Creating Future Value through Transparent Management
SK networks is acutely aware of the importance of security for personal information and IT services and safely protects the company's and customers' information. We have various measures in place to prevent complaints related to corporate data leakage or theft, personal information leakage or theft, and information protection, including but not limited to: information security instructions and guidelines; an organization dedicated to information protection tasks; a working-level consultative body joined by the CISO (Chief Information Security Officer) and CPO (Chief Privacy Officer); and employee training on information protection.
SK networks revised its regulations on personal and company information protection so that all personal information it handles is managed thoroughly and protected safely in accordance with the revision of the three data-related government bills. The revised regulations reflect the disciplinary action for information management that was strengthened following the liberalization of employees' PC usage, and the personal information of all stakeholders, including employees, external company employees, and visitors, is managed under this regulation. In addition, we protect valuable information assets by preventing damage, forgery, alteration, falsification, and leakage through the regulations and rules of IT service/security management. The regulations apply to all divisions, employees, and partners related to the information and to the systems that collect, process, handle, send, store, and manage the information, in order to secure safety from various threats.
SK networks has obtained and maintained ISMS and PIMS certifications, which have been legally required since 2015, and plans to newly apply for and acquire ISMS-P1) certification, an integrated certification system, as the existing certifications expire in 2021. We have established information asset identification and risk management plans for this and routinely carry out a series of activities related to vulnerability diagnosis, risk assessment, risk control measures, recurrence prevention, and employee training. The company's 3-year goal is to acquire ISMS-P certification in 2021 and maintain the certification through 2022 and 2023. We also aim to keep our level of compliance with the Group Security Guideline, SK group's standard security guideline, higher than the average among the affiliates.
1) ISMS-P (Personal Information & Information Security Management System)
- Legal grounds: Article 47 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., Article 32.2 of the Personal Information Protection Act, and enforcement decrees, enforcement rules, public announcements of applicable acts.
- Certification agency: Korea Internet & Security Agency (KISA) / an agency designated by the Ministry of Science and ICT
- Certification criteria: Assessment on sustained management system operation for 102 certification items
- The above certification is mandatory for companies in the Information & Communication Services sector with the previous year's sales over KRW 10 billion or more than 1 million daily users on average during the most recent 3 months.
CISO/CPO Working Group
SK networks has designated a dedicated CISO* at the executive level, who is prohibited from concurrently holding positions other than information protection. We also operate an Information Security Center that specializes in information protection. The CISO/CPO* Business Council meets on a quarterly basis to discuss essential information protection policies and share significant issues. We are improving the security level of subsidiaries through regular meetings with the CISOs of major subsidiaries such as SK magic and SK rent-a-car and through level diagnosis based on the SK Group's security guidelines.
*CISO: Chief Information Security Officer
*CPO: Chief Privacy Officer
*Reporting Procedure: Incident Perceiver → Senior Team Manager & Personal Information Management Division Officer → Senior Team Manager & Risk Management Division Officer → CPO & Team Manager/Executive of Relevant Division → CEO & Executive in charge of Holding Company
SK networks abides by the Personal Information Breach Response Guideline and the Intrusion Incident Response Rules to respond promptly to security incidents. The incident perceiver must immediately report to the person in charge, who takes action based on the severity of the incident. We then identify the cause and impact of the incident to take preventive measures, and impose disciplinary action based on the violator's intent and the extent to which the company was affected by the behavior.
SK networks publishes its information security regulations so that all employees can raise their awareness, and conducts information security training for employees every year. In 2020, we linked the information security training to the company education platform mySUNI to conduct the training online. We internalized the importance of personal information protection and the security system by allowing employees who did not receive training offline to review the training materials online. In addition, we prevent information security risks and promote compliance with obligations related to personal information protection by training Walkerhill employees on the importance of personal information protection, the applicable laws and regulations, and the collection, use, and provision of personal information.