Information security issues are constantly evolving as a result of changes in business and information technology. Hence, companies are responsible for actively strengthening their information security systems in order to effectively address evolving information security threats.

Considering that information is not a tangible asset, information itself has value, and the nature of conducting business while sharing information within and outside the organization, it is essential to identify information flow in the course of work and identify information security risks. Moreover, it is crucial to pinpoint precisely where risks may occur.

Information security policy and system

• We established the Information Security Policy outlining the responsibilities and roles of each organization, approved by the top management. We have posted the policy company-wide in order to minimize information security risks to our businesses.
• Our planning, approval, execution, and monitoring process effectively carries out the risk mitigation activities outlined in our Information Security Policy.
• Changes in domestic and international laws and requirements pertaining to information security are monitored and reflected in information security policy and system.

• Security management
  • Human resource & physical security
  • Task continuity
  • Response to security incidents
  • Privacy protection
  • Information asset management
• Monitoring
  • Information security compliance checks
  • IT infrastructure security management
• Security discipline
  • Security discipline operating standards

Information security organization (holding company)

• As an organization committed to information security, there is a security team consisting of a Chief Information Security Officer (CISO) with more than five years of experience in the field of information security and information security staff at the entry level.
• Each business site has a business site security manager and each team a team security manager, and they work together to ensure that the information security policy and activities are effectively implemented in the field. Security managers serve as a conduit for receiving information security issues and incidents from the field.
• For issues requiring support from related departments, we convene a (temporary) information security council meeting comprised of HR, general affairs, legal affairs, and IT departments. Here, the roles and responsibilities of each department are clearly defined so that they can work in cooperation.

Information security organization (business company)

• A CISO and a security manager are designated to oversee both information security and other responsibilities, and these individuals collaborate with the security team of the holding company to ensure that the holding company's information security policy is effectively implemented within the business company.
• Each business site has a business site security manager and each team a team security manager, and they work together to ensure that the information security policy and activities are effectively implemented in the field. Security managers serve as a conduit for receiving information security issues and incidents from the field.
• For issues requiring support from related departments, we convene a (temporary) information security council meeting comprised of HR, general affairs, legal affairs, and IT departments. Here, the roles and responsibilities of each department are clearly defined so that they can work in cooperation.

Increasing awareness of information security among employees

• All employees are subject to online information security training which is conducted each year, and security managers at each department receive offline training annually. Internal bulletin and groupware pop-ups are used to disseminate the updated information security policy and security incident prevention regulations.
• We promote awareness-raising activities to prevent security incidents, such as simulating email attacks every six months to train on how to respond to suspicious emails.

  Type	Target	Cycle
  Announcement via email/internal bulletin	All employees	Occasional
  Pop-ups in groupware platform	All employees	Daily
  Offline manager training	Information security managers at each department	Yearly
  Online training for all employees	All employees	Yearly

• In order to increase awareness of information security, new hires and prospective retirees are required to sign a pledge to protect sensitive data.

Privacy

• We continuously monitor the status of amendments to laws concerning privacy and respond accordingly.
• We provide personal data handlers with privacy training once a year.
• We strive to ensure the security of personal data held by our organization by maintaining access logs of such data and performing periodic audits to determine whether data whose retention period has expired has been deleted.

• Go to Privacy & Information Processing Policy

Designation and management of protected areas

• Offices, research institutes, factories, etc., are designated as protected areas where unauthorized access is restricted, and access records are managed by installing an ID card or fingerprint-based access system at the doors.
• Areas that require particularly stringent access control (e.g. computer rooms) are designated as controlled areas, with security guards deployed or surveillance cameras installed.
• It is prohibited to carry out corporate assets or carry in a personal computer or storage media without prior authorization.

Regular security surveillance and response to security incidents

• In order to prevent cybersecurity incidents such as hacking, the security team and dispatched personnel from companies specializing in security control conduct 24-hour surveillance.
• Information on domestic and foreign infringement incidents is input into Hyosung's security equipment to prevent similar occurrences, and anomalies are promptly identified through real-time monitoring.
• A security incident response procedure and an emergency communications network are established to provide a system for responding quickly to security incidents in accordance with the established procedures.

Access control

• Hyosung prevents unauthorized access by employing distinct access control policies for general users and system administrators.
• When accessing the internal business system from outside the organization, such as when working from home or traveling, the communication section is encrypted and protected by VPN. Risk of cybersecurity incidents resulting from account data leakage is also reduced by implementing two-factor authentication with a unique one-time password (OTP).
• In addition to operator ID, IP address restrictions and OTP authentication are implemented for server access to the information system, and all server-executed commands are recorded to prevent security incidents and quickly identify their causes.

Integrated log management

• Logs generated by security solutions such as servers, network equipment, application logs, and firewalls are managed cohesively in order to prevent log loss and tampering and securely store logs.
• Using the security information and event management (SIEM) solution, an alert is immediately triggered if an action exceeds the threshold value, followed by an immediate action. The SIEM rule and threshold value are periodically adjusted.

Security review and vulnerability assessment

• Risks are minimized through security review procedures when introducing and changing information systems.
• Even when network control policies are modified, such as when the web server is opened to the public, security reviews are carried out to prevent unauthorized access.
• Information systems such as servers, network equipment, and application programs are inspected annually for security flaws, and any found are patched.

Safe PC use

• Security programs such as antivirus are installed on the user's computer to protect against ransomware and other malicious code attacks.
• The company blocks access to malicious IPs and URLs and restricts access to non-work-related websites such as P2P lending sites.
• In addition, media control programs are used to prohibit the unauthorized copying of files stored on PCs to USB storage devices, and data loss prevention solutions are employed to prevent the unauthorized disclosure of sensitive data such as trade secrets.

Centralized document management system

• Hyosung reduces document search times and eliminates document sharing and collaboration restrictions. In 2019, we implemented enterprise content management (ECM) to support advanced work process and eliminate the possibility of information leakage during document distribution. Through ECM, we have established a consistent document security policy across all business sites, ensuring visibility throughout the document distribution process.
• Even when working from home, we provide an environment in which employees can access the centralized document management system and utilize work-related documents with ease, thereby enhancing the efficiency of telecommuting.
• We apply the "Need-To-Know" principle to restrict access to documents by unauthorized personnel, and provide a function that enables the specification of additional access rights.
• When taking documents out of the company, a control procedure is implemented to prevent unauthorized removal.

Enterprise content management (ECM)

1. Document assetization
2. Integration and systematization of electronic
   documents
3. Sharing and utilization

• Facilitating
  collaboration through document authenticity management
• Assetization of documents and/or content
• Accumulation of
  core capacity and
  competitiveness
• Enhancement of
  security
  and
  transition methods

Controlling document
saving and exports

• Implementation of
  document
  export
  control system

  • PC saving control

    • Important documents are not allowed to be saved in individual’s PC
    • All documents are managed in the ECM system
    • Elimination of the potential for document loss

  • Export control

    • Only approved documents are exportable
    • Two-layered control of data-exporting channels (i.e. USB, email, printing)

• Implementation of
  role- and
  document-
  level access control

  • Document class classification

    • Definition of class depending on importance of a document
    • Definition of search and access rights by document class

• Implementation of
  document
  monitoring
  system

  • Access control by role

    • Definition of task scope for each user role
    • Prevention of uncontrolled document access sources for system operators

  • Log analysis

    • History (log) management over all document-related actions
    • Periodic sampling of key departments/workers and abnormal users, identification of abnormal behaviors/measures

Establishment of an external cooperation system

• Hyosung has partnered with the Korean Association for Industrial Technology Security (KAITS), which offers member companies services such as conferences, newsletters on the newest security trends, security training, and security consulting. Through continuous exchange and cooperation with KAITS and its member companies, we intend to prevent technology leakage, improve the level of response to security incidents, and implement security policies that are consistent with government policies and global trends.
• In 2021, the Minister of Trade, Industry, and Energy presented us with a commendation on "Industrial Technology Protection Day" in honor of our efforts to protect industrial technology.