerabilities identified through the risk analysis, we completed a risk assessment of the handling of personal information. Based on the evaluation results, action plans were established for each response period, such as immediate, short-term, mid-term, and long-term.
Information Protection Inspections and Action Plans
|Category||Inspection items||Action plans|
|ISMS||80||Immediate (3) Short-term (34) Mid-term (28) Long-term (4)|
|Personal Information||22||Short-term (7) Mid-term (5) Long-term (3)|
|Mock Hacking||44||Immediate (46) Short-term (2)|
|IT Infrastructure||332||Short-term (130) Mid-term (1695)|
|Total||478||Immediate (49) Short-term (173) Mid-term (1728) Long-term (7)|
Risk Analysis Process
Security Incident Prevention and Response
Spreading the Culture of Information Protection
To prevent accidents related to information protection by strengthening employees’ security awareness, information is checked on a daily basis, and vulnerabilities and infringement incidents are notified when they occur. We are building a culture of information protection by distributing daily security and information protection practices each quarter and sharing the results of everyday security inspections of the company’s work environment with members. In addition, we promptly notify employees of spam e-mails or office-related vulnerabilities so that they can understand the situation and take corrective action, strengthening the level of employee security.
10 Rules for Information Protection
As part of our efforts to prevent security accidents and strengthen information protection, we conduct security accident prevention training such as spam mail simulation training and mock hacking training. Spam mail simulation training is conducted for all employees to prevent accidents such as leakage of company data or business interruption due to ransomware, and to enhance employee security awareness. Furthermore, mock hacking was conducted against company-wide systems, applications, and business-related IT infrastructure used by members. In the 2022 mock hacking training, performance was enhanced compared to the previous year, and action plans were prepared based on the training results, with measures taken for the relevant items.
Information Protection Training
We provide information security training to all our employees each year to improve their information security awareness and capabilities. In 2022, online information protection training was provided to all members, with a total of 228 training hours. Furthermore, all of our employees have signed the information security pledge to recognize the importance of information security and to internalize their sense of responsibility.
Personal Information Protection
We strictly comply with relevant laws and regulations by establishing a 〈Personal Information Handling Policy〉 and disclosing it on our website for all stakeholders to review. We are also striving to improve customer information protection awareness by conducting compulsory personal information training in order to protect personal information and prevent information leakage accidents. Furthermore, the SK Group conducts regular system inspections based on the security guidelines to take measures against discovered vulnerabilities, and invests in personal information masking and encryption to prevent leakage of personal information. We have also purchased personal information protection liability insurance in preparation for leakage of customer information in the Episode rental housing business.
Personal Information Protection Performance
|No. of complaints filed regarding breaches of customer privacy and loss of customer data||No. of cases||-||-||-|
|No. of proven customer data breaches, theft, or loss||No. of cases||-||-||-|
- * No complaints received regarding personal information protection, leakage, theft, or loss