The company complies with legal and regulatory requirements, ensuring the protection of information assets from internal and external security threats through the implementation of personal data protection practices, as outlined in this policy.
The company aims for zero occurrences of data breaches, safeguarding both information assets of the company and personal data of clients.
Data Protection Officer (DPO) and Data Protection Structure
An executive with expertise in IT and data protection is appointed as the Data Protection Officer (DPO), responsible for overseeing and guiding data protection efforts.
The DPO establishes and continuously improves a data protection framework, ensuring its effectiveness through regular evaluation.
To assist, the DPO designates a Data Security Supervisor with relevant knowledge and experience among team leader-level managers to manage data protection tasks, also appointing area-specific leaders (personnel, physical, and technological security) to ensure comprehensive oversight.
Additionally, the DPO organizes a security audit team to inspect the implemented policies and ensure compliance with relevant regulations, such as the Personal Information Protection Act. This team addresses any gaps identified during audits, ensuring that corrective actions are applied and monitored for continuous improvement.
Information Assets and Information Systems Protections
Access to the company's information systems is granted based on job necessity, and is adjusted promptly when personnel changes occur. Users must change their passwords at least quarterly to maintain security.
To prevent unauthorized access, the company implements account and access control policies and employs various security technologies.
These include network segmentation (internal and external), restricting IP access between internal and external networks, and intrusion prevention systems to block unauthorized attempts.
Personnel Security Measures
To prevent information leakage, the company regularly provides data protection training, fostering security awareness among employees. Employees must comply with internal security protocols throughout their tenure.
When outsourcing tasks, access to information assets is limited to the minimum necessary, and upon the conclusion of the outsourced worker’s engagement, the company applies the same security measures as for departing employees.
Physical Security Measures
The company safeguards its information assets from unauthorized physical access, natural disasters, or other environmental risks by designating secure areas within its facilities. Access to these areas, such as reception zones and restricted or controlled spaces, is managed via access control devices and monitored with surveillance cameras.
Employee Security Responsibilities
Employees must adhere to the company's data protection policies when using office equipment, internet, email, and shared devices. They are required to set strong passwords for office computers and run regular antivirus scans to ensure systems remain secure.
Employees should not install unauthorized software or download files from unknown sources. Any suspicious emails should be reported immediately, unopened, to avoid security risks.
To prevent data leakage, employees are prohibited from using external email services, instant messaging platforms, or cloud storage services that are not authorized by the company.
Personal Data Protection
To safeguard the personal data of both clients and employees, the company assigns a Personal Data Protection Manager (PDPM) to oversee all personal data-related activities.
The PDPM establishes protocols to prevent data corruption, leakage, or unauthorized provision of personal data. Technological protections include access controls for data processing systems, access logging, and data encryption.
Employees with access to personal data receive annual training on relevant laws, internal policies, and procedures for handling data breaches. If any deficiencies are identified during monitoring, corrective plans must be developed and implemented under the leadership of responsible team heads.
Data Security Incident Response
To respond promptly to potential data breaches, the company has established an incident response protocol.
In the event of a breach, the DPO convenes the Data Security Incident Response Team to analyze the incident, report to relevant authorities, and implement measures to contain and resolve the issue. The team identifies the extent of the breach, eliminates the cause, and ensures recovery. Post-incident, the DPO enhances the response system and introduces measures to prevent recurrence.
Management of Information Protection Policy
The DPO is responsible for creating detailed guidelines to enforce this policy, which is regularly reviewed to ensure its validity.
Changes in organizational strategy, the enactment or amendment of information protection-related laws, and material changes in the broader security environment are reflected in the Information Protection Policy and its guidelines, which may be created or amended if deemed necessary upon a validity review, signed off by the Representative Director.
Operational Activities | Execution Plans | Schedule
---|---|---
Security Audit and Personal Data Protection | Conduct end-user security audits and ensure compliance with personal data protection policies | Four times a year
Security Audit and Personal Data Protection | Review the personal data collected and lawful consent receipts; check the personal information disposed of | 2Q / 3Q
Protection of Information Assets | Strengthen monitoring of the data exported from the D-cloud server | Quarterly
Protection of Information Assets | Tighten monitoring of personnel authorized to export data from the D-cloud server | Quarterly
Protection of Information Assets | Conduct malicious email simulation drills (aligned with HD) | 3Q
Information Protection Training for All Employees | Provide training for first-line managers on their security responsibilities | H1
Information Protection Training for All Employees | Deliver company-wide online data protection training | H2
Public Disclosure of Information Protection | Disclose information related to information protection investments and engagement in 2022 | June