Optimization of Information Protection Management

Organizational Structure for Information Protection

We collect personal information from our customers, given the nature of Coway’s rental business. As online sales channels diversify, we are increasingly required to establish an information protection system suitable for the various channels of inflow and handling of customer information. The Chief Privacy Officer (CPO) and the ICT Strategy Division play a central role in the organization of personal information protection.
In order to provide our customers with the service and value they expect from an ultimate care solution, Coway has newly established the ICT Strategy Division by combining the Information Management Team and the Platform Strategy Team. In doing so, we seek to promote service quality by combining product information and inspection service, while making information protection and management more effective by establishing a comprehensive information management structure.


Organization chart (figure): structure of the information protection promotion organization

Information Protection Structure

  • Collect customer information
    • Pursuant to the prohibition of collecting resident registration numbers, switch to a substitute key (date of birth, gender, etc.)
  • Store and utilize information
    • Store encoded personal information within database
    • Prohibit storage of original copy of personal information file on employees' PCs
  • Dispose of customer information
    • Conduct online training on information protection for all employees
    • Carry out document disposal process through external company

Strengthening Information Management Infrastructure

Establish a Comprehensive Security Control System
In order to handle customers’ personal information more safely, Coway has established a comprehensive security control system that collects logs for the entire system through IDC*. This system has enabled effective control and supervision of personal information. Vulnerabilities were also identified and remediated by examining the weaknesses of the IDB server system and devising improvement measures.
Reorganize Personal Information Handling Process and Strengthen Control
Coway blocks any leakage of important information by establishing VDI in customer information handling companies and suppliers, ensuring all information handling is done through VDI. Vulnerabilities in the sales information system, such as the web and smartphone app, are examined to minimize exposure of personal information within the sales information system and remove unnecessary information. Coway also operates a Mobile Device Management (MDM) solution to block information leakage while service is performed through mobile devices. Through these measures, Coway can effectively respond to viruses or the loss/theft of mobile devices. We hold mock hacking training twice a year and information leakage response training once a year so that employees can better understand the security risks in the information protection and management process, as well as enhance our response capability in the event of information leakage.
  • 1) IDC (Internet Data Center)
  • 2) VDI (Virtual Desktop Infrastructure): A solution providing each user with a virtual desktop and data storage space using the resources of a virtual central server. It is safe from hacking risks and can block data leakage.

Current State of Information Protection Management

Category Content Activities in 2017
Information Protection Management System
  • Operate information protection management system
  • Continue personal information management system control activities and renew certification
IDC
  • Operate IDC security solution
  • Mock hacking (twice a year) and information leakage (once a year) response training
  • Establish account/authority management system
  • Expand participation in mock hacking and response training
DB
  • Encode personal information
  • DB data control management
  • Re-establish DB encoding
  • SAP data equipment (personal information)
Personal Information
  • Strengthen personal information security
  • Implement personal information retention period system
Paper Documents
  • Implement on-site document storage policy and install/operate shredders on all sites
  • Strengthen security functions of multifunction printers
Strengthen security functions of multifunction printers
  • Operate PC security system
  • Adopt digital rights management (DRM) solution
  • Adopt document centralization solution
Mobile
  • Operate mobile device management (MDM)
  • Improve MDM solution functions
Employees
  • Conduct training and diagnosis on information protection
  • Expand subjects of training and diagnosis
  • Conduct mock malicious email training

Promote Security Awareness among Employees

Information Protection Training
Coway strengthens information security by reinforcing our technical capability in information protection and promoting security awareness among employees. In 2016, Coway carried out training on the company’s information protection regulations, case studies on document/personal information protection, and cases/response measures reflecting recent trends in information protection. Online training content for each job category was subdivided into more relevant topics, enhancing the overall effectiveness of the training. We plan to adopt an evaluation system to further increase participation in online learning.
Category | Subject | No. of People who Completed Training | Completion Rate | Note
Online Training | Entry level - Division heads (Including sales personnel) | 3,973 | 100% | Completed by all employees
 | Resident consignment workers | 105 | 100% | -
Offline Training | Executives | 24 | 100% | Division heads or of higher rank
 | Newly hired employees (New/Experienced) | 69 | 100% | Security education within training program
 | New CL* Team heads and staff | 392 | 98% |
 | New BB* team heads | 40 | 100% |

Information Protection Diagnosis
Coway’s information protection diagnosis is divided into permanent, regular, and system diagnosis. Personal information stored in PCs and personal information handling system login records are regularly monitored. Considering the different work environment of each business site, information protection diagnosis is carried out on personal and shared office spaces in the headquarters and R&D center. Personal information management and technical/physical diagnoses are carried out in branch offices. Following the closing of the call center, the state of information protection was diagnosed, and measures were taken in response to the vulnerabilities identified at the site. In 2017, we will expand the subjects and number of information protection diagnoses. This will further enhance Coway’s compliance with information protection regulations and processes, and strengthen information protection control.