
Information Security

SK Square promotes the establishment and dissemination of information security principles, the operation of an information security organization, and information security training in order to protect the company’s information as well as that of customers.

Information Security Policy

SK Square has established and shared the Information Security Regulations to protect the business and customer information collected during the business process. The Information Security Regulations apply to all employees and include the principles for internal information management and cyber security compliance, and stipulate information security management system operating standards for systematic management of information assets.

Information Security Regulations

  • Information security management system operating standards for systematic management of information assets, etc.

Information Security Organization

SK Square has appointed an executive-level Chief Information Security Officer (CISO), who oversees and manages duties related to the company's information security, including the establishment of information security policy, organization and operation of the Information Security Committee, analysis and management of risks, and response to security incidents and recovery.

[Organization chart] CEO; Information Security Committee; Information security organization head (executive); HR Team Leader; Legal Affairs Team Leader; Ethical Management Team Leader; IT Manager; CISO; Information security organization head (executive); IT Manager; Information Security Personnel; Physical Security Manager; IT Project Leader; Information Security Project Leader; Physical Security Project Leader

Information Security Incident Response System

SK Square operates the Information Security Incident Response System to specify procedures and responsibilities for responding to information security incidents and customer information breaches, take prompt measures and minimize risks to the company.

Phased Information Security Incident Response System

Incident recognition
Action Plan
  1. Report the incident to the head of the department and the information security department immediately upon recognizing the incident.
  2. The information security department immediately notifies the Chief Information Security Officer (CISO) and the head of the department in charge upon recognizing the incident, and the CISO immediately notifies the relevant department / company managers, such as the CEO and holding company executive.
Incident response
Action Plan
  1. When confidential / personal information is exposed, immediately restrict the service and exposure route, switch to service standby, and eliminate the cause.
  2. The information security department first determines the level of incident impact and severity, and after disseminating the situation to the target according to the severity level, a comprehensive information security control room (hereinafter referred to as the “control room”) is formed.
  3. In case of Severity 1 or 2, the information security department should report the impact and response status to the CISO.
  4. The situation manager should identify the breach damage and the scope of impact, establish a recovery plan, take action promptly, and report the incident damage and action results to the CISO.
  5. The information security department should analyze the cause of the breach and implement technical and administrative measures.
  6. If necessary depending on the damage and impact, the CISO operates a company-wide security incident response organization through consultation with the head of the company-wide RM organization and reports the progress and results to the CEO.
  7. When external cooperation is required, such as with the government or investigative agencies, the CISO designates a communication department, and the communication department reports progress and results to the CISO.
Follow-up management
Action Plan
  1. The information security department shares the result report with related organizations and employees and reports the plan to prevent recurrence of similar incidents to the CISO.
  2. If necessary, prepare guidelines for prevention of recurrence and distribute and share them with our affiliates and those companies in which we have invested.

Status of Information Leakage Damage

Number of data leaks or breaches
Unit: Case
2021: 0
2022: 0
2023 Target: 0

Roadmap for Improving Information Security Incident Response System

2023~2024: Stabilize information security system
  • Establish information security system
  • Obtain information security certification
2025~2026: Improve information security system
  • Raising Employees’ Information Security Awareness
  • Continuing to achieve zero information leakage incidents
2027~: Secure a global-level information security management system

Information Security Monitoring

SK Square carries out information security monitoring activities to check compliance with the information security policy and processes and whether information security activities are implemented.

Information Security Monitoring Activities

[Diagnosis & Audits]
Diagnosing security policy and process implementation
Security diagnosis for information system
Audits of information security policies and systems by the group audit organization once a year
[Training & inspection]
Breach response training such as DDoS simulation training
Detection of events such as malicious mail and malicious code inflow
Mail security, file import / export, print security check
PC security check

Status of Information Security Incident Response Training and Monitoring

Company’s own information security training sessions
Unit: Session
2021: -
2022: 1
Company’s own information security monitoring / checks
Number of detected events* (Unit: Event)
2021: -
2022: 752
Number of actions taken for issues (Unit: Action)
2021: -
2022: 7

* Large file upload / download, server communication, etc.

Awareness Improvement

SK Square conducts information security training and change management to raise its employees' awareness of information security. We strive to ensure that training feedback is applied to the next training in order to conduct training in consideration of the characteristics of the employees.

Performance of Information Security Training

Percentage of employees participating in information security training
Unit: %
2021: -
2022: 93
2023 Target: 100
Information security training hours per person
Unit: Hour
2021: -
2022: 1
2023 Target: 1