Policy
Information Security Policy
Information Security Principles
POSCO adheres to international information security standards and relevant laws both domestically and internationally. We strive to protect our information assets, including core technologies and personnel, which are the sources of our competitiveness, to secure and maintain global competitiveness. To this end, we have established fair and reasonable policies and standards for information security. All employees are committed to internalizing information security practices to ensure effective implementation and maintain the highest level of information security. To ensure effective implementation, we have set five strategic directions to guide the operation of our information security management system.
- POSCO recognizes information security as an integral part of its business activities and has established an information security management system to promptly respond to changes in the business environment.
- POSCO employees understand their responsibility for information security and continuously participate in training and education to enhance their expertise and improve the overall level of information security.
- POSCO employees integrate information security into their daily routines and embed information security activities as a fundamental part of the corporate culture.
- POSCO establishes a systematic information security organization with clearly defined roles and responsibilities.
- POSCO identifies security vulnerabilities and continuously manages them through established procedures.
Information Security Policy Operating Framework
POSCO, based on its information security principles, has established information security regulations and personal information protection regulations. The company has implemented an information security system that includes 12 detailed guidelines, such as document management guidelines and drawing management guidelines. These regulations and guidelines are revised annually, taking into account the latest laws, systems, and internal and external environments. The revisions are reviewed by the company-wide Information Security Committee and approved by top management. All employees can access these documents through the standard document management system.
Additionally, revisions are posted on the company portal system (EP) to ensure easy access for employees. The information security policy framework consists of four levels: principles, regulations, guidelines, and operational procedures. The information security regulations outline the operational standards for various information security activities, including policy, organization, change management, and security incident response, as well as specific areas like asset protection, personnel security, and document security. Moreover, sector-specific information security policies are established as subordinate guidelines under the information security regulations and are operated under the supervision of their respective implementing departments. POSCO has developed and implemented detailed standards for security management measures that cover the entire lifecycle of critical information, including documents, drawings, and system data. Additionally, through the personal information protection regulations, POSCO clearly defines the administrative and technical measures for protecting the personal information of customers and employees. Consent forms for the collection and use of personal information, as well as for third-party provision, are obtained from employees and customers to secure stakeholder consent. This effectively controls access to critical information and prevents unauthorized disclosure.
Since obtaining the international information security standard ISO 27001 certification in 2021, POSCO has maintained a global level information security management system through continuous follow-up audits. Additionally, POSCO conducts security consulting activities to enhance the security levels of its overseas subsidiaries, business companies, and partners, contributing to the security reinforcement and shared growth of the entire value chain, including customers and suppliers. Through these efforts, POSCO minimizes security-related risks and protects information assets by complying with regulatory requirements and relevant laws, thereby ensuring reliability and security.
-
Establishment
of Information Security Policy Annual revisions and review by the Information Security Committee - Policy Implementation Operation and change management based on regulations and guidelines
-
Continuous Improvement
of the Policy Address deficiencies
Manage improvements and changes -
Inspection
of Policy Implementation Periodic inspections and monitoring
Information Security Committee
POSCO appoints Information Security Officers and Personal Information Protection Officers who possess expertise. The Information Security Committee, overseeing information security and cybersecurity strategies, is chaired by the executive in charge of information security and meets annually. During these meetings, the company’s major information security activities are shared, and discussions are held on strategies, implementation directions, and policies. This approach allows POSCO to establish preventive and responsive measures for security threats and ensures prompt and proactive responses to security incidents.
Chairperson |
|
---|---|
Members |
|
Secretary |
|
Functions |
|