Data Protection


Policy

SK ecoplant's top priority in terms of information security is the protection of customers' personal information and our trade secrets, as well as the trade secrets of our customers. To this end, we have established a comprehensive security management system covering human, physical, and system resources, encompassing all areas of security. In addition, we constantly promote activities to raise the security level of newly joined subsidiaries to our own standards. Access control for key data is implemented based on three access control rules*, and monitoring is operated 24/7 for strict data protection. Furthermore, regular assessments, inspections, and audits are carried out to confirm and improve compliance with information protection policies and the proper implementation of protection measures.
A Chief Information Security Officer (CISO) and Chief Privacy Officer (CPO) were appointed to handle corporate and customer data. In addition, the Information Protection Council meets twice a year to identify and respond to risks to personal information management and security, and to develop and revise related measures. In 2021, three new information security guidelines were established with respect to IT disaster recovery, cloud, and remote work.

* Three access control rules:
① Need to know
② Least privilege policy
③ Separation of duties

Dedicated Security Organization

[Figure: Dedicated security organization (1) - mission, vision, and security framework]
Mission - We contribute to the company's stable operation and the achievement of its management goals by managing the company's security risks.
Vision 2025 - Security Leader for Global Environmental Company (Security Framework)
  • 1 Security governance
  • 2 Security policy
  • 3 Security awareness education, promotion, and change management
  • 4 Asset classification and risk analysis
  • 5 HR security
  • 6 Internal information protection
  • 7 IT security
  • 8 Physical security
  • 9 Security diagnosis, inspection, and audit
  • 10 Security incident investigation and handling
  • 11 Security crisis management
[Figure: Dedicated security organization (2) - organization chart]
CISO (Chief Information Security Officer)
Information Security Team - Oversees company-wide information protection; establishes company-wide security goals and vision

Planning & Audit Part

  • Company-wide security planning
  • Security audits
  • Group communication
  • Personal information protection
  • Group security management system
  • Certification (ISMS-P and others)
  • Security policy management
  • Preliminary review of security risks
  • Adoption of security solutions

Operations & Monitoring Part

  • Operation and management of security solutions
  • IT security vulnerability assessment
  • Cyber simulation drills
  • Security inspections (documents, workplace)
  • Security education (company-wide, new hires)
  • Information leakage monitoring
  • Review and approval of exceptions
  • Approval of personal data exports
Security Framework
  • 1 Security governance: Establishing an organizational system for company-wide security by designating a security manager within the supervisory organization for security (planning and audit), the operational organization, the collaborative organization, and division-specific management organizations.
  • 2 Security policy: Establishing and revising the security policies (regulations, rules, operating principles and procedures, and manuals) that represent the company-wide standard for security, and conducting periodic reviews.
  • 3 Security awareness education, promotion, and change management: Running educational and public relations programs to improve employees' security awareness, as well as change management activities to ensure company security.
  • 4 Asset classification and risk analysis: Managing risks by identifying and classifying major company assets and preparing responses through analysis of security risks by asset.
  • 5 HR security: Security supervision of company employees and external personnel.
  • 6 Internal data protection: Preventing, detecting, and monitoring leaks of internal information (trade secrets, personal information, etc.), and establishing and operating response systems.
  • 7 IT security: Managing security vulnerabilities in IT infrastructure and information systems; preventing, detecting, and monitoring external attacks; and establishing and operating response systems.
  • 8 Physical security: Creating and implementing access control for major facilities such as office buildings, as well as physical protection systems for tangible assets.
  • 9 Security diagnosis, inspection, and audit: Setting up and running security assessment, inspection, and audit systems to gauge company-wide security management levels and compliance with security policies and legislation.
  • 10 Security incident investigation and response: Investigating security incidents and implementing measures to minimize losses and damage.
  • 11 Security crisis management: Defining response and recovery procedures for emergencies and urgent events such as accidents, disasters, and intrusions that could cause tangible and intangible losses.

Goal

We are improving our information protection system with the aim of achieving zero incidents relating to information leakage and violations. To this end, we have set up a mid- and long-term roadmap, based on the subdivision of the system into core management areas: security governance, cyber threat management, system security, leakage control, physical security, etc. In 2022, we will strengthen our monitoring system for internal information leakage while making greater in-depth improvements – such as introducing a prior approval system for emails sent outside the company and building a safe remote access environment.

Information Protection Goals (by type and year: 2022, 2023, 2024)

Controlling Internal Information Leakage
  2022
    • 1. Expanding the monitoring scope for internal information leakage
      • Interfacing with the new security system and developing scenarios (MFA, etc.)
      • Monitoring activities involving confidential data sharing
      • Monitoring experienced hires for data brought in from their former place of work
    • 2. Installing a prior approval system for emails sent outside the company
      • Preventing information leakage through prior approval of internal emails sent outside the company
  2023
    • 1. Advancing the monitoring of internal information leakage
      • Detecting irregularities beyond pre-defined scenarios by applying analytic methodology based on machine learning and AI

Acquisition of Information Protection Certification
  2022
    • 1. ISMS-P re-audit
    • 2. ISO 27001 surveillance audit
    • 3. ISO 27701 surveillance audit
  2023
    • 1. ISMS-P surveillance audit
    • 2. ISO 27001 surveillance audit
    • 3. ISO 27701 surveillance audit
  2024
    • 1. ISMS-P surveillance audit
    • 2. ISO 27001 renewal audit
    • 3. ISO 27701 renewal audit

Employee Personal Information Management
  2022: Protective actions taken for systems processing employee personal data (41 systems)
  2023: Protective actions taken for systems processing employee personal data (27 systems)
  2024: Protective actions taken for systems processing employee personal data (30 systems)

Improvement of Remote Working Environments
  2022
    • 1. Strengthening security for remote working environments
      • Enhancing user authentication (application of MFA)
      • Establishing safe remote access environments for IT and security personnel

Subsidiary Security Management
  2022
    • 1. Improving security in newly joined subsidiaries (8 firms)
      • Assessment of subsidiaries' security management systems
      • Performing quick-win tasks
      • Establishing and improving the standard of security targets
    • 2. Managing existing subsidiaries' security (1 firm)
      • Assessing implementation of security improvements
  2023
    • 1. Improving security in newly joined subsidiaries (as necessary)
      • Assessment of subsidiaries' security management systems
      • Performing quick-win tasks
      • Establishing and improving the standard of security targets
    • 2. Managing existing subsidiaries' security (9 firms)
      • Assessing implementation of security improvements
  2024
    • Repetitive work

Cloud Security
  2022
    • 1. Cloud architecture design
    • 2. Application of Stage 1 cloud security
    • 3. Cloud security reviews (repetitive)
    • * Stage 1: some systems for which transfer to the cloud is complete
  2023
    • 1. Cloud security reviews (repetitive)
  2024
    • 1. Application of Stage 2 cloud security
    • 2. Cloud security reviews (repetitive)
    • * Stage 2: all systems for which transfer to the cloud is complete

Performance

SK ecoplant is continuously improving its information protection system through auditing, assessment, and simulation training. Self-assessments based on SK Group's security guidelines, as well as assessments of the security management systems of member companies by the Responsible Management Support Group, SK Group's internal auditor, are conducted once a year. Moreover, annual audits of security operations are conducted under a different theme each year. In addition to the security system, audits also cover human, physical, and technical aspects. The audit results are reported to the CISO and senior management and reflected in the following year's security plan.
Moreover, hacking simulations are conducted regularly throughout the year. To enhance employees' awareness of information protection and strengthen their capabilities in this respect, cyber crisis response training covering malicious emails, system recovery, encryption key changes, and DDoS attacks is held once a year. In 2021, this management system was certified to ISMS-P, as well as ISO 27001 and ISO 27701 for customer information security management, thus enhancing our domestic and overseas credibility.
Through these efforts, we have achieved zero incidents in information leakage and violations for three consecutive years. By setting up an abnormality monitoring system based on big data and further upgrading our monitoring ability for information leakage, we have strengthened our capabilities to respond to any attempt to illegally transfer internal information outside the company.
Aiming to enhance employees’ ability to manage personal information, we have developed and applied reasonable, phased protective measures after assessing the current status of our company-wide system. In addition, a wide range of actions are being implemented – including reinforcement of IT infrastructure in office buildings, diagnosing and resolving vulnerabilities in remote working environments, and examining subsidiaries’ security level – in order to respond to new security risks in line with the changing business environment.

Subsidiary Security Management System
  • Education: Education on SK Group Security Guidelines
  • Assessment: Conducting an internal assessment of the security management system (initial assessment)
  • Defining the Target: Defining the target level for the security management system
  • Implementing the Target: Conducting urgent improvement tasks
  • Assessment: Conducting internal assessments of the security management system (regular assessments)

Simulation Training against Cyber Incidents
Cyber crisis response simulation training (training name, description)
Cyber Simulations
  • Malicious Emails: Measuring the success rate after sending spear phishing emails for simulation training
  • Changing Encryption Keys: Training on changing to new encryption keys, assuming a breach of document security and leakage of DB encryption keys
  • System Recovery: Training on system recovery and service resumption, assuming server failure
  • Response to DDoS attacks: Inspecting the response to a simulated DDoS attack, such as situation development and interception rate