Information Security Policy
Information Security Principles
- POSCO recognizes information security as an integral part of its business activities and has established an information security management system to promptly respond to changes in the business environment.
- POSCO employees understand their responsibility for information security and continuously participate in training and education to enhance their expertise and improve the overall level of information security.
- POSCO employees integrate information security into their daily routines and embed information security activities as a fundamental part of the corporate culture.
- POSCO establishes a systematic information security organization with clearly defined roles and responsibilities.
- POSCO identifies security vulnerabilities and continuously manages them through established procedures.
Information Security Policy Operating Framework
POSCO, based on its information security principles, has established information security regulations and personal information protection regulations. The company has implemented an information security system that includes 12 detailed guidelines, such as document management guidelines and drawing management guidelines. These regulations and guidelines are revised annually, taking into account the latest laws, systems, and internal and external environments. The revisions are reviewed by the company-wide Information Security Committee and approved by top management. All employees can access these documents through the standard document management system.
Additionally, revisions are posted on the company portal system (EP) to ensure easy access for employees. The information security policy framework consists of four levels: principles, regulations, guidelines, and operational procedures. The information security regulations outline the operational standards for various information security activities, including policy, organization, change management, and security incident response, as well as specific areas like asset protection, personnel security, and document security. Moreover, sector-specific information security policies are established as subordinate guidelines under the information security regulations and are operated under the supervision of their respective implementing departments. POSCO has developed and implemented detailed standards for security management measures that cover the entire lifecycle of critical information, including documents, drawings, and system data. Additionally, through the personal information protection regulations, POSCO clearly defines the administrative and technical measures for protecting the personal information of customers and employees. Consent forms for the collection and use of personal information, as well as for third-party provision, are obtained from employees and customers to secure stakeholder consent. This effectively controls access to critical information and prevents unauthorized disclosure.
Since obtaining the international information security standard ISO 27001 certification in 2021, POSCO has maintained a global-level information security management system through continuous follow-up audits. Additionally, POSCO conducts security consulting activities to enhance the security levels of its overseas subsidiaries, business companies, and partners, contributing to the security reinforcement and shared growth of the entire value chain, including customers and suppliers. Through these efforts, POSCO minimizes security-related risks and protects information assets by complying with regulatory requirements and relevant laws, thereby ensuring reliability and security.
- Establishment of Information Security Policy: Annual revisions and review by the Information Security Committee
- Policy Implementation: Operation and change management based on regulations and guidelines
- Inspection of Policy Implementation: Periodic inspections and monitoring
- Continuous Improvement of the Policy: Address deficiencies; manage improvements and changes
Information Security Committee
| Role | Description |
|---|---|
| Chairperson | |
| Members | |
| Secretary | |
| Functions | |