
Information Security

SK Square promotes the establishment and dissemination of information security principles, the operation of an information security organization, and information security training in order to protect the company’s information as well as that of customers.

Information Security Policy

SK Square has established and shared the Information Security Regulations to protect the business and customer information collected during the business process. The Information Security Regulations apply to all employees and include the principles for internal information management and cyber security compliance, and stipulate information security management system operating standards for systematic management of information assets.

Information Security Regulations

  • Information security management system operating standards for systematic management of information assets, etc.

ISO27001
(Information Security Management System Certification)


Status of Information Security Policy Establishment for Major Subsidiaries

Category | Unit | 2024
Proportion of subsidiaries with established information security policies | % | 100 1)

1) Seven major consolidated subsidiaries as the basis for assessment (11STREET, ONE store, SK planet, Dreamus Company, TMAP Mobility, FSK L&S, Incross)

Information Security Organization

SK Square has appointed an executive-level Chief Information Security Officer (CISO), who oversees and manages duties related to the company's information security, including the establishment of information security policy, organization and operation of the Information Security Committee, analysis and management of risks, and response to security incidents and recovery.

CEO
Information Security Committee
  • Head of Information Security (executive)
  • Head of HR (executive)
  • Head of Legal Affairs (executive)
  • Head of Ethical Management
  • Information Security/IT Managers
Information Security (organization): CISO (executive)
  • IT Manager (PL)
  • Information Security Manager (PL)
  • Physical Security Manager (PL)

Key Roles

Category | Key roles
Information Security Committee | Discuss and coordinate information security policies and related issues
CISO | Oversee information security, including establishing information protection policies and detailed action plans and responding to and recovering from security incidents
Working-level managers (IT, information security, physical security) | Execute the information security action plans and respond to security incidents.

Information Security Incident Response System

SK Square has built and operates a robust information security risk management system to protect information from external threats and prevent internal data leaks. To proactively respond to the rapidly changing security threat landscape, SK Square has implemented multi-layered security solutions, including endpoint security, monitoring security, network security, data security, and system security, supported by a 24/7 real-time monitoring system. To systematically prevent and respond to information security incidents, SK Square utilizes various solutions to detect and address threats at an early stage. Through a phased response system, the company has established swift and efficient processes for incident recognition and response. In the event of an incident, the Information Security Department assesses the impact and severity level of the incident and establishes response plans based on its severity to take prompt action. By operating this comprehensive information security risk management system, SK Square ensures the safe protection of critical information assets for both customers and the company while contributing to the establishment of a sustainable business environment.

Phased Information Security Incident Response System

Stage: Prevention
Threat detection
  • 24/7 real-time monitoring system operation
  • Operation of multi-layered security solutions (endpoint, network, data security, etc.)
  • Regular vulnerability scans and assessments
Prevention measures
  • Dissemination of security policies and guidelines
  • Regular training and education for employees
Stage: Incident response
Incident recognition
  • Monitoring and checking security events and alerts
  • Immediate reporting of incidents to relevant departments and officers
Incident response
  • Isolation of affected systems and implementation of measures to prevent further damage
  • Identification of the cause and scope of impact of the incident
  • Development and execution of response plans based on severity levels
Follow-up management
  • Preparation of incident analysis reports and reporting to management
  • Establishment and implementation of recurrence prevention measures
  • Improvement of security systems and policies

Status of Information Leakage Damage

Category | Unit | 2022 | 2023
Number of data leaks or breaches | Case | 0 | 0

Roadmap for Improving Information Security Incident Response System

2023~2024: Stabilize information security system
  • Establish information security system
  • Obtain information security certification
2025~2026: Improve information security system
  • Raise employees’ information security awareness
  • Continue to achieve zero information leakage incidents
2027~: Secure a global-level information security management system

Information Security Management System

SK Square strives to enhance the credibility of the company by protecting not only its own information but also the information of various stakeholders, including customer data. To maintain its ISO 27001 certification, the international standard for Information Security Management Systems (ISMS), SK Square conducts follow-up audits (annually) and renewal audits (every three years) through an independent third-party organization. These audits are based on 144 detailed items across 14 areas of information security management, including information security policy, communication and operation, access control, and information security incidents. Additionally, SK Square conducts an annual security diagnosis organized by SK Group’s SUPEX Council to review its information security policies and systems. In 2024, the company received a “Good” rating in the SUPEX Council’s assessment of its security management.

Information Security Management System Certification Status (Including Major Subsidiaries)

Business Division (Major Consolidated Subsidiaries) | Certification Type 1) | Certification Scope
Investment Business / SK Square | ISO 27001 | Information security management systems related to portfolio management
Commerce Business / 11STREET | ISO 27001, ISO 27701, ISMS-P | 11STREET Service Operations
Platform Business / ONE store | ISMS-P | App Market Service Operations
Platform Business / SK planet | ISMS | External Services such as T Coloring and T Academy
Platform Business / SK planet | ISMS-P | Ok Cashbag, Syrup
Platform Business / Dreamus Company | ISMS-P | FLO and RVER Service Operations
Mobility Business / TMAP Mobility | ISMS | Chauffeur Services, Payment Services, Public Transportation, etc.
Mobility Business / TMAP Mobility | ISMS-P | Full Service Operations of TMAP Mobility
Others / Incross | ISMS | Online Advertising Service Operations (Dawin, j-cast, cm)
Coverage: 87.5% 2)

1) ISMS-P is a certification system in which the Korea Internet & Security Agency proves that a series of measures and activities related to information security and privacy protection comply with certification standards, including ISO 27001 certification items

2) Excluding FSK L&S, which provides logistics BPO services

External independent audit

SK Square conducts regular external independent audits of its information protection policies and overall cybersecurity to ensure systematic management of information protection and security. As part of the ISO 27001 certification renewal process for our Information Security Management System, external professional organizations review the adequacy of our information protection policies and management systems. In addition, we regularly conduct vulnerability analysis and assessments in collaboration with external experts to proactively respond to security threats. SK Square will continue to advance its information protection and security management systems through close collaboration with external experts.

Category | Expert verification | Verification frequency
Information security management system | Verification of the adequacy of management systems including information protection policies through the ISO 27001 certification renewal process | Annual basis
Cyber security | Verification of information security level through information security vulnerability analysis and assessment processes

Information Security Monitoring

SK Square carries out information security monitoring activities to check compliance with the information security policy and processes and whether information security activities are implemented.

Information Security Monitoring Activities

[Diagnosis & Audits]
Diagnosing security policy and process implementation (annually)
Security diagnosis for information system (annually)
Audits of information security policies and systems by the group audit organization (annually)
[Training & inspection]
Breach response training such as DDOS simulation training (annually)
Detection of events such as malicious mail and malicious code inflow (as needed)
Mail security, file import / export, print security check (monthly)
PC security check (as needed)

Status of Information Security Incident Response Training and Monitoring

Category | Unit | 2022 | 2023
Company’s own information security training sessions | Session | 1 | 1
Company’s own information security monitoring / checks: Number of detected events* | Event | 752 | 585
Company’s own information security monitoring / checks: Number of actions taken for issues | Action | 7 | 9

* Large file upload / download, server communication, etc.

Personal Information Management

The nature of the company's business does not necessitate directly collecting personal information from customers. If necessary, SK Square manages the information in an organized manner based on its privacy policy and detailed guidelines. When collecting personal information, relevant individuals are clearly informed of the purpose and asked to provide their consent. The collected personal information is destroyed once the purpose has been achieved to minimize the risk of unnecessary retention. The SK Square privacy policy can be found at the bottom of the company's website (www.sksquare.com). In addition, we conduct security assessments, which also cover aspects associated with personal information protection, of our subsidiaries to proactively identify and respond to privacy risks.

Personal Information Management System

Collection and Use of Personal Information
  • Specification of collected items, purposes, processing methods, and retention periods (Privacy Policy Article 1, Paragraph 1)
  • Restriction on use beyond purposes
  • Consent requirement for changes in purposes of use (Personal Information Protection Act Article 18)
  • Compliance with legally stipulated or consented retention periods
  • Legal guardian consent requirement for children under the age of 14
Management of Personal Information
(Deletion, Correction, Supplementation, Change Requests, etc.)
  • Guarantee of right to request access to personal information (Privacy Policy Article 9, Paragraph 3)
  • Guarantee of data subject’s right to self-determination (Privacy Policy Article 10, Paragraph 2)
Access Control for Personal Information
  • Management of work-related information via virtual desktops with access control for non-employees
  • Restriction of data access via document passwords and server access controls
Mechanism for Raising Concerns Related to Personal Information
  • Operation of inquiry channels for personal information protection-related issues, complaints, and remedies through the personal information protection officer and relevant departments
  • Specification of the personal information protection officer and contact information, including phone number and e-mail (Privacy Policy Article 9, Paragraph 1)
Provision of Personal Information to Third Parties
  • Prohibition on provision of personal information to third parties without the data subject’s opt-in or legal basis (Privacy Policy Article 2, Paragraph 1)
Deletion of Personal Information
  • Specification of a two-year retention period in Privacy Policy Article 1, Paragraph 1
  • Specification of deletion procedures and methods for personal information after retention period expiration (Privacy Policy Article 4, Paragraphs 1 and 3)

Security Diagnosis for Subsidiaries

SK Square conducts personal information security and IT security reviews annually to ensure strict security preparedness in its subsidiaries and manage security risks. This process allows us to identify vulnerabilities, recommend improvements, and monitor progress. In 2023, we tightened the criteria for these diagnoses in line with recent legal amendments and conducted security assessments for eight subsidiaries: 11STREET, ONE store, Dreamus, SK planet, TMAP Mobility, Incross, Content Wavve, and FSK L&S. Starting in 2024, we will implement in-depth diagnostics to examine the security management systems at the group level.

Awareness Improvement

SK Square conducts information security training and change management to raise its employees' awareness of information security. We strive to apply the feedback from each training session to the next one so that training takes the characteristics of the employees into account.

Information Security Training Target and Frequency

Category | Training Frequency | Training Target
Information Security Training | At least once a year | Permanent / Contract employees
Malicious Email Simulation Training | As needed | Permanent / Contract employees
Breach response training, such as DDOS simulation training | Annually | Permanent / Contract employees

Performance of Information Security Training

Category | Unit | 2022 | 2023
Percentage of employees participating in information security training | % | 93 | 92
Information security training hours per person | Hour | 1 | 1