Governance

Information Security

Information Protection Framework

Information Protection Policy

SK D&D is establishing data governance with the goal of building IT infrastructure solutions that will let the company grow into a leading player in the platform business. To this end, we have formulated and implemented information protection policies and systems. We aim to mitigate cybersecurity risks by complying with international information security standards and codes of ethics, and to manage risk by raising the trust that external stakeholders place in our information security.

In 2023, we revised our Information Security Regulations to systematize information protection; in accordance with Article 4 of those Regulations, the revision was approved by the Chief Information Security Officer (CISO) and disclosed publicly. The main revisions include applying the mandatory administrative and technical control items required by the Information Security Management System (ISMS)* and changing how the information protection working-level group is operated and managed. In addition, a cloud management guideline was established to accompany the migration of the company's business systems to the Amazon Web Services (AWS) cloud. Our information protection policy and related regulations are posted on the groupware policy bulletin board, where all employees can access and read them.

In November 2023, SK D&D obtained ISMS certification for the corporate website and the 'Episode' website, strengthening our level of information security while upgrading internal policies and systems. By obtaining this certification voluntarily, we have created a more secure customer service environment, and we will continue working to improve information security and trust.

*ISMS (Information Security Management System): A certification scheme under which the Korea Internet & Security Agency certifies that an organization's set of information protection measures and activities meets the certification criteria

Information Protection Implementation Framework

Information Protection Management Organization

SK D&D operates an Information Protection Committee as the top decision-making body for ensuring the systematic implementation of information security management activities. The committee convenes at least once a year to review and decide on key issues, including the establishment of company information security policies and control procedures and the operation of trade-secret security tasks. The committee consists of IT/security experts and is chaired by the Chief Information Security Officer (CISO). The CISO, a C-level executive to whom the CEO has delegated authority for policy review and approval, is responsible for formulating information security strategy, ensuring swift responses, and reporting the Committee's deliberations and decisions to the CEO.

To support the effective operation of the Information Protection Committee, we hold quarterly Information Protection Working-Level Council meetings, chaired by the Information Security Manager. These meetings bring together the practitioners responsible for information security, personal information protection, and HR/physical security, with the aim of strengthening the information security system across the whole organization. The Platform Infra Part, our information security department, executes the annual information security action plan, conducts inspections to prevent security incidents, and manages post-incident response. It also collaborates with relevant departments such as Legal Affairs and Business, as needed, to advance internal information security activities.

Information Protection Organization

Information Protection Risk Analysis and Evaluation

SK D&D conducts regular information security audits to maintain the level of information security required by our information protection policies and to prevent security breaches before they occur. In 2023, in accordance with the ISMS certification criteria, we analyzed information security risks and vulnerabilities across the entire security system and assessed their risk levels. The evaluation identified deficiencies in 12 areas, 82 items in total, and the mitigation measures for every area have been fully implemented. In addition, the effectiveness evaluation of the operational status of the information protection system produced a score of 86.4 (Information Security Level: Excellent), an improvement over the previous year.

Risk Analysis Process

2023 Information Protection Risk Analysis Results

2023 Information Protection Improvement Outcomes

Category                        | 2022                     | 2023                    | Note
Level of information protection | 53.8 points (Inadequate) | 86.4 points (Excellent) | Up 32.6 points from the previous year

Information Security Compliance

Category                                                       | Unit          | 2021 | 2022 | 2023
No. of information security breaches/incidents*                | Cases         | 0    | 0    | 0
Total amount of information security-related fines or penalties | KRW 1 million | 0    | 0    | 0

* Excluding personal information protection-related breaches/incidents

Internalization of Information Protection

Information Protection Practices

SK D&D conducts regular security checks of daily operations to raise employees' security awareness and notifies them of any vulnerabilities or breaches that are found. We build a culture of information protection by distributing guidelines on everyday security and information protection practices through a quarterly newsletter, and by sharing the results of our everyday security inspections of the company's work environment with employees. In addition, when spam email campaigns or Office-related vulnerabilities arise, we promptly inform employees of the situation so that they can respond appropriately and major information security incidents are prevented.

10 Rules for Information Protection

Information Protection Investments and Training

SK D&D invests in information protection every year to enhance company-wide information security systems, while also expanding its investment in information technology as it pursues IT/data-based solution and platform businesses. In 2023, information protection investment amounted to 4.7% of SK D&D's total information technology investment. We are committed to continuing to invest in information protection to keep our customers' and the company's information secure.

SK D&D also conducts annual information security training to help employees understand the importance of information security, foster a sense of responsibility, and strengthen their security capabilities. In 2023, we provided a total of 231 hours of online information security training to all employees. In addition, as required by our information protection regulations, all employees sign an annual information protection pledge, reaffirming their commitment to comply with relevant laws and internal regulations and to practice information security.

Information Protection Investments

Category                                                    | Unit          | 2021  | 2022   | 2023
Investments in information technology (A)                   | KRW 1 million | 6,620 | 13,120 | 14,108
Investments in information protection (B)                   | KRW 1 million | 655   | 1,101  | 667
Information security investment ratio (B as a share of A)   | %             | 9.9   | 8.4    | 4.7

Security Incident Prevention and Response

As part of our efforts to prevent security incidents and strengthen information protection, we conduct annual security incident prevention training, including spam email simulation training and mock hacking (penetration testing) exercises. Spam email simulation training is given to all employees to raise their security awareness and prevent incidents such as company data leaks or business interruption caused by spam email or ransomware. Mock hacking exercises are conducted against company-wide systems, applications, and the business IT infrastructure used by employees to prevent damage from security incidents and improve security awareness.

We also operate an IT helpdesk channel to promptly receive and address IT/security issues raised by employees, and we maintain business continuity plans and response procedures so that information security incidents can be prevented and responded to quickly. The effectiveness of these response procedures is checked regularly through IT business continuity drills and crisis response training held at least once a year.

2023 Spam Email Simulation Training Outcomes

Target                     | Outcomes                                 | Action Plan
264 persons (all employees) | Spam email open rate: 28% (74 persons) | Separate information protection training provided to the 74 employees who opened the email, to address individual security weaknesses

Personal Information Protection

Personal Information Protection Activities

SK D&D has established and disclosed a Privacy Policy in accordance with Article 30 of the Personal Information Protection Act. The policy sets out the rights and obligations of data subjects and provides details of our Chief Privacy Officer (CPO) and personal information security officers. We continuously review and revise the Privacy Policy to reflect changes in laws, regulations, and security technology, and we keep every previous version accessible in an archive on the company website and the 'Episode' website, so that data subjects can check when a revised policy took effect and what changed.

SK D&D conducts mandatory personal information protection training, run by the Platform Infra Part as the personal information protection department, to protect personal information and prevent leaks. We also protect employees' personal information by collecting their consent to personal information processing every year. In addition, we perform regular system checks based on the SK Group Security Guidelines to resolve vulnerabilities, and we invest in personal information masking and encryption to prevent data breaches. Furthermore, we hold personal information protection liability insurance, renewed annually, to prepare for potential leaks of customer information in our rental housing business ('Episode').

Personal Information Protection Compliance*

Category                                                                          | Unit          | 2021 | 2022 | 2023
No. of privacy-related information security breaches/incidents                   | Cases         | 0    | 0    | 0
Total amount of privacy-related fines or penalties                               | KRW 1 million | 0    | 0    | 0
No. of complaints filed regarding breaches of customer privacy and loss of customer data | Cases   | 0    | 0    | 0
No. of proven customer data breaches, thefts, or losses                          | Cases         | 0    | 0    | 0
Customers impacted by data breaches                                               | Persons       | 0    | 0    | 0

* No complaints have been received related to personal information protection, leakage, theft, or loss