Information Security and Private Information Protection System
Information Protection Policy
Coway has established information-protection policies and guidelines to protect its customers' personal information and operates its information-protection systems on the basis of those principles. Coway divides its information-protection regulations into policies, which set out the basic principles of information protection, and guidelines for each detailed practice area, so that employees can easily apply them to their actual work. Policies and guidelines are established and revised through a regular review process so that they keep pace with the ever-expanding scope of information protection as the business environment changes. In 2023, in line with the recent second revision of the Personal Information Protection Act, we revised a total of 16 existing information-protection guidelines, including the guideline on disclosure requests by data subjects and a newly separated article on fixed and portable video information processing devices, so that they reflect the compliance requirements of information-protection laws and current business practice. Coway applies all guidelines and policies related to personal information not only to its internal business areas but also to operating organizations, consignees and business partners.
Guarantee of Data Subject's Private Information Rights
Coway responds swiftly to requests from data subjects to delete their personal information, including requests received through the e-Privacy Clean Service*, in order to guarantee data subjects' rights.
* e-Privacy Clean Service: a service operated by the Personal Information Protection Committee through which data subjects exercise their rights. It lets users check the websites they previously subscribed to through their ID verification records and helps them withdraw from websites they no longer need.
Information Security Management System
With the increase in IoT products and services and changes in technologies, businesses and environments, corporate responsibilities for information protection and personal information protection continue to grow. Coway is fully aware of this and establishes and operates information-protection management systems. Together with the information protection and personal information protection organizations, the Information Protection Committee discusses major agendas and makes decisions so that management participates in the company's overall information-protection activities. By establishing company-wide information-protection governance, we strive to provide services that our customers can use safely.
Organization Dedicated to Information Protection and Private Information Protection
The Information Protection Committee is made up of executives. Its chairperson is the Chief Information Protection Officer (CISO), who meets the requirements set by the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., including 'more than 10 years of experience in performing work in the field of information protection or information technology', and the heads of related departments attend as members. Activities related to information protection, such as information-protection audits, training, awareness promotion and mock training, are carried out by the information security team, which is the department in charge. Through close cooperation with relevant departments, periodic monitoring and risk management, we work to establish a thorough information-protection system and protect personal information.
Organizational Chart of Information Protection and Private Information Protection
Formation of Information Protection Committee
Main Activities Conducted by the Information Protection Committee in 2023
Following the second amendment to the Personal Information Protection Act in September 2023, personal-information regulations in both online and offline areas were tightened, making the management of personal information more important than ever. The Information Protection Committee has completely revised the information-protection policies and guidelines to reflect the compliance requirements of the revised personal-information protection laws and current business operations. In doing so, we actively protect customer rights and operate the information-protection management system more practically and systematically in both online and offline areas.
Main Activities and Performance
Checking private information access records/destruction status
Notifying data subjects of details on the use of their information, resolving complaints and conflicts
Renewing ISO 27001 certification and acquiring ISO 27701 certification
Acquiring ISMS-P certification
Improving the operation of the security system
Checking security system access rights and unnecessary policies
Detecting and responding to PC security vulnerabilities and information leakage threats
Inspecting security of main business sites and operational sites and providing training
Activities for information security campaign and case dissemination
Distributing on-site information security customized guides
Implementing IDC mock training
Implementing disaster recovery mock trainings for grade 1 failure situations once a year
Implementing private information leakage mock training once a year
Reviewing security and taking actions to remove company-wide risks
Strengthening endpoint security risk detection and minimizing security blind spots
Checking the status of information protection management system
Checking the security management status of business partners and consignees
Information Protection Certification
Coway holds domestic and international certifications for information security and personal information protection from accredited third parties, and raises its level of information protection every year through annual follow-up audits and renewal audits every three years.
Status of Information Protection Certification
Domestic
Validity period: 2022.06.15 ~ 2025.06.14
Certification body: Korea Internet & Security Agency (KISA)
Scope: Coway online services (coway.com, cosmetics)
International
Validity period: 2023.12.21 ~ 2026.12.20
Certification body: DNV
Scope: Coway online services, 11 services in total, including coway.com, the cosmetics online service and the corporate site; business apps, 5 services in total, including the Cody App, Home Care Doctor App, Smart Sales App and Service Manager App
Enhancing business stability through information protection risk management
Complying with information protection laws for ethics and transparent management
Minimizing social and economic damages from infringement accidents and collective lawsuits
Complying with laws related to information protection and personal information protection that meet international requirements
Providing systemic risk management environments against information protection threats
Improving external credibility when obtaining certification for the prevention of information leakage
Information Security and Private Information Protection Strategies
Information Protection Risk Monitoring
Using its anomaly-detection system, Coway conducted monthly inspections in 2023 by selecting risk factors such as large-scale inquiries and exports of personal information and activities outside working hours. When a suspected violation of security policy is confirmed, we take action to prevent its recurrence. In addition, we strengthened operational stability and monitoring by replacing outdated security systems so as to respond to new security threats. We also ran mock training on responding to malicious emails for all employees, our business partners and their partners. Finally, we checked the sustainability of our information-protection system by diagnosing infrastructure vulnerabilities, conducting security reviews and verifying the effectiveness of disaster-recovery procedures.
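As an added illustration of the kind of monthly inspection described above (example code written for this page, not Coway's own monitoring system), the following Python script applies three review rules to a constructed personal-information access log: a per-user daily lookup total above a threshold, a single export above a threshold, and any activity outside working hours. The log format, the thresholds, the working-hours window and the sample records are all assumptions made here.

```python
"""Rule-based review of personal-information access logs.

Added example, not Coway's own code. It flags the three risk factors the
report names for monthly inspection: large-scale lookups, exports of
personal information, and activity outside working hours. The log format,
thresholds, working hours and sample records below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log. Assumed format per line:
#   <ISO timestamp> <user id> <LOOKUP|EXPORT> <number of records touched>
SAMPLE_LOG = """\
2023-05-02T09:15:00 u1001 LOOKUP 12
2023-05-02T10:02:00 u1001 LOOKUP 8
2023-05-02T14:40:00 u2002 LOOKUP 1500
2023-05-02T15:05:00 u2002 LOOKUP 2600
2023-05-02T22:30:00 u3003 EXPORT 300
2023-05-03T11:00:00 u4004 EXPORT 40
2023-05-06T13:00:00 u1001 LOOKUP 5
"""

DAILY_LOOKUP_LIMIT = 1000   # assumed threshold for a "large-scale inquiry" per user per day
EXPORT_LIMIT = 100          # assumed threshold for a bulk export of personal information
WORK_START, WORK_END = time(9, 0), time(18, 0)   # assumed working hours, weekdays only


def parse_log(text):
    """Turn raw lines into (datetime, user, action, count) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, count = parts
        try:
            events.append((datetime.fromisoformat(ts), user, action, int(count)))
        except ValueError:
            continue
    return events


def outside_working_hours(ts):
    """True on weekends, or on a weekday outside the assumed 09:00-18:00 window."""
    if ts.weekday() >= 5:
        return True
    return not (WORK_START <= ts.time() < WORK_END)


def find_risk_events(text):
    """Return a sorted list of (user, rule, detail) findings for the monthly review."""
    events = parse_log(text)
    findings = []
    daily_lookups = defaultdict(int)   # (user, date) -> records looked up that day

    for ts, user, action, count in events:
        if action == "LOOKUP":
            daily_lookups[(user, ts.date())] += count
        if action == "EXPORT" and count >= EXPORT_LIMIT:
            findings.append((user, "bulk_export", f"{count} records at {ts.isoformat()}"))
        if outside_working_hours(ts):
            findings.append((user, "off_hours", f"{action} at {ts.isoformat()}"))

    # Large-scale lookups are judged on the daily total, not on a single request,
    # so a user who splits a dump into many small queries is still caught.
    for (user, day), total in daily_lookups.items():
        if total >= DAILY_LOOKUP_LIMIT:
            findings.append((user, "large_scale_lookup", f"{total} records on {day}"))

    return sorted(findings)


if __name__ == "__main__":
    for user, rule, detail in find_risk_events(SAMPLE_LOG):
        print(f"{user:6} {rule:20} {detail}")
```

Each finding is a starting point for a human review, not a verdict: a legitimate batch job can exceed a lookup threshold, so the reviewer confirms the business reason before treating a record as a policy violation.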
Follow-up Measures after Security Accidents
Through our security-incident response guidelines and guides, we respond promptly to prevent the spread of damage. According to the severity and type of the security incident and the scope of damage, we have established a four-level threat-alert standard, and we form a security incident response team as the control tower when an incident occurs so that a company-wide response system is in place.
Security Review Process
Requests for security reviews
Establishing a plan for security reviews
Implementing security reviews
Follow-up management
Responsive System for Infringements of Private Information Protection
When facing personal-information infringement incidents and information-leakage cases, we operate an incident response system in which a swift initial response minimizes secondary damage. Coway divides incidents related to personal information into infringements and leakages (personal information leakages and internal information leakages) and prepares type-specific response measures. Through security control and round-the-clock monitoring, suspected security incidents are reported immediately to the persons in charge of information security, and a response team is formed. In responding to an incident, we take initial actions, identify the case, and collect and preserve evidence so as to scrutinize the information leakage route and other details. During follow-up, we establish measures to prevent recurrence, act on them and normalize the service. With this response system in place, Coway documents the incident route, countermeasures and other details to prevent recurrence, and distributes them to and trains relevant departments on a regular basis.
Responsive System Process
1. Detection (remote security control), by incident type:
   Infringement incidents: malicious code infections (worm/virus), hacking attacks (website forgery/falsification, transit abuse), DDoS attacks, etc.
   Private information leakage
   Internal information leakage
2. Reporting: accident-recognizing departments report suspected security accidents to the persons in charge of information protection.
3. Response by incident type:
   I. Responding to infringement incidents: internal report, reporting to national agencies, forming a security accident responsive team
   II. Responding to private information leakage: reporting the accident and notifying customers, forming an accident responsive team and convening an emergency executive meeting
   III. Responding to internal information leakage: internal report, reporting to national agencies (when necessary), forming a security accident responsive team
   Reporting to the CEO and to the CISO
4. Initial actions (responding to incidents): F/W blocking, ACL policy application, NMS monitoring, vaccine (anti-virus); minimizing leakage damage; prohibiting additional information leakage
5. Analysis: gathering and analyzing system logs (including checking for falsification); checking recently changed files, programs and services; checking hidden or abnormal processes; checking abnormal ports and external connections; identifying the leakage route, responding to customer complaints, damage relief; interviews, forensics, collecting evidence; reporting to the CISO
6. Follow-up: normalizing services, supplementary actions and actions against recurrence; monitoring countermeasures and establishing measures against recurrence; disciplinary actions and civil or criminal charges, establishing measures against recurrence; reporting to the CEO and to the CISO
Information Security and Private Information Protection Activities and Goals
Increasing the Awareness of Information Security and Private Information Protection
To raise employees' awareness of information protection, Coway conducts information security training for all employees twice a year. Through periodic information security campaigns, we strive to increase compliance with information security practices and to strengthen security-related capabilities.
Information Security Training for Employees
Information Security Campaign
Preventing security accidents that may occur in working environments through Clean Desk activities
Coway's Training against Malicious Emails
Coway conducts response training on a regular basis to raise employees' awareness of how to respond to malicious emails. The training covers about 6,072 employees (as of 2023) who use a Coway email (@coway.com) account, and the training emails carry various suspicious indicators, such as unclear sender addresses, service name errors, unknown attachments and requests to enter personal information, so that employees learn to take preventive action on their own.
Information Protection Investment
Coway is obliged to disclose its information-protection status and, since 2022, has disclosed the status of its information-protection investment, human resources, certification and activities in accordance with the Act on the Promotion of Information Security Industry. The purpose of this system is to encourage voluntary investment in information protection by ensuring users' safe use of the Internet and making companies treat information protection as an important element of doing business. As of the end of 2023, Coway's total investment in information protection stood at 3.6 billion won, 4.7% of its IT budget, and we are continuously increasing our attention to and investment in information protection.
Information Protection Investment Status
Information Security Goals
Coway has established and manages a mid- and long-term road map to minimize internal and external security risks and build a global-level security management system.
Mid- and Long-term Road Map for Information Security