Digital Responsibility

Samsung SDS has a Chief Information Security Officer (CISO) with expertise in information security.
The CISO has the actual authority and responsibility to operate the information security management system.

Security organization chart:
  • CEO
      • CISO - Samsung Security Center
      • CPO - Legal Service Team
        • Information Security Management Council
        • Corporate Information Security Department - Information Security Group
          • Datacenter Security Department
          • Development Security Department
          • Security Verification Department
          • Quality Security Department

We strive to minimize the company's security risks and protect its information assets by forming a security organization
and conducting regular management reviews through the Information Security Management Council.

Information Security Policy

Samsung SDS has established and operates a standard for its information security management system that complies with legal obligations and protects all information assets by reducing internal and external security risk factors.

Samsung SDS HQ presents these standards to overseas corporations and subsidiaries so that they can establish and operate information security policies that reflect the business environment of each country and company, within the basic framework of Samsung SDS's security policy.

  • Samsung SDS has established and operates security regulations and guidelines that all employees must comply with, to reduce security risks and maintain the consistency of security controls throughout the organization. Samsung SDS defines basic principles in its security regulations and operates an information security guideline that presents detailed implementation standards for the principles defined in the regulations. The policy applies to all personnel with access to in-house information assets and systems, including physical assets. In order to reflect changes in legal requirements, business characteristics and the work environment, and to respond to new threats, a revision review is conducted at least twice a year. Overseas corporations and subsidiaries have separate security policies that reflect the local laws, regulations and business environments of their countries, within the basic regulations and guidelines of Samsung SDS's security policy.

  • Samsung SDS designates a CISO (Chief Information Security Officer) and maintains a dedicated information security organization to ensure the proper establishment and operation of its information security policy. The security organization consists of security departments in each division, centered on the corporate information security department. Under the supervision of the CISO, the Information Security Management Council, which includes security department executives and department heads, meets regularly. Samsung SDS HQ dispatches security expatriates to overseas corporations and subsidiaries and delegates responsibility for security management to them. The head office holds a regular meeting once a month with all expatriates of each overseas corporation or subsidiary. Subsidiaries are also required to appoint a security manager for each company, and a system is being established so that headquarters and subsidiary managers can communicate actively.

  • Samsung SDS identifies all internal information assets, classifies them according to defined criteria, and applies protective policies tailored to their characteristics, ensuring the secure protection of critical information, including personal data, and of internal information assets. It implements access control and protection for all information assets, including personal and sensitive data.

  • Samsung SDS's data protection policy includes physical security policies and management procedures for all company premises, including office buildings and data centers (including IDCs), to ensure a secure working environment and to protect all facilities and information assets within the premises. These policies and procedures are consistently implemented across all company-operated locations. At each business location, physical security measures such as fences, walls, barriers, security personnel and gates are implemented to create a secure physical security perimeter. Access is restricted in accordance with security classifications and with entry and exit procedures tailored to the characteristics of each operation, allowing only authorized personnel and approved visitors to access designated areas. This approach helps monitor and prevent information asset leaks and unauthorized access.

  • Samsung SDS's security management system covers servers, networks, databases, application systems, cloud services and other information systems, protecting the company's information assets and securing its services. Regular audits are conducted to ensure compliance and effectiveness. Samsung SDS has established standards for access rights, user accounts, encryption of sensitive information, remote access and other security aspects of all information systems. Systems are managed with regard to the security vulnerabilities and operational characteristics of each system, ensuring they are used securely within approved boundaries. In addition, Samsung SDS conducts regular security assessments, including penetration testing and security reviews, to protect services and internal data and to prepare for new vulnerabilities.

  • Samsung SDS ensures business continuity by establishing and operating a business continuity plan for each service, so that core systems and services keep running without interruption from disasters and other disruptions. Samsung SDS employs security monitoring to proactively prevent external attacks such as hacking, DDoS attacks and cyber intrusions, including real-time detection and response capabilities. Detailed management systems are in place to address security threats according to their scope and impact. In the event of an incident, measures are taken to minimize damage, swiftly identify the root causes and prevent further spread. All incidents are thoroughly analyzed, and the lessons learned are incorporated into the management system as preventive measures against future occurrences.

  • Samsung SDS ensures business continuity by applying business continuity plans tailored to each service, allowing core business operations to continue even in the face of disruptions such as disasters and emergencies. Samsung SDS operates disaster recovery centers and conducts regular drills to verify the effectiveness of the disaster recovery plans; when necessary, the results are analyzed to improve and maintain the plans.

  • Samsung SDS's information security policy complies with the relevant laws and regulations on information security, thereby preventing losses resulting from legal violations. Samsung Security Center collaborates with the Legal Service Team and the Privacy Management Group to establish and operate the relevant policies, so that all personnel and systems within the scope of the security management system are managed in compliance with information security laws and regulations; this includes regular audits. Additionally, legal amendments are periodically reviewed so that policies are updated accordingly.

  • Samsung SDS requires all employees, as well as contractors and collaborators, to sign agreements that include clauses obligating them to comply with the company's information security policy and relevant laws. Samsung SDS also conducts regular information security training to raise security awareness among its members and manages this process systematically. By operating and requiring information security pledges from all personnel within the company's management system, Samsung SDS assigns responsibility for protecting information assets and related matters and ensures compliance with company policies, including the information security policy. Additionally, regular information security training and ongoing security awareness campaigns are conducted to enhance employees' understanding of information security, raise awareness of its importance, and manage security levels according to job role, timing and hierarchical position. Security training is also provided to prevent security incidents.

  • Samsung SDS defines and operates information security policy standards that must be observed in all business processes within the company. These regulations give each employee clear responsibilities and obligations. To ensure that the established information security management system operates appropriately and securely, Samsung SDS clearly outlines the specific requirements employees must adhere to for each sub-item, and the obligations and responsibilities of all employees are managed so that they fulfill their roles effectively. Disciplinary or sanction actions can be taken against employees who violate security policies and/or procedures, depending on the severity of the violation.

  • Samsung SDS defines and operates disciplinary standards for violations of its regulations. Considering the importance of the information security policies and the impact of violations, disciplinary standards for each situation are defined and announced to all employees.

Prevention activities

Samsung SDS has established a Data Protection Policy to reduce internal and external security risks, protect all
information assets, and provide secure services.

Secure development process: Integrated support meeting > Security design > Development > Test > Security verification > Service operation

Security activities across these stages:
  • Confirmation of the system
  • Definition of security requirements
  • Automatic/regular security inspection through the application of DevSecOps
    • ① Source code security inspection
    • ② Open source security inspection
    • ③ Credential security inspection
    • ④ Container image security inspection
    • ⑤ Dynamic security inspection
  • Vulnerability inspection (source code, open source, server, network, cloud, etc.)
  • Simulated hacking
  • Personal information protection inspection
  • Automatic inspection of important vulnerabilities
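Credential security inspection (item ③ of the DevSecOps list above) is the kind of check that runs automatically on every commit. The Python below is an added example written for this page, not Samsung SDS's own tooling: the detection rules, the placeholder allowlist, the `# nosecret` suppression marker and the sample source are all constructed assumptions. It fails the build with a non-zero exit code when a hardcoded credential or a structured key reaches the repository, while ignoring environment lookups, obvious placeholders and low-entropy strings that are unlikely to be real secrets.

```python
"""Credential security inspection as a CI gate (illustrative example).

Added for this page; not Samsung SDS's tooling. Rules, the placeholder
allowlist, the '# nosecret' marker and SAMPLE_SOURCE are assumptions.
"""
import math
import re
import sys
from collections import Counter
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    snippet: str


# Detection rules: (name, compiled regex). Group 1, where present, captures the
# candidate secret value so it can be allowlisted or entropy-checked.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hardcoded_credential",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)"
                r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

# Values that look like secrets but are clearly placeholders or indirections
# (template variables, angle-bracket markers, 'changeme', masked values).
PLACEHOLDER = re.compile(r"^(?:<.*>|\$\{.*\}|\{\{.*\}\}|changeme|example|xxx+|\*+)$", re.I)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character: random secrets score high, words score low."""
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str, min_entropy: float = 3.0) -> List[Finding]:
    """Return one Finding per line that matches a rule.

    Lines ending with the inline marker '# nosecret' are skipped (reviewed
    exceptions). For the generic rule, placeholder values and values whose
    entropy is below min_entropy are also skipped; structured key formats
    (AWS key ids, private key headers) are always reported.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.rstrip().endswith("# nosecret"):
            continue
        for name, rule in RULES:
            m = rule.search(line)
            if not m:
                continue
            if name == "hardcoded_credential":
                value = m.group(1)
                if PLACEHOLDER.match(value) or shannon_entropy(value) < min_entropy:
                    continue
            findings.append(Finding(line_no, name, line.strip()))
            break  # one finding per line is enough to fail the gate
    return findings


def ci_exit_code(findings: List[Finding]) -> int:
    """Gate the pipeline: any finding fails the build (exit 1), otherwise 0."""
    return 1 if findings else 0


# Constructed sample source for this example only; none of these values are
# real credentials. Lines 5 and 6 should be reported, the rest should pass.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
API_KEY = "${VAULT_API_KEY}"
password = "changeme"
token = "k7Qz9vPm2xL4sWn8RbT1yHc3"
AWS_KEY = "AKIAEXAMPLEKEY123456"
test_password = "unit-test-only-value"  # nosecret
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line_no}: {f.rule}: {f.snippet}")
    sys.exit(ci_exit_code(results))
```

In a real pipeline the scanner would be pointed at the changed files of the commit and its findings surfaced in the build log; the entropy threshold and allowlist are the two knobs that trade false positives against missed secrets, and the `# nosecret` marker should itself be subject to code review so that it does not become a blanket bypass.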

Regular security inspections are carried out for management security, physical security of the workplace,
IT security such as PC/server/network/application security, and cloud security. These inspections cover not only Korea
but also the businesses and assets of overseas corporations and subsidiaries.

Data breach/incident

Samsung SDS has a dedicated department that monitors risk factors threatening IT system security 24x365
and responds to and manages security incidents such as system hacking, intrusion and data leakage.

  • Prevention Activities
    1. Regular/irregular security inspections and simulated hacking
    2. Notification of major security vulnerabilities and the actions to be taken
  • Risk Detection
    1. Detecting incidents through the security monitoring system and risks through security solutions
  • Incident Response
    1. Assessing severity based on impact criteria and taking immediate action
  • Reporting
    1. Reporting on the actions taken and investigating the causes of incidents
  • Follow-up Actions
    1. Establishing measures to prevent recurrence
    2. Conducting compliance checks on their implementation
  • Security Control Center
    • "Website hacking control", "DDoS control", "APT control" and "Malicious code control" are connected to the Security Control Center.
    • Website hacking control and DDoS control cover websites in the cloud and websites within domestic/overseas IDCs and on-site, against hackers' DDoS attacks and website hacking.
    • Malicious code control and firewall control cover customers' on-site PCs against infection with malicious code from affected sites.
    • APT control covers customers' on-site PCs against data leakage to hackers.
  • Incident handling
    • Security incident investigation
    • Forensics
    • Preventing the spread of damage
    • Root cause analysis
    • Measures to prevent recurrence
    • Preventing the expansion of the impact
    • Post-incident management
    • Implementation status check/audit
    • Revision of related security policies
    • Relevant security education/training

Certification and Audit

Samsung SDS enhances the reliability of our information security management system by regularly auditing
our information security policies and systems with reputable domestic and foreign institutions.

Certifications
  • ISMS
  • ISMS-P
  • ISO27017
  • CSA STAR
  • ISO27018
  • CSAP
  • ISO27001
  • ISO27799
  • ISO28000

Extent of data protection and privacy program certification (ISO 27001) (As of Dec 31, 2023)

| Category | Domestic (HQ & Subsidiary) | Overseas Subsidiary | Total |
|---|---|---|---|
| ISO 27001 scope | 5 data centers cover HQ & subsidiaries' data protection and privacy (Sangam, Suwon, Chuncheon, Gumi, Dongtan) | 12 data centers cover all overseas subsidiaries' data protection and privacy (New Jersey, Austin, Dallas, London, Frankfurt, Beijing, Shanghai, Singapore, Hanoi, New Delhi, Bengaluru, Sao Paulo) | - |
| OS storage (PB) | 142.6 | 7.8 | 150.4 |
| Coverage | 100% | 64% | - |
| Total coverage | 94.8% | 3.3% | 98.1% |

Evaluation/Audit
  • CSP stability evaluation
  • Audit of accounting
  • Direct information communication facilities
  • Major information and communication infrastructure

Information security organizational culture

Samsung SDS creates and spreads a culture that improves the maturity of internal information security
awareness, and provides various information security activities to raise employees' awareness of security.

  • Information security training

    We offer information security training every year to internalize security capabilities across all employees. There are dedicated programs for new employees to understand the company's information security regulations, and customized training for each job type, such as development or systems roles. We also train security experts through specialized courses such as system hacking and risk detection.

  • Information security campaign

    We periodically send information security letters on security threats, important vulnerabilities and security compliance matters. Using digital signage in the workplace, major security issues and compliance matters are communicated to employees and visitors.

  • Malicious email simulation training

    We develop scenarios based on high-risk vulnerabilities, produce simulated malicious mail content and send it to employees. When an infection is confirmed, we reduce the infection rate through follow-up management focused on infection prevention.

  • Information security portal

    We operate a dedicated information security portal to promote communication between employees and the information security departments. It provides a channel for reporting and sharing information about cyber security incidents.

  • In-house hacking competition

    We hold an in-house online hacking problem-solving contest whose challenges improve understanding of the major security items to consider when developing and operating a system.

Data protection programs for business partners

Samsung SDS applies information security regulations that comply with its own information security standards to business partners. This raises security awareness and improves data protection capabilities, preventing security incidents that may occur during collaboration.

Contract agreement with business partner
  • Assess the security level of the partner company
  • Define security requirements and reflect them in contracts
  • Request a security pledge

Performing collaborative work
  • Apply the same information security policy and process as for SDS's employees
  • Conduct data security training
  • Check security compliance and security management status
  • Perform simulated malicious email training and information security campaigns

Termination of contract with partners
  • Return/destroy information assets and devices
  • Confirm the destruction of critical information assets
  • Delete the accounts and permissions of personnel whose contract has ended
  • Request a contract termination confirmation