Samsung SDS has established and operates an information security policy to protect all of the company's information assets, targeting all employees, as well as employees from subsidiaries and partner companies, along with any external visitors to the company. In the information security regulations, Samsung SDS defines basic principles and provides information security guidelines that outline detailed execution criteria based on the principles. Samsung SDS manages the establishment and operation of the information security management system based on the policies established with separate execution guides in place to ensure compliance with regulations and guidelines. The information security policy undergoes a review and/or revision process at least once a year to ensure alignment with relevant laws, internal regulations, and to accommodate changes in regulatory requirements, business characteristics, and the operational environment that may impact management. Additionally, overseas subsidiaries have separate information security policies, referencing the policies of the headquarters and incorporating relevant local laws and regulations of their countries.
Digital Responsibility
Data Security Policy
Samsung SDS has established Data Protection Policy to reduce internal and external security risks, protect all information assets, and provide secure services.
- A. Security Policy Management
- B. Information Security Organization
Samsung SDS designates a Chief Information Security Officer (CISO) and maintains a dedicated information security organization to ensure the proper establishment and operation of its information security policy. Samsung SDS has established its information security organization by designating security departments and personal information protection departments within business units, and information security managers for each operations, all within the information security management system. The Chief Information Security Officer and the heads of the information security organizations regularly convenes a security advisory committee to share key information security matters and make decisions regarding the company's information security.
- C. Protection of Information Assets
Samsung SDS identifies and classifies all internal information assets according to defined criteria and applies tailored management policies based on their characteristics, ensuring the secure protection of critical information, including personal data, and internal information assets. All information assets of their importance are identified and classified based on confidentiality, availability, and integrity criteria. According to the security classifications applied, assets are protected from all internal and external security threats, such as unauthorized access, disclosure, alteration, from the point of creation to disposal, in accordance with the protection policies established for each classification.
- D. Facility Security Management
Samsung SDS data protection policy includes physical security policies and management procedures for all company premises, including office buildings, data centers including IDCs, to ensure a secure working environment and protect all facilities and information assets within the premises. These policies and procedures are consistently implemented across all company-operated locations. At each business location, physical security measures such as fences, walls, barriers, security personnel, gates, and more are implemented to create a secure physical security perimeter. Access is restricted in accordance with security classifications and tailored entry and exit procedures based on the characteristics of each operation, allowing only authorized personnel and approved visitors to access designated areas. This approach helps monitor and prevent information asset leaks and unauthorized access.
- E. Information System Security Management
Samsung SDS's security management system, including servers, networks, databases, application systems, and cloud services and others, protects the company's information assets and secures the services. Regular audits are conducted to ensure compliance and effectiveness. Samsung SDS has established standards for access rights, user accounts, encryption of sensitive information, remote access, and other security aspects for all information systems. Systems are managed in a manner that considers the security vulnerabilities and operational characteristics of each system, ensuring they are used securely within approved boundaries. In additions, Samsung SDS conducts regular security assessments, including penetration testing and security reviews, to protect services and internal data, and to prepare for new vulnerabilities.
- F. Security Incident Response
Samsung SDS' incident response and post-incident management system prevents potential security incidents and minimize damage in the event of an incident occurring. Samsung SDS employs security monitoring to proactively prevent external attacks such as hacking, DDoS attacks, and cyber intrusions. This includes real-time detection and response capabilities. Detailed management systems are in place to address security threats considering their scope and impact. In the event of an incident, measures are taken to minimize damage, swiftly identify the root causes, and prevent further spread. All incidents are thoroughly analyzed and the lessons learned are incorporated into the management system to apply preventive measures against future occurrences.
- G. Business Continuity Management
Samsung SDS ensures business continuity by applying the business continuity plans for each services. It allows core business operations to continue even in the face of disruptions such as disasters and emergencies. Samsung SDS's business continuity plans tailored for each service is prepared for disasters and emergencies. Samsung SDS operates disaster recovery centers and conducts regular drills to ensure the effectiveness of the disaster recovery plans. When necessary, Samsung SDS analyzes the results to improve and maintain the disaster recovery plans.
- H. Legal Compliance
Samsung SDS's information security policy complies with relevant laws and regulations related to information security, thereby managing to prevent losses resulting from legal violations. Samsung Security Center collaborates with Legal Service Team and Privacy Management Group to establish relevant policies and operate to ensure that all personnel and systems within the scope of the security management system are managed in compliance with information security laws and regulations, and this includes regular audits. Additionally, legal amendments are periodically reviewed ensuring policies are updated accordingly.
- I. Security Education
Samsung SDS requires all employees, as well as contractors and collaborators, to sign agreements that include clauses obligating them to comply with the company's information security policy and relevant laws. They also conduct regular information security training to enhance the awareness of security among members and manage this process effectively. Samsung SDS imposes responsibility for information asset protection and related matters by operating and requiring information security pledges from all personnel within the company's management system, ensuring compliance with company policies, including the information security policy. Additionally, regular information security training and ongoing security awareness campaigns are conducted to enhance the understanding of information security among employees, raise awareness of its importance, and manage security levels based on specific job roles, particular times, and hierarchical positions. Security training is also provided to prevent security incidents.
- J. Employee Security Compliance
Samsung SDS clearly assigns responsibilities and obligations to all employees with additional internal policies that define the information security-related obligations and responsibilities that must be adhered to in all processes and business operations within the company. To ensure the established information security management system operates appropriately and securely, Samsung SDS clearly outlines specific requirements that employees must adhere to for each sub-item. The obligations and responsibilities of all employees are managed to fulfill their roles effectively. Disciplinary or sanction actions can be taken for employees who violate security policies and/or procedures depending on the severity of the violation.
Executive Body Responsible for Data Security
- Chief Information Security Officer (CISO) is designated to oversee information security management.
- Appointing accountable individuals and security departments at both the corporate and business unit levels to ensure systematic operation and management.
- Regular Information Security Committee is held to collaborating on critical security matters and reaching pertinent decisions
-
CISO - Samsung Security Center
-
Data security department - Information Security Group
- Information security department for Division1
- Information security department for Division2
- Information security department for Division3
-
Data security department - Information Security Group
- CPO - Privacy Management Group (Information Security Committee)
Data Breach and Incident Response Plan
- Prevention Activities Regular/Irregular security inspection and simulation hacking Notice major security vulnerable points and actions to be taken.
- Risk Detection Detecting incidents through security monitoring system and risks through security solution
- Incident Response Assessing importance based on impact criteria and taking immediate action/response.
- Reporting Reporting on the results of actions taken and investigating the causes of incidents.
- Follow-up Actions Establishing measures to prevent recurrence Conducting compliance checks on implementation.
- Security Control Center Hacker Affected Site
- Website hacking control DDoS control APT control Malicious code control
- Cloud control Firewall control
- Cloud - Websites Domestic/Overseas IDC/On-Site - Websites Within IDC On-Site - Customers' PCs
- Security incident investigation Hacker Affected Site
- Root cause analysis Measures to prevent recurrence Preventing the expansion of the impact
- Post-incident management Implementation status check/audit Revision of related Security Policies Relevant security education/training
Certification and Audit
Samsung SDS annually conducts management system evaluations through various information security certification assessments and audit activities conducted by domestic and international organizations.
| Category | Title | Detail | Institutions | Authentication/Audit Scope | |
|---|---|---|---|---|---|
| Certification | ISO27001 | International Standard for Information Security Management Systems Certification | BSI | International | Cloud services and data centers that include entire Samsung HQ security management systems |
| ISO28000 | Logistics Supply Chain Security Certification | KR | International | International Freight Forwarding and Warehouse Management Industry | |
| ISO27017 | Cloud Security Certification for Cloud Service Providers | BSI | International | Cloud Services in general | |
| ISO27018 | Cloud Personal Information Protection Certification for Cloud Service Providers | BSI | International | Cloud Services in general | |
| ISO27799 | Medical Personal Information Protection Certification | BSI | International | Medical cloud Services | |
| CSA STAR | Security, Trust, Assurance and Risk | BSI | International | Cloud Services in general | |
| CSAP | Cloud Security Assurance Program | KISA | Domestic | Public Cloud Service | |
| ISMS/ISMS-P | Information Security Management Systems and Information Security Management System for Personal Information Protection | KISA | Domestic | Entire Samsung HQ security management systems and specific application system (12) | |
| Audit | CSP Safety Assessment | Financial Cloud IT Asset Management and Data center safety Assessment | KISA | Domestic | Financial cloud Services |
| Integrated Information and Communications Facility | Evaluation of Protection Measures for Integrated Information and Communication Facilities | KISA | Domestic | Domestic Data Center | |
| Critical Information and Communications Infrastructure | Evaluation of Implementation of Protection Measures for Critical Information and Communication Infrastructure | MSIT | Domestic | Internet Telephony Service and Integrated Information Communication Service | |
| Internal Audit Certification | Internal Accounting Operations Audit including IT Audit Certification | PWC | Domestic | Entire Samsung HQ security management systems and IT systems | |
| Information Security Disclosure | Disclosure of the operation status of information protection | MSIT | Domestic | Samsung HQ information security management systems | |
| ESG | Sustainability Management Strategy | DJSI, MSCI | International | Entire Samsung HQ security management systems and IT systems | |
| Internal Audit |
SSI Verification | Samsung Security Index evaluation | SDS | Domestic | Entire Samsung HQ information security management systems, IT systems and infrastructure. |
Data Security Programs for Suppliers and Business Partners
Security programs including inspections are conducted to verify their compliance
- Security review and security level assessment
- Define security requirements and reflecting the requirements in contracts
- Request for a Security Pledge
- Secure a safe working environment equivalent to that for our employees
- Conduct data security training
- Install security management solutions
- Implement security processes including access control and entry control
- Apply physical security process
- Check security compliance and security management status
- Perform simulated malicious email training and information security campaigns
- Verify compliance with security requirements
- Request a contract termination confirmation
- Confirm the destruction of critical information assets
- Dispose of and return used information