Sustainability Report

Information Security

Information Security Management System

Under our information security management system, Hanwha Ocean carries out information security activities systematically. In particular, we adhere to relevant laws and regulations such as the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection to protect the company’s critical information assets and prevent damage such as data breaches and system paralysis due to cyberattacks. To this end, we appoint and report to the Chief Information Security Officer (CISO) under the management organization and operate the Information Security Committee.

Management organization
  • CEO
  • Information Security Committee
  • CISO
    • Regulatory authorities & associations
      • National Intelligence Service & Ministry of Trade, Industry and Energy
      • Supreme Prosecutors’ Office & National Police Agency
      • Security-related associations
    • Defense & Security (Naval and Specialty Ships)
  • Information Security Working Committee
    • Field departments (shown four times in the chart), each with:
      • Security Management (Organizational Lead)
      • Security Manager
Key Decision Making Bodies
Information Security Committee
  • Operation cycle: Operated at executive meetings chaired by the chairperson
  • Chairperson: CEO
  • Roles:
    • Review the appropriateness and effectiveness of major security management policies
    • Deliberate on incident handling related to industrial security reports (rewards, disciplinary actions)
    • Review matters concerning transfer and acquisition of national core technologies
    • Review the appropriateness of security classification for national core technologies
    • Review mid- to long-term security management roadmaps
    • Other matters requiring consultation and coordination in security management operations
Information Security Working Committee
  • Operation cycle: Operated as needed when issues arise
  • Chairperson: CISO
  • Roles:
    • Review and deliberate on major security management policies and issues
    • Other matters delegated by the Information Security Committee
Scope: Information Security Management System for Design and Production Technology Information
Security Incident Prevention

Hanwha Ocean has identified leakage of security data by employees and hacking through malicious (spam) e-mails as major risks, and is strengthening employee education and publicity to prevent them. We designate the first Monday of each month as a company-wide security day, on which employees are required to read the security training materials to raise their awareness. In addition, we have established procedures for reporting spam e-mails, and we conduct mock drills in response to such e-mails to prevent hacking. The results of the drills conducted by each department are shared with all employees to raise their security awareness. Additionally, we use the security statement to accurately share company policies and the information assets that need to be protected.

Security Incident Prevention and Response
  • Phishing e-mail response drills: 4
  • PR activities via interactives & Oceanview (internal media): 17
  • CEO’s message (security statement): 1
Phishing e-mail response drill results
  • Infection rate (%): 7.9% (2023), 2.8% (2024)
  • Report rate (%): 20.5% (2023), 41% (2024)
Assets to be protected
  1. The company’s confidential information, national core technology, and personal data
  2. Critical business information generated and managed while carrying out businesses
  3. Facilities, media, and devices of the information system for providing business support
  4. Work environment related to physical places and equipment related to business operations
Asset protection policy
  1. Establish and implement a security management system to protect tangible and intangible assets.
  2. Establish and implement administrative, physical, and technical security policies for tangible and intangible assets.
  3. Establish and implement training plans to enhance the security policy compliance of all employees.
  4. Establish and implement basic measures for security incident management, business continuity, and regulatory compliance.
Security Incident Response

We operate an emergency response system to promptly address intrusion incidents and prevent leakage of critical internal technical data. All employees must immediately report any incident they suspect or recognize during work to the IT security manager. Furthermore, if information security-related agencies notify us of an incident, it is also treated as an intrusion incident and responded to swiftly. The Incident Response Team, composed of experts from various fields, performs rapid and effective emergency responses according to their respective roles for all reported incidents.

Security Incident Response Procedures
Information Security Activities

Since 2022, Hanwha Ocean has been operating the Hanwha Ocean Cybersecurity Operations Center in cooperation with cybersecurity companies for active security control, real-time threat detection, and systematic response. In addition, to prepare for the increasing number of cyber attacks, we are developing a mid-to-long-term strategy for information security through security consulting. We are also continuing to invest in improving institutional frameworks and maintaining our systems. The following table summarizes the status of our security system by item using information and communications technology (ICT).

Hanwha Ocean ICT Security System
  • Network Security: To prevent cyber intrusion incidents, internet segment security systems such as internet firewalls, intrusion detection/prevention, DDoS defense, and spam mail blocking systems are operated. Additionally, connection of unauthorized terminals or those without mandatory security programs to the company network is fundamentally blocked.
  • Client Security: To prevent external leakage of internal information assets, security policies such as document encryption, printout security, media security, and external upload control are operated. For intrusion prevention via internal terminals, various security programs including antivirus software, Endpoint Detection and Response (EDR) & Advanced Persistent Threat (APT) response, and unauthorized program installation blocking are applied to maintain a secure work environment.
  • Defense Industry Security: A dedicated security system approved by government agencies is established and operated to protect defense industry technology.
  • Servers/DB/Application Security: Key IT services and infrastructure within the data center are protected by security systems such as server farm firewalls, web firewalls, web shell detection systems, and access control systems (server/DB). Additionally, applications undergo stepwise development security measures (secure coding, penetration testing) to verify safety and continuously enhance security levels.
  • Integrated Security Control: The Cybersecurity Control Center operates 24/7 real-time security monitoring year-round. Through packet analysis, it promptly responds to internal and external IT attacks and information leakage threats. It receives real-time updates on the latest vulnerabilities and threat information from national agencies and non-profit security organizations and operates a security system with an automated and visualized integrated security monitoring system.
  • Vulnerability Diagnosis: Regular group-wide vulnerability diagnostics are conducted on key internal infrastructure and applications. Continuous vulnerability assessments and penetration tests proactively identify and improve security weaknesses to build a safer IT environment.
International Certifications on Information Security

As an industry-leading technology company, Hanwha Ocean establishes various policies and engages in diverse activities to comply with international standards and both domestic and foreign laws to protect critical information, including national core technologies. As the foundation for this, we have obtained and maintained ISO/IEC certifications (27001 and 27017), which are international standards for corporate information security management systems.

Information Security Training

Hanwha Ocean conducts both online and offline information security training for all personnel, including supplier employees, using various training materials. Shipbuilding, which is our core business, is considered a national core technology. Accordingly, we are required to comply with guidelines under the Act on Prevention of Divulgence and Protection of Industrial Technology. Moreover, we work hard to prevent information leakage not only for new hires but also for security personnel and those scheduled to retire. As for our suppliers, we promote internal security inspection regulations and conduct access control for internal security management.

Information Security Training (Classification / Target / Description)
  • Offline training
    • New hires: Industrial security, national core technology, phishing email simulation training, and access control
    • By job function:
      • Laws related to national core technologies
      • Training in preparation for information security management system certifications (ISO 27001/27017)
      • Phishing email simulation training
    • Suppliers:
      • Internal security management, industrial security, national core technology, and access control
      • Promotion of security inspection content related to suppliers
  • Online training
    • By job function:
      • Laws related to national core technologies
      • Phishing email simulation training
      • Company regulations on technology protection
      • Security training for employees scheduled to retire
    • Distribution of training materials: Security training for national core technologies