Information Security

    Protection of Core Technologies

    POSCO, which possesses seven national core technologies, undergoes annual security management inspections by government agencies, continuously improving its security level. Additionally, POSCO identifies key assets such as personnel, documents, facilities, and systems, and applies tailored protection measures for each asset.

    Steel Value Chain Information Security

    POSCO conducts various support activities for domestic business companies, overseas subsidiaries, and major partners with whom it shares information. These activities include annual information security level assessments, security consulting, and employee security training, aimed at strengthening the overall security of the steel value chain.

    Information Security Support Activities

    • Support for Comprehensive Security and Operational System Assessments
    • Inspection of Security System Operations and Penetration Testing Support
    • Support for Improving Security Management Capabilities and Fostering Security Experts

    Prevention and Response to Cyber Security Incidents

    The group integrated security control center, which operates 24/7 year-round, continuously collects and analyzes domestic and international hacking trends through an advanced monitoring system. It identifies, blocks, and mitigates potential cyber threats.
    To prepare for external cyber attacks, POSCO conducts security risk assessments at each stage from system design to operation. Utilizing internal security specialists and external professional agencies, POSCO regularly performs penetration tests on main websites and business systems to identify and remediate vulnerabilities.

    Threat Detection and Response Process

    1. Detection

      • Detect threats using the integrated security control system and collected internal and external information
    2. Analysis

      • Assess whether it is an attack and determine the extent of the damage
      • Take preliminary action if necessary
    3. Dissemination

      • Notify specific departments and the entire company, and request follow-up actions based on the analysis results
    4. Response

      • Prevent the spread of the incident and take follow-up measures
      • Analyze the cause and integrate findings into future policy improvements

    POSCO has adopted the standards of the Korea Internet & Security Agency to establish a five-level internal threat alert system and has developed a ‘Cyber Crisis Response Manual.’ This manual outlines the response procedures and roles of related departments for each type of threat, ensuring immediate response to cyber security incidents and preventing the spread of damage.

    POSCO Internal Threat Alert Levels

    1. Normal

      General security threat situation with no impact on internal and external systems
    2. Attention

      Increased potential for internal threats due to external security issues
    3. Caution

      Situation that partially affects specific services and operations but can be resolved with appropriate actions
    4. Alert

      Situation that affects specific services and operations, with actions being delayed
    5. Severe

      Situation that severely affects critical services and operations, with persistent risks present

    Strengthening Employees’ Information Security Awareness

    To enhance employees’ security awareness, POSCO periodically conducts information security campaigns, training, and inspection activities, encouraging employees to internalize security in their daily work. All employees are required to complete mandatory information security e-learning courses annually.
    New employees, newly appointed executives and managers, and personnel involved with national core technologies receive differentiated, role-specific information security training.

    Additionally, POSCO operates an Information Security Reporting Center, enabling employees to report signs of hacking incidents, information leaks, and security vulnerabilities, as well as propose ideas for enhancing security. In 2023, a total of 30 reports were received and processed. Employees who contribute to information security activities, such as making security reports, receive appropriate rewards, while those found to have committed security violations face disciplinary action according to company regulations.

    Information Security e-Learning Training Performance (Unit: people, %): Enrollment, Completion