Information Security

To manage risk and protect privacy against cyber terrorism and data leakage,
Hyosung Advanced Materials manages data through its information security
organization, in accordance with its information security regulations and operating standards.

Information Security Management System

The Information Security (IS) organization at Hyosung Advanced Materials operates under the supervision of the Chief Information Security Officer (CISO), who has more than five years of experience in information security, including privacy. The security officers, HR Team, General Affairs Team, and Legal Compliance Team work together to increase awareness of the Security Policy throughout the company. In addition, we carry out support activities such as monitoring compliance with information protection and personal information protection regulations. Our holding company's security team, which is composed of specialized security personnel, is in charge of periodic monitoring, risk management, and corrective action requests. The security officer performs security activities and management monitoring, and reports the results to the Security Team, which evaluates, corrects, and manages them.
Information Security Management System
    • Security Officer
    • Operation
    • HR
    • Compliance Support
    • Security team (in Holding Company): Security incident handling, progress report, incident list and handling record management, dissemination and education
    • DT promotion team (in Holding Company): Periodic monitoring, risk management, and corrective action requests
    • Security incident inspection, response
    • Security incident command, management
  • CISO
  • Security incident inspection, response, command, management

Information Security Policy

Hyosung Advanced Materials established the Information Security Policy, which prescribes the roles and responsibilities of each organization, to minimize information security risk. The policy has been posted on the company bulletin boards after approval from top management. We have a systematic process of planning, approval, implementation, and monitoring to effectively carry out the risk mitigation activities prescribed in the Information Security Policy. We monitor the status of applicable laws and changes in requirements at all times to reflect them in the Information Security Policy and in-house regulations. In addition, we monitor the status of amendments to laws to assure that all employee and customer data are safeguarded through our Privacy Policy.
Details of information security by category
  • Security Management
    • Personnel Security
      • Employees security
      • External personnel security
    • Physical Security
      • Physical security plans and control
    • Business Continuity
      • Establish and operate business continuity plans
    • Security Accident Response
      • Security accident response system
    • Personal Data Protection
      • Personal data protection principles
      • Personal data processing standards
  • Security Risk
    • Information Asset Management
      • Roles and responsibilities per each information asset
      • Management of internal information
    • Compliance Inspection
      • Regular inspection on security logs
      • Data protection compliance inspection
    • IT Infra Security Management
      • Authentication and access management
      • Internet and network security management
      • Server security management
      • Application security management
      • DB security management
      • Security equipment and security solution
      • PC security management
      • Mobile security management
  • Security Discipline
    • Reward and Penalty Standards
      • Security discipline procedure and standards
      • Level of security discipline

Key Performance Target

Information security pledge signed by all employees every year

Hyosung Advanced Materials operates a security system that raises awareness of data protection and prevents illegal use and leakage of data to protect valuable technology, personal, and asset data.

Technical Security

Cybersecurity

Cyberattacks such as the unauthorized reading of emails, distribution of hacked e-mails, establishment of infected websites, and spread of malicious code are detected in real time through security controls, and any incident is immediately shared with related departments to minimize damage. Hyosung Advanced Materials protects internal networks with firewalls and installs security programs, such as antivirus, to protect data from ransomware and other malicious attacks. In particular, logs from servers, network equipment, application programs, and security solutions such as firewalls are managed together so that they are stored securely and protected against loss and tampering. Using the security information and event management (SIEM) solution, an alert is triggered immediately when an action exceeds the threshold value, and action is taken immediately. The SIEM rules and threshold values are periodically adjusted. Dedicated managers at each stage review these security logs and upload their opinions to protect internal information and communication networks. The company blocks access to malicious IPs and URLs and protects in-house data from cyber threats by restricting access to non-work-related websites such as P2P lending sites.

Activities to Prevent Cyber Threats

| Area | Details | Management Cycle |
|---|---|---|
| Security logs management | CISO finally checks the details of external mails received, offsite download, and use of external storage media (USB, etc.) after confirmation of team leader | Weekly |
| Information leakage solution | Perform a regular inspection of mail/media sent outside the company that can leak information (e.g. Google Cloud) | Daily |
| IT vulnerability inspection | Inspect key websites and infrastructure equipment for information security vulnerabilities | Yearly |
| Business site vulnerability inspection | Visit each business site to check the status of information security | Applicably |
| Security control | Personnel from third-party security company is stationed to monitor external attacks such as hacking | Frequently |
| Spear-phishing detection | Set keywords related to spear-phishing and monitor mail history | Frequently |

Smart Data Leak Prevention System

Hyosung Advanced Materials' access control system prevents the leakage of our globally competitive technology and trade secrets through intrusion by external users. We block unauthorized access by applying differentiated access control policies for end users and system administrators, allowing only authorized persons to access the intranet. All work histories of internal network users are logged, and accounts are automatically locked when the number of login attempts exceeds a certain count. Hyosung Advanced Materials uses a virtual private network (VPN) to encrypt and protect the communication section when the internal business system is accessed from outside the organization, such as when working from home, traveling, or during a business trip. We minimize the risk of cybersecurity incidents resulting from account data leakage by applying two-factor authentication with a unique one-time password (OTP). Access to the system server is restricted for IP addresses other than those associated with the administrator ID, and OTP verification is required on the server. According to the "Need-To-Know" principle, only those who have been authorized can access the work system via VPN from outside the organization, such as when working from home due to COVID-19 or on business trips. A separate approval process takes place for additional access authority. We record the commands performed on the server to prevent data leakage and swiftly identify the exact account of an incident. In addition, media control programs are used to prohibit the unauthorized copying of files stored on PCs to USB storage devices, and data loss prevention solutions are employed to prevent the unauthorized disclosure of sensitive data such as trade secrets. Files stored on PCs cannot be taken outside the company without prior approval. The history of file transfers and PC usage, including emails, is saved on the server even after the transfers have been approved. This serves as evidence when an employee commits abnormal behaviors. We also control document exports and the saving of documents on PCs, and monitor document distribution, to strengthen document security and reduce the possibility of data leakage and loss.

Physical Security System

Places where unauthorized access by outsiders must be restricted, such as offices and business sites, are designated as protected areas, and access records are managed by installing an ID card or fingerprint-based access system at the entrance. Areas that require particularly stringent access control (e.g. computer rooms) are designated as controlled areas, with security guards deployed or surveillance cameras installed. Taking corporate assets off the premises or bringing in a personal computer or storage media without prior authorization is prohibited.

Centralized Document Management System

Modifying and storing security data is only allowed in our centralized document management system (enterprise content management; ECM), and only approved documents can be exported. Through ECM, we have established a consistent document security policy across all business sites, ensuring visibility throughout the document distribution process. The entire life cycle of a document is managed through the system, and all importing and sharing activities are centrally controlled and monitored by the system. Even when working from home, we provide an environment in which employees can access the centralized document management system and utilize work-related documents with ease, thereby enhancing the efficiency of telecommuting. Only personnel authorized by the team leader according to the IT service request procedure are allowed to access ECM.
  • Enterprise Content Management
    • Centralization: Assetizing Document
    • Systemization: Integrating and Systemizing e-Document
    • Collaboration: Sharing and Utilization
    • One Source Multi Use & Share: Facilitating cooperation through document authenticity management
    • Centralization of Knowledge Asset: Assetizing document & contents
    • Transfer Core-competence & Competitiveness: Accumulating core capacity & competitiveness
    • Security Enhancement & Paradigm Shift: Enhancing security and transition methods
  • Saving control / Export control
    • PC Saving Control: Important documents are not allowed to be saved in individual’s PC; all documents are managed in the ECM system; no possibility of document loss
    • Export Control: Only approved documents are exportable; two-layered control of data-exporting channels (i.e. USB, email, printing, etc.)
    • Document Class Classification: Defining class depending on importance of a document; defining search and access rights by document class
    • Access Control by Role: Defining the scope of work by user role; preventing access right to documents uncontrolled by system operator
    • Log Analysis: Log history management over all document-related actions; periodic sampling focusing on major departments/users and users showing abnormal behavior pattern, investigation/countermeasures of abnormal behavior

Compliance with Document Retention Period

Hyosung Advanced Materials stipulates the retention period of documents in accordance with its document management regulations and standards. We guide employees to discard expired documents and prevent data leakage during disposal.

Internalization of Security and Raising Security Awareness

Every year, Hyosung Advanced Materials conducts information security training for employees both online and offline, including awareness training on information breaches, personal data protection, customer data protection, and sharing of data breach cases, to enhance security awareness. Online training is provided to all employees once a year, and additional offline training is conducted once a year for the designated information security staff of all teams. In addition, we inform employees of relevant regulatory updates and notifications through e-mail and company bulletin boards. We also improve accessibility to related education sources by creating pop-up windows announcing information security notices so that employees read the notice at least once a day when they log on to the company's IT platform.
Security training subjects and cycle
All employees and information security managers
  • Announcement via email/internal bulletin
  • Pop-ups in Groupware platform
  • Online training for all employees

Protection of Stakeholder Data

  • Privacy & Information Processing Policy

    In the process of collecting, using, and providing the data of employees, customers, and other stakeholders, Hyosung Advanced Materials goes to great lengths to safeguard the data so that data providers can enjoy our services without any concern. By allowing everyone to see the consent to the collection and use of personal data, we establish a business ecosystem that benefits both companies and data subjects.

  • Personal Data Protection of Stakeholders

    When collecting personal data of employees, customers, and partners, the data are collected only upon obtaining their consent, which includes items to be collected, the retention period, and the provision of the data to a third party. In addition, to store only necessary data, unused data are destroyed after a certain period of time. We keep the access logs of personal data to regularly check whether data whose retention period has expired are completely destroyed. When destroying personal data, we analyze if they have any chance of affecting other systems. We notify the data provider before destroying data to build a trustworthy relationship. In particular, we monitor any amendments made to applicable laws to reflect the changes in our policies, and we conduct personal data protection training once a year for personnel in charge of personal data handling.

  • Regular System Checkup

    All systems that contain personal data, such as websites and personal databases, undergo vulnerability tests regularly, and we conduct inspections and training of all departments, employees, and consignors who handle personal data. We continue to strengthen related processes so that employees can recognize the importance of personal data protection and utilize related policies and regulations in practice. Since 2021, we have voluntarily taken out liability insurance to fulfill our responsibility for damages in the event of personal data leakage.

  • Transparent Information Disclosure

    Hyosung Advanced Materials guarantees shareholders' rights to know and take part in disclosures to promote voluntary investment in information security. The status of information security, such as investment, workforce, certification, and activities, is disclosed for the safe use of the internet by various stakeholders.

Effective Information Security Risk Management

Information and Security Risk

Hyosung Advanced Materials has established and applied a systematic information security management system to protect all business-related trade secrets, core technologies, R&D information, customer information, and personal information. In order to respond to external infringements, we implement security management at all times or on a regular basis for the office area and process facility area through administrative/physical control. In addition, in order to prepare for external security attacks, including hacking, in real time, we regularly inspect security vulnerabilities, conduct mock hacking, and implement related training for employees to continuously improve our security level and response capabilities. Hyosung Advanced Materials provides information security education to employees at least once a year to raise awareness among employees about security.
Security risk management method
Control
  • Administrative Control

    Security risk control through policy controls, documented controls, formalized procedures, standards and guidelines (i.e. risk assessment, security management regulations, privacy protection, security incident response guidelines, etc.)

  • Physical Control

    Monitoring and control of workplaces or computer devices through controlled door systems, locks, surveillance cameras, security guards, network separation, etc.

  • Access Control

    Access control using software and specific data, including passwords, firewalls, intrusion detection systems, access control and data encryption for monitoring and control of information systems

  • Environmental Control

    Establishment of measures to prepare for and recover from environmental hazards (natural disasters, fires, power outages)

Security
  • Network Security

    Daily/weekly/monthly monitoring of network traffic using firewalls, filters, VPNs, and IDS to detect malicious behavior such as denial-of-service attacks (DDoS attacks), port scans, computer cracks, hacking, etc.

  • Data Security

    Protection of data through monthly updates of access rights and checks of information export and import through the document security system

Information Security Vulnerabilities Check

When an information system is introduced or changed, Hyosung Advanced Materials reviews the system beforehand to minimize any security risk. When network control policies are modified, such as when a web server is opened to the public, security reviews are also carried out to prevent unauthorized access. In particular, annual security vulnerability inspections are performed on information systems such as servers, network equipment, and application programs, and any vulnerabilities found are patched.

Security Accident Response Process

According to the operating standard for security incident response, Hyosung Advanced Materials classifies incidents into eight categories: (1) Leakage, alteration, or damage of confidential or personal data; (2) Leakage, stealing, and destruction of information assets; (3) Service stops or delays due to malicious code; (4) Attacks against or intrusion into the company's information system by an unauthorized individual; (5) Misuse of internal resources by an insider or authorized outsider; (6) Attacks that make the information system reject the service (e.g. DDoS attack); (7) Unauthorized intrusion into a physically restricted area or internal computer network; and (8) other infringement incidents. We maintain a professional organization that can provide immediate support in case any security incident takes place. The Computer Emergency Response Team (CERT) quickly takes action and manages the emergency communications network. In the event of a security incident, the case is handled in accordance with the Security Incident Response Standards, which also include five-step response procedures.
  • Step 1
    • Recognition of accidents through constant monitoring: The department in charge of information security monitors the occurrence of security accidents at all times in accordance with the security accident response
  • Step 2
    • Rapid assessment and response planning: Assess the type and severity of security accidents. Severity is divided into 4 categories, and an appropriate response organization and plan are established
      • Attention
      • Warning
      • Alert
      • Serious
  • Step 3
    • Active accident response activities: Response by the person in charge of the server, network, PC, or application, with support from other relevant employees, and measures according to severity
      • Business Continuity Plan Management
      • Backup Measure
      • System Failure Measure
      • Emergency Measure
  • Step 4
    • Security incident recovery and transparent reporting: Analyze security accident details, response performance, and results, and preserve the evidence. Then report all the details of the accident directly to the CISO.
  • Step 5
    • Security incident response assessment & improvement
      • Conduct security accident response assessment involving the entire information security organization
      • Vulnerability checks to prevent recurrence
      • Measures to prevent recurrence are distributed to all employees as part of training. Violators are penalized during regular performance evaluation according to the security disciplinary operating standards

Information Security Risk Assessment and Scenario-based Training

Hyosung Advanced Materials established a risk assessment plan that corresponds to the Business Continuity Operating Standards so as to identify and list information assets and assign an importance rating to each asset. Since 2021, we have been measuring risks that may arise from each asset to establish a strategy to deal with those risks, and conducting regular re-evaluations and simulation exercises to assess information security risks. Risk assessment is conducted on a regular basis according to the likelihood, impact, and vulnerability level of information security status. We prevent security incidents that may occur in the most vulnerable areas, as well as conduct IT security exercises and distribute the response guideline. To prevent security incidents such as hacking, we collect information on domestic and global intrusions through an external security company to prevent similar incidents and execute security control 24/7.

Information Security Consultation and Treatment

Employees are encouraged to report any internal data leaks and pre/post-security risks, as well as any inconvenience or questions while using internal systems, to the IT Inquiry Center, the Security Team, or the dedicated Information Security TF. As cyberattacks diversify into forms such as hacking, viruses, personal data infringement, and illegal spam, Hyosung Advanced Materials operates an integrated counseling system called the "Whistleblowing Center" to minimize inconvenience caused to various stakeholders, including customers, partners, and employees.