Social Information
Security

Information Security

Due to the changes in business and information technology, information security issues are constantly evolving. In order to effectively respond to the evolving information security issues, organizations need to proactively strengthen their information security systems. Especially given that information is an intangible asset with inherent value and that organizations create business by sharing information internally and externally, it is important to understand the flow of information in the process of operations and accurately identify points where information security risks may occur.

Hyosung TNC has established information security regulations and operational standards to prepare for information security risks arising from external cyber threats or internal data leaks. We have also established an organizational structure for monitoring and enforcing these regulations. Additionally, we engage in various activities such as security log reviews and the implementation of multifunction devices with security solutions to prevent the leakage of critical internal information.

  • Information Security Organizational Structure

    • To minimize the information security risks related to business, we have established information protection policies that define the responsibilities and roles of each organization. These policies have been approved by top management and published throughout the organization.
    • In order to effectively perform risk mitigation activities outlined in the information protection policies, we have established processes for planning, approval, execution, and monitoring.
    • We continuously monitor changes in domestic and international information security-related laws and requirements and incorporate them into our information protection policies and processes.
    • An Information Security Chief Officer (CISO) and security personnel who handle information security in addition to their regular duties have been appointed. They collaborate with the holding company's security team to ensure effective execution of the holding company's information security policies within the affiliate companies.
    • Each business site has a security manager, and each team has a team security manager to facilitate the effective dissemination of information security policies and activities to the field. They also serve as points of contact for receiving and addressing information security issues and security incidents in the field.
    • When support from related departments is required, an Information Security Committee (non-standing) is convened, which includes departments such as HR, General Affairs, Legal Affairs, and IT. Each department's roles and responsibilities are clearly defined for collaboration.
    • We conduct online information security training for all employees once a year, and we also provide offline training for departmental security personnel once a year. We communicate changes in information security policies and security incident prevention guidelines through the company-wide bulletin board and groupware pop-up notifications.
    • We conduct simulated training for malicious emails twice a year to ensure that employees are aware of how to respond when they receive suspicious emails, thus enhancing awareness and preparedness for security incidents.
    • We encourage new hires and employees who are about to retire to sign an information security pledge, fostering a heightened awareness of information security.
    | Type | Target audience | Frequency |
    | --- | --- | --- |
    | Email/company-wide bulletin board announcements | All employees | As needed |
    | Creation of groupware pop-up windows | All employees | Once a day |
    | Offline training for responsible personnel | Information security personnel within each department | Once a year |
    | E-learning training for all employees | All employees | Once a year |
    • We constantly monitor changes in personal data protection-related regulations and respond accordingly to revised provisions.
    • We conduct annual personal data protection training for individuals who handle personal information.
    • We maintain access records for personal information and regularly verify whether personal information that has exceeded its retention period has been properly disposed of to ensure the safe protection of personal information held by the company.
    • We designate restricted areas in places such as offices, research labs, and factories where unauthorized access by outsiders is to be controlled. We install access systems that use ID cards or fingerprints at entry points to manage access records.
    • In places where strict access control is particularly necessary, such as computer rooms, we designate them as controlled areas and deploy security personnel or install CCTV cameras.
    • Unauthorized removal of company assets and the introduction of personal PCs or storage media without prior notification are prohibited.
    • To prevent cyber security incidents such as hacking, we conduct 24-hour security monitoring through the deployment of security team members and external security monitoring professionals.
    • We prioritize applying domestic and international intrusion incident information to Hyosung's security equipment to prevent the recurrence of the same intrusion incidents. We promptly detect signs of anomalies through real-time monitoring.
    • We have established security incident response procedures, established an emergency contact network, and have a system in place to respond promptly to security incidents.
    • Hyosung TNC applies differentiated access control policies for regular users and system administrators to block unauthorized access.
    • When accessing internal business systems remotely, such as when working from home or on business trips, we use VPNs to encrypt communication segments for protection. We also minimize the risk of cyber security incidents such as leakage of account information by applying two-factor authentication using individual OTPs (one-time passwords).
    • Access to information system servers is restricted by IP address, in addition to operator IDs, and OTP authentication is applied. Server commands are logged to prevent security incidents and to promptly identify the circumstances of incidents.
    • We manage logs generated by servers, network equipment, application programs, and firewall logs from security solutions in a consolidated manner to prevent log loss and changes. We store logs in a secure manner.
    • We use Security Information & Event Management (SIEM) solutions to generate alerts immediately when behavior exceeding threshold values occurs. We periodically adjust SIEM rules and threshold values.
    • When introducing new information systems or making changes, we minimize risks through a security review process.
    • We also conduct security reviews when changing network control policies, such as the external opening of web servers, to minimize unauthorized access.
    • For information systems, including servers, network equipment, and applications, we perform annual security vulnerability assessments and address any discovered vulnerabilities.
    • User PCs are equipped with security programs, including antivirus software, to protect against malicious code attacks such as ransomware.
    • Within the company, access to malicious IP addresses and URLs is blocked, and access to sites unrelated to work, such as P2P sites, is restricted.
    • We use media control programs to limit unauthorized copying of files stored on PCs using USB drives, and we also monitor with a data loss prevention (DLP) solution to prevent illegal leakage of internal information.
    • Hyosung TNC introduced an Enterprise Content Management (ECM) system in 2019, which shortens document search times, alleviates document sharing and collaboration constraints, and eliminates the possibility of information leakage in the document distribution process.
      This system has been implemented across all affiliated companies to support an advanced way of working. This enables the establishment of consistent document security policies across the entire workplace and ensures visibility throughout the entire document distribution process.
    • Even during remote work, employees can conveniently access necessary documents through the ECM system, contributing to improved productivity.
    • We apply the "need-to-know" principle to ensure that unauthorized personnel cannot access documents by default, and we additionally provide functionality to specify detailed access permissions.
    • For document exports, we have introduced pre-approval procedures to restrict the unauthorized export of documents.
    • Hyosung collaborates with the Korean Association for Industrial Technology Security to provide services such as conferences, the latest security trend newsletters, security and consulting services to member companies. Hyosung maintains ongoing communication and builds a collaborative framework with the Korean Association for Industrial Technology Security and its member companies to enhance the level of technology protection and security incident response, align with government policies and global trends, and execute security policies accordingly. In 2021, in recognition of Hyosung’s efforts to protect industrial technology, it was awarded the commendation of the Minister of Trade, Industry and Energy in commemoration of ‘Industrial Technology Security Day’.