Digital Responsibility

Information Security Policy

Samsung SDS has established and operates an information security management system standard complying with legal obligations to protect all the information assets by reducing internal and external security risk factors.

Samsung SDS HQ presents standards to overseas corporations and subsidiaries so that they can establish and operate information security policies considering the business environment of each country and company within the basic policy of Samsung SDS' security policy.

• A. Security Policy Management

  Samsung SDS has established and operated security regulations and guidelines that all employees must comply with to reduce security risks and maintain the consistency of security controls throughout the organization. Samsung SDS defines basic principles in its security regulations and operates an information security guideline that present detailed implementation standards according to the principles defined in regulation. The policy applies to all personnel with access to in-house information assets and systems, including physical assets. In order to reflect changes in legal requirements, business characteristics, and work environment, and to respond to new threats, a revision review is conducted at least twice a year. Overseas corporation and subsidiaries have separate security policy considering local laws and regulation of their countries and business environment within the basic regulation and guideline of SDS’s security policy.

• B. Information Security Organization

  Samsung SDS designates a CISO(Chief Information Security Officer) and maintains a dedicated information security organization to ensure the proper establishment and operation of its information security policy. The security organization consists of security departments by division centering on the corporate information security department. Under the supervision of the CISO, the information security committee regularly operates including security department executives and department heads. Samsung SDS HQ dispatches security expatriate to overseas corporations, delegates responsibility for security management. Head office hold a regular meeting once a month with all expatriates of each overseas corporations. Subsidiaries are also required to select security managers for each company, and a system is being established so that the headquarters and subsidiary managers can communicate actively

• C. Protection of Information Assets

  Samsung SDS identifies and classifies all internal information assets according to defined criteria and applies tailored management policies based on their characteristics, ensuring the secure protection of critical information, including personal data, and internal information assets. Samsung SDS identifies all in-house information assets, classifies them according to defined criteria and applies protect policies tailored to their characteristics. It implement access control and protection of all the information assets including personal /sensitive data.

• D. Facility Security Management

  Samsung SDS data protection policy includes physical security policies and management procedures for all company premises, including office buildings, data centers including IDCs, to ensure a secure working environment and protect all facilities and information assets within the premises. These policies and procedures are consistently implemented across all company-operated locations. At each business location, physical security measures such as fences, walls, barriers, security personnel, gates, and more are implemented to create a secure physical security perimeter. Access is restricted in accordance with security classifications and tailored entry and exit procedures based on the characteristics of each operation, allowing only authorized personnel and approved visitors to access designated areas. This approach helps monitor and prevent information asset leaks and unauthorized access.

• E. Information System Security Management

  Samsung SDS's security management system, including servers, networks, databases, application systems, and cloud services and others, protects the company's information assets and secures the services. Regular audits are conducted to ensure compliance and effectiveness. Samsung SDS has established standards for access rights, user accounts, encryption of sensitive information, remote access, and other security aspects for all information systems. Systems are managed in a manner that considers the security vulnerabilities and operational characteristics of each system, ensuring they are used securely within approved boundaries. In additions, Samsung SDS conducts regular security assessments, including penetration testing and security reviews, to protect services and internal data, and to prepare for new vulnerabilities.

• F. Security Incident Response

  Samsung SDS ensures business continuity by establishing and operating a business continuity plan for each service so that core systems and services can be performed without interruption due to disasters and other effects Samsung SDS employs security monitoring to proactively prevent external attacks such as hacking, DDoS attacks, and cyber intrusions. This includes real-time detection and response capabilities. Detailed management systems are in place to address security threats considering their scope and impact. In the event of an incident, measures are taken to minimize damage, swiftly identify the root causes, and prevent further spread. All incidents are thoroughly analyzed and the lessons learned are incorporated into the management system to apply preventive measures against future occurrences.

• G. Business Continuity Management

  Samsung SDS ensures business continuity by applying the business continuity plans for each services. It allows core business operations to continue even in the face of disruptions such as disasters and emergencies. Samsung SDS's business continuity plans tailored for each service is prepared for disasters and emergencies. Samsung SDS operates disaster recovery centers and conducts regular drills to ensure the effectiveness of the disaster recovery plans. When necessary, Samsung SDS analyzes the results to improve and maintain the disaster recovery plans.

• H. Legal Compliance

  Samsung SDS's information security policy complies with relevant laws and regulations related to information security, thereby managing to prevent losses resulting from legal violations. Samsung Security Center collaborates with Legal Service Team and Privacy Management Group to establish relevant policies and operate to ensure that all personnel and systems within the scope of the security management system are managed in compliance with information security laws and regulations, and this includes regular audits. Additionally, legal amendments are periodically reviewed ensuring policies are updated accordingly.

• I. Security Education

  Samsung SDS requires all employees, as well as contractors and collaborators, to sign agreements that include clauses obligating them to comply with the company's information security policy and relevant laws. They also conduct regular information security training to enhance the awareness of security among members and manage this process effectively. Samsung SDS imposes responsibility for information asset protection and related matters by operating and requiring information security pledges from all personnel within the company's management system, ensuring compliance with company policies, including the information security policy. Additionally, regular information security training and ongoing security awareness campaigns are conducted to enhance the understanding of information security among employees, raise awareness of its importance, and manage security levels based on specific job roles, particular times, and hierarchical positions. Security training is also provided to prevent security incidents.

• J. Employee Security Compliance

  Samsung SDS defines and operates information security policy standards that must be observed in all business processes within the company. This regulation give each employees clear responsibilities and obligations. To ensure the established information security management system operates appropriately and securely, Samsung SDS clearly outlines specific requirements that employees must adhere to for each sub-item. The obligations and responsibilities of all employees are managed to fulfill their roles effectively. Disciplinary or sanction actions can be taken for employees who violate security policies and/or procedures depending on the severity of the violation.

• K. Discipline

  Samsung SDS defines and operates disciplinary standards for violations of regulations. Considering the importance of information security policies and the impact of violations, disciplinary standards for each situation are defined and announced to all employees.

Data breach/incident

Samsung SDS has complete charge department that monitors risk factors that threaten IT system
security 24x365 and responds to and manages security incidents such as System hacking, Infringement, and data leakage

• Prevention Activities
  1. Regular/Irregular security inspection and simulation hacking
  2. Notice major security vulnerable points and actions to be taken.
• Risk Detection
  1. Detecting incidents through security monitoring system and risks through security solution
• Incident Response
  1. Assessing importance based on impact criteria and taking immediate action/response.
• Reporting
  1. Reporting on the results of actions taken and investigating the causes of incidents.
• Follow-up Actions
  1. Establishing measures to prevent recurrence
  2. Conducting compliance checks on implementation.

• "Website hacking control","DDoS control","APT control","Malicious code control" are connected to the Security Control Center
• Hacker > DDoS attacks > website hacking, Website hacking control, DDoS control
• Affected Site > Infection with malicious code > Malicious code control > Firewall control > On-Site : Customers' PCs

• Website hacking control
  • Cloud control > Cloud : websites
  • Domestic/Overseas IDC/On-Site : Websites Within IDC
• DDoS control
• APT control > data Leakage > Hacker
• Malicious code control

• Cloud : websites
• Domestic/Overseas IDC/On-Site : Websites Within IDC
• On-Site : Customers' PCs > APT control > Data Leakage > Hacker

• Security incident investigation
• Forensics
• Preventing the spread of damage

• Root cause analysis
• Measures to prevent recurrence
• Preventing the expansion of the impact

• Post-incident management
• Implementation status check/audit
• Revision of related Security Policies
• Relevant security education/training

Information security organizational culture

samsung sds is creating and spreading a culture to improve the maturity of internal information security
awareness, and providing various information security activities to raise employees' awareness of security.

• Informaion
  security training

  we offers training on information security every year to internalize the security capabilities of all employees. There are specific education program to understand company's information security regulations for new employees and customized education for each specific job type, such as developers or systems. Also we are training security experts through specialized training such as system hacking and risk detection.

• Informaion
  security campaign

  We periodically send information security letters on security threats, important vulnerabilities, and security compliance matters. Using digital signage in the workplace, major security issues and security compliance matters are spread to employees and visitors.

• Malicious email
  simulation training

  We are developing scenarios for high-risk vulnerabilities and producing and sending malicious mail content. If an infection is confirmed, we are trying to reduce the infection risk rate through follow-up management on infection prevention.

• Information
  security portal

  We operate a dedicated information security portal to promote communication between employees and information security departments. We provide a channel for reporting and inform cyber security incident

• In-house
  hacking competition

  We are providing challenges to improve understanding of major security items to be considered when developing and operating a system by conducting an in-house online hacking problem solving contest.