Hyosung Group’s Information Security
Hyosung Corporation proactively operates an information security system to prevent financial damage and cyber reputational risk caused by information leakage, hacking, and other security incidents.
A Chief Information Security Officer (CISO) leads a dedicated team to establish information security policies and prepare response processes for potential incidents.
An Information Security Center allows stakeholder participation and, along with a central control system, integrated log management, and security monitoring, helps professional personnel protect the company’s critical information assets.
In addition, Hyosung Corporation promotes a security-embedded organizational culture through information security training for employees, partnerships with external related institutions, and security-related investments and public disclosures on security measures.
The company also ensures transparency by publicly disclosing the details of these efforts.
Information Security Governance
Information Security Governance Structure

- Board of Directors
  - Ultimate oversight and management of information security
- Head of the ESG Management Promotion Committee (CEO)
  - Approves information security policies and activities
- CISO (Chief Information Security Officer)
  - Holds professional responsibility for information security
- Security Team
  - Dedicated experts in information security
  - Plans and executes information security activities
- Security Officers by Site/Department
  - Support security team activities
  - Support the activation and implementation of the information security system at each business site and department

- Hyosung Corporation promotes information security initiatives under the supervision of the Chief Information Security Officer (CISO), who is appointed by the CEO. A dedicated Security Team, composed of information security professionals, is responsible for developing security policies, planning security improvement activities, and conducting information security training for employees.
- The Security Team works in collaboration with security officers assigned to each business site and department to effectively disseminate and embed information security practices, while continuously enhancing employee awareness of security.
- Additionally, Hyosung Corporation operates an Information Security Council, in coordination with the security units of its operating companies, to strengthen synergy in security activities across the entire group.
Information Security Policy
Hyosung Corporation has established information security regulations and manages them through a policy framework composed of 9 operational standards and 10 implementation guidelines.
Policy Type | Details |
---|---|
Security Regulations | Establish principles for the protection and safe use of information assets |
Operational Standards | Includes personnel security, information asset management, business continuity, incident response, compliance checks for information protection, personal data protection, physical security, IT infrastructure security, disciplinary actions related to security, and management of video surveillance systems |
Implementation Guidelines | Internal management of personal data, secure USB management, security log review, conducting security audits, disciplinary management for security audit violations, management of video surveillance equipment, sealing of hard disk drives, control of camera usage on mobile devices, response to security incidents |
Information Security Incident Response Process
Hyosung Corporation has established and operates an incident response system to ensure swift action and minimize damage in the event of an information security incident, such as a personal data breach.
All response outcomes are reported to the Chief Information Security Officer (CISO), who is responsible for overseeing cause analysis, corrective actions, and follow-up measures.
Parties involved:

- Security monitoring team, IT system administrators, collaborating users
- Security operations team, security team
- CEO, CISO
- External bodies, cybersecurity agencies

Process steps:

1. Detect the incident
2. Report the incident
3. Identify the circumstances of the incident
4. Assess severity
5. Submit the first report
6. Determine the need for external cooperation
   - Cooperation
7. Create a security incident analysis team
8. Analyze the incident
9. Establish preventive measures
10. Implementation and monitoring
11. Maintain incident records
12. Reporting of incidents
13. Preparation of incident report
14. Result submission


Designation and management of protected areas
Offices, research institutes, factories, etc., are designated as protected areas where unauthorized access is restricted, and access records are managed by installing an ID card or fingerprint-based access system at the doors.
Areas that require particularly stringent access control (e.g. computer rooms) are designated as controlled areas, with security guards deployed or surveillance cameras installed.
The unauthorized removal of company property or introduction of personal computers or storage media without prior authorization is prohibited.
Access control
Hyosung prevents unauthorized access by employing distinct access control policies for general users and system administrators.
When the internal business system is accessed from outside the organization, such as when working from home or traveling, the communication channel is encrypted and protected by a VPN. The risk of cybersecurity incidents resulting from account data leakage is also reduced by implementing two-factor authentication with a unique one-time password (OTP).
In addition to operator ID, IP address restrictions and OTP authentication are implemented for server access to the information system, and all server-executed commands are recorded to prevent security incidents and quickly identify their causes.
Centralized document management system
- Document assetization
- Integration and systematization of electronic documents
- Sharing and utilization



- Facilitating collaboration through document authenticity management
- Assetization of documents and/or content
- Accumulation of core capacity and competitiveness
- Enhancement of security and transition methods
- Implementation of document export control system
- Implementation of role- and document-level access control
- Implementation of document monitoring system
- PC saving control
  - Unable to store critical documents on PC
  - All documents are managed in the ECM system
  - Elimination of the potential for document loss
- Export control
  - Only approved documents are exportable
  - Dual management of outgoing channels (e.g. USB, e-mail, printing)
- Document class classification
  - Definition of class depending on importance of a document
  - Definition of search and access rights by document class
- Access control by role
  - Definition of task scope for each user role
  - Prevention of uncontrolled document access sources for system operators
- Log analysis
  - History (log) management over all document-related actions
  - Periodic sampling of key departments/workers and abnormal users, identification of abnormal behaviors/measures

- Hyosung reduces document search times and eliminates document sharing and collaboration restrictions. In 2019, we implemented enterprise content management (ECM) to support advanced work processes and eliminate the possibility of information leakage during document distribution. We have thereby established a consistent document security policy across all business sites, ensuring visibility throughout the document distribution process.
- Even when working from home, we provide an environment in which employees can access the centralized document management system and utilize work-related documents with ease, thereby enhancing the efficiency of telecommuting.
- We apply the "Need-To-Know" principle to restrict access to documents by unauthorized personnel, and provide a function that enables the specification of additional access rights. When taking documents out of the company, a control procedure is implemented to prevent unauthorized removal.
Information Security Risk Assessment and Corrective Actions
- Hyosung Corporation conducts annual risk assessments to prevent information security incidents and protect both tangible and intangible internal assets.
- In 2024, in consideration of the company's high IT dependency and external hacking threats, a risk assessment was performed on key IT infrastructure such as servers, databases, and networks. In addition, a separate evaluation was made on externally exposed web systems, including the company website and groupware platforms.
- As a result of the assessment, vulnerabilities such as lack of documentation were identified in some systems. Corrective actions, including documentation improvements, were implemented in phases, and a management plan was established accordingly.
Personal Information Security
Personal Information Protection
We continuously monitor the status of amendments to laws concerning privacy and respond accordingly.
We provide personal data handlers with privacy training once a year.
We strive to ensure the security of personal data held by our organization by maintaining access logs of such data and performing periodic audits to determine whether data whose retention period has expired has been deleted.
Personal Information Protection & Privacy Policy Infographic Disclosure
Hyosung Corporation continuously monitors amendments to the Personal Information Protection Act and other relevant regulations, and regularly reviews and updates its own personal data processing policies to ensure compliance.
To help customers and other stakeholders better understand its privacy policy, Hyosung Corporation presents the content in the form of infographics, making it easier to intuitively grasp details such as the purpose of data collection, methods of use, and data disposal procedures.
- Collection
- Use
- Provision
- Destruction
Information Security Activities
Regular Security Surveillance and Response to Security Incidents
In order to prevent cybersecurity incidents such as hacking, the security team and dispatched personnel from companies specializing in security control conduct 24-hour surveillance.
Information on domestic and foreign infringement incidents is input into Hyosung's security equipment to prevent similar occurrences, and anomalies are promptly identified through real-time monitoring.
A security incident response procedure and an emergency communications network are established to provide a system for responding quickly to security incidents in accordance with the established procedures.
Internal Reporting & Monitoring via Information Security Center
Since 2024, Hyosung Corporation has operated an Information Protection Center to receive reports on issues such as spear phishing and malware. All reported cases are followed up promptly to prevent further spread. If a security incident occurs or is suspected, employees must report it to the center immediately.
The company shares phishing cases via internal bulletin boards and provides guidance on how to use the center.
Safe PC Use
Security programs such as antivirus are installed on the user's computer to protect against ransomware and other malicious code attacks.
The company blocks access to malicious IPs and URLs and restricts access to non-work-related websites such as P2P lending sites.
In addition, media control programs are used to prohibit the unauthorized copying of files stored on PCs to USB storage devices, and data loss prevention solutions are employed to prevent the unauthorized disclosure of sensitive data such as trade secrets.
Integrated Log Management
Logs generated by servers, network equipment, applications, and security solutions such as firewalls are managed in an integrated manner to prevent log loss and tampering and to store logs securely.
Using the security information and event management (SIEM) solution, an alert is triggered immediately when an action exceeds the threshold value, and a response follows immediately. SIEM rules and threshold values are periodically adjusted.
Increasing Awareness of Information Security Among Employees
Type | Target | Cycle |
---|---|---|
Announcement via email/internal bulletin | All employees | Occasional |
Pop-ups in groupware platform | All employees | Daily |
Offline manager training | Information security managers at each department | Yearly |
Online training for all employees | All employees | Yearly |
All employees are subject to online information security training which is conducted each year, and security managers at each department receive offline training annually. Internal bulletin and groupware pop-ups are used to disseminate the updated information security policy and security incident prevention regulations.
We promote awareness-raising activities to prevent security incidents, such as simulated email attacks conducted every six months to train employees on how to respond to suspicious emails.
In order to increase awareness of information security, new hires and prospective retirees are required to sign a pledge to protect sensitive data.
Security Review
Risks are minimized through security review procedures when introducing and changing information systems.
Even when network control policies are modified, such as when the web server is opened to the public, security is reviewed to prevent unauthorized access.