Digital Responsibility

Information Security Policy

Samsung SDS has established and operated the standard for information security management systems complying with legal obligations to protect all the information assets by reducing internal and external security risk factors.

The information security policy consists of regulations, guidelines, and guides and applies to all personnel who perform tasks related to employees and SDS information assets.

SDSK presents the standards to overseas corporations and subsidiaries so that they can establish and operate information security policies considering the business environment of each country and company within the basic policy of Samsung SDS' security policy.

• A. Security Policy Management

  Samsung SDS has established and operated security regulations and guidelines that all employees, partner companies, and any personnel with access to the company's information assets must comply with to reduce security risks and maintain the consistency of security controls throughout the organization. Samsung SDS defines basic principles in its security regulations and operates an information security guideline that presents detailed implementation standards according to the principles defined in the regulation. The policy applies to all personnel with access to in-house information assets and systems, including physical assets. In order to reflect changes in legal requirements, business characteristics, and work environment, and to respond to new threats, a revision review is conducted at least twice a year. Overseas corporations and subsidiaries have separate security policies considering local laws and regulations of their countries and business environments within the basic regulation and guideline of SDS’s security policy.

• B. Information Security Organization

  Samsung SDS designates a CISO(Chief Information Security Officer) and maintains a dedicated information security organization to ensure the proper establishment and operation of its information security policy. The security organization consists of security departments by division centering on the corporate information security department. Under the supervision of the CISO, the Information Security Management Council regularly operates including security department executives and department heads. Samsung SDS HQ dispatches security expatriates to overseas corporations and subsidiaries, delegates responsibility for security management. The head office holds a regular meeting once a month with all expatriates of each overseas corporations or subsidiary. Subsidiaries are also required to select security managers for each company, and a system is being established so that the headquarters and subsidiary managers can communicate actively.

• C. Protection of Information Assets

  Samsung SDS identifies and classifies all internal information assets according to defined criteria and applies tailored management policies based on their characteristics, ensuring the secure protection of critical information, including personal data, and internal information assets. Samsung SDS identifies all in-house information assets, classifies them according to defined criteria and applies protective policies tailored to their characteristics. It implements access control and protection of all the information assets including personal/sensitive data.

• D. Facility Security Management

  Samsung SDS's data protection policy includes physical security policies and management procedures for all company premises, including office buildings, data centers including IDCs, to ensure a secure working environment and protect all facilities and information assets within the premises. These policies and procedures are consistently implemented across all company-operated locations. At each business location, physical security measures such as fences, walls, barriers, security personnel, gates, and more are implemented to create a secure physical security perimeter. Access is restricted in accordance with security classifications and tailored entry and exit procedures based on the characteristics of each operation, allowing only authorized personnel and approved visitors to access designated areas. This approach helps monitor and prevent information asset leaks and unauthorized access.

• E. Information System Security Management

  Samsung SDS's security management system, including servers, networks, databases, application systems, cloud services and others, protects the company's information assets and secures the services. Regular audits are conducted to ensure compliance and effectiveness. Samsung SDS has established standards for access rights, user accounts, encryption of sensitive information, remote access, and other security aspects for all information systems. Systems are managed in a manner that considers the security vulnerabilities and operational characteristics of each system, ensuring they are used securely within approved boundaries. In addition, Samsung SDS conducts regular security assessments, including penetration testing and security reviews, to protect services and internal data, and to prepare for new vulnerabilities.

• F. Security Incident Response

  Samsung SDS ensures business continuity by establishing and operating a business continuity plan for each service so that core systems and services can be performed without interruption due to disasters and other effects. Samsung SDS employs security monitoring to proactively prevent external attacks such as hacking, DDoS attacks, and cyber intrusions. This includes real-time detection and response capabilities. Detailed management systems are in place to address security threats considering their scope and impact. In the event of an incident, measures are taken to minimize damage, swiftly identify the root causes, and prevent further spread. All incidents are thoroughly analyzed and the lessons learned are incorporated into the management system to apply preventive measures against future occurrences.

• G. Business Continuity Management

  Samsung SDS ensures business continuity by applying the business continuity plans for each service. It allows core business operations to continue even in the face of disruptions such as disasters and emergencies. Samsung SDS's business continuity plans tailored for each service are prepared for disasters and emergencies. Samsung SDS operates disaster recovery centers and conducts regular drills to ensure the effectiveness of the disaster recovery plans. When necessary, Samsung SDS analyzes the results to improve and maintain the disaster recovery plans.

• H. Legal Compliance

  Samsung SDS's information security policy complies with relevant laws and regulations related to information security, thereby managing to prevent losses resulting from legal violations. Samsung Security Center collaborates with the Legal Service Team and Privacy Management Group to establish relevant policies and operate to ensure that all personnel and systems within the scope of the security management system are managed in compliance with information security laws and regulations, and this includes regular audits. Additionally, legal amendments are periodically reviewed ensuring policies are updated accordingly.

• I. Security Education

  Samsung SDS requires confidentiality agreement on company information security policies and compliance with related laws from all personnel within the management system, including executives and employees and business partners, and regularly performs and manages security awareness improvement activities such as information protection education. Confidentiality agreement is required from all personnel, including employees, partner companies, and visitors to the workplace, to comply with the company's policies, including the information security policy, giving them responsibility for protecting information assets. In addition, regular information security education and continuous training and campaign activities are conducted to raise awareness of information protection to manage the level of security and prevent accidents.

• J. Employee Security Compliance

  Samsung SDS defines and operates information security policy standards that must be observed in all business processes within the company. This regulation gives each employee clear responsibilities and obligations. To ensure the established information security management system operates appropriately and securely, Samsung SDS clearly outlines specific requirements that employees must adhere to for each sub-item. The obligations and responsibilities of all employees are managed to fulfill their roles effectively. Disciplinary or sanction actions can be taken for employees who violate security policies and/or procedures depending on the severity of the violation.

• K. Discipline

  Samsung SDS defines and operates disciplinary standards for violations of regulations. Considering the importance of information security policies and the impact of violations, disciplinary standards for each situation are defined and announced to all employees.

Data breach/incident

Samsung SDS has complete charge department that monitors risk factors that threaten IT system
security 24x365 and responds to and manages security incidents such as system hacking, infringement, and data leakage.

• Prevention Activities
  1. Regular/Irregular security inspection and simulation hacking
  2. Notice major security vulnerable points and actions to be taken.
• Risk Detection
  1. Detecting incidents through security monitoring system and risks through security solution
• Incident Response
  1. Assessing importance based on impact criteria and taking immediate action/response.
• Reporting
  1. Reporting on the results of actions taken and investigating the causes of incidents.
• Follow-up Actions
  1. Establishing measures to prevent recurrence
  2. Conducting compliance checks on implementation.

• "Website hacking control","DDoS control","APT control","Malicious code control" are connected to the Security Control Center
• Hacker > DDoS attacks > website hacking, Website hacking control, DDoS control
• Affected Site > Infection with malicious code > Malicious code control > Firewall control > On-Site : Customers' PCs

• Website hacking control
  • Cloud control > Cloud : websites
  • Domestic/Overseas IDC/On-Site : Websites Within IDC
• DDoS control
• APT control > data Leakage > Hacker
• Malicious code control

• Cloud : websites
• Domestic/Overseas IDC/On-Site : Websites Within IDC
• On-Site : Customers' PCs > APT control > Data Leakage > Hacker

• Security incident investigation
• Forensics
• Preventing the spread of damage

• Root cause analysis
• Measures to prevent recurrence
• Preventing the expansion of the impact

• Post-incident management
• Implementation status check/audit
• Revision of related Security Policies
• Relevant security education/training

Information security organizational culture

Samsung SDS is creating and spreading a culture to improve the maturity of internal information security
awareness, and providing various information security activities to raise employees' awareness of security.

• Information
  security training

  We offer training on information security every year to internalize the security capabilities of all employees including overseas, subsidiaries and partner company. There are specific education programs to understand company's information security regulations for new employees and customized education for each specific job type, such as developers or systems. Also we are training security experts through specialized training such as system hacking and risk detection.

• Information
  security campaign

  We periodically send information security letters on security threats, important vulnerabilities, and security compliance matters. Using digital signage in the workplace, major security issues and security compliance matters are spread to employees and visitors.

• Malicious email
  simulation training

  We are developing scenarios for high-risk vulnerabilities and producing and sending malicious mail content. If an infection is confirmed, we are trying to reduce the infection risk rate through follow-up management on infection prevention.

• Information
  security portal

  We operate a dedicated information security portal to promote communication between employees and information security departments. We provide a channel for reporting and informing cyber security incidents.

• In-house
  hacking competition

  We design scenarios for high-risk vulnerabilities and create and send malicious email simulations targeting employees at the SDSK, partner company, overseas, and subsidiaries. If case high-risk behaviors and identified, we strive to minimize the risk of infection through follow-up management aimed at prevention in the future.