Information Security
Protection of Core Technologies
POSCO, which possesses seven national core technologies, undergoes annual security management inspections by government agencies, continuously improving its security level.
Additionally, POSCO identifies key assets such as personnel, documents, facilities, and systems, and applies tailored protection measures for each asset.
Steel Value Chain Information Security
POSCO conducts various support activities for domestic business companies, overseas subsidiaries, and major partners with whom it shares information. These activities include annual information security level assessments, security consulting, and employee security training, aimed at strengthening the overall security of the steel value chain.
Information Security Support Activities
- Support for Comprehensive Security and Operational System Assessments
- Inspection of Security System Operations and Penetration Testing Support
- Support for Improving Security Management Capabilities and Fostering Security Experts
Prevention and Response to Cyber Security Incidents
The group integrated security control center, which operates 24/7 year-round, continuously collects and analyzes domestic and international hacking trends through an advanced monitoring system. It identifies, blocks, and mitigates potential cyber threats.
To prepare for external cyber attacks, POSCO conducts security risk assessments at each stage from system design to operation. Utilizing internal security specialists and external professional agencies, POSCO regularly performs penetration tests on main websites and business systems to identify and remediate vulnerabilities.
Threat Detection and Response Process
- Detection
  - Detect threats using the integrated security control system and collected internal and external information
- Analysis
  - Assess whether it is an attack and determine the extent of the damage
  - Take preliminary action if necessary
- Dissemination
  - Notify specific departments and the entire company, and request follow-up actions based on the analysis results
- Response
  - Prevent the spread of the incident and take follow-up measures
  - Analyze the cause and integrate findings into future policy improvements
POSCO has adopted the standards of the Korea Internet & Security Agency to establish a five-level internal threat alert system and has developed a ‘Cyber Crisis Response Manual.’ This manual outlines the response procedures and roles of related departments for each type of threat, ensuring immediate response to cyber security incidents and preventing the spread of damage.
POSCO Internal Threat Alert Levels
Level | Description |
---|---|
Normal | General security threat situation with no impact on internal and external systems |
Attention | Increased potential for internal threats due to external security issues |
Caution | Situation that partially affects specific services and operations but can be resolved with appropriate actions |
Alert | Situation that affects specific services and operations, with actions being delayed |
Severe | Situation that severely affects critical services and operations, with persistent risks present |
Strengthening Employees’ Information Security Awareness
To enhance employees’ security awareness, POSCO periodically conducts information security campaigns, training, and inspection activities, encouraging employees to internalize security in their daily work. All employees are required to complete mandatory information security e-learning courses annually.
New employees, newly appointed executives and managers, and personnel involved with national core technologies receive role-specific differentiated information security training.
Additionally, POSCO operates an Information Security Reporting Center, enabling employees to report signs of hacking incidents, information leaks, and security vulnerabilities, as well as propose ideas for enhancing security. In 2023, a total of 30 reports were received and processed. Employees who contribute to information security activities, such as making security reports, receive appropriate rewards, while those found to have committed security violations face disciplinary action according to company regulations.