This section introduces our risk management process and provides information on risk identification, assessment, and the implementation of controls to mitigate those risks.
We apply a comprehensive risk management methodology consisting of the following steps.
Identify
Identify potential risks associated with the relevant categories.
Assess
Evaluate each identified risk in terms of its potential impact, severity, and likelihood to understand the level of risk and prioritize actions accordingly.
Implement
Implement follow-up measures to control and mitigate disruptions caused by these risks.
To ensure uninterrupted service, we use AWS's global data centers, which apply robust security measures and a redundant design to mitigate the risk of utility service disruptions such as power and network outages.
Some of the key security measures implemented in AWS data centers include:
Emergency power cutoff
AWS data centers are equipped with emergency power cutoff devices in easily accessible areas. These devices are protected from unauthorized activation, ensuring that only authorized personnel can initiate emergency power procedures.
Uninterruptible power supply (UPS)
To respond smoothly to power supply interruptions, AWS data centers use short-term UPS systems. These systems provide temporary power to enable a seamless transition to backup power, ensuring continuous operation of information systems.
Leak prevention
Measures are in place to prevent damage to information systems caused by leaks. AWS data centers use main shutoff or isolation valves that are easily accessible, fully functional, and well known to key personnel. These valves help prevent water-related incidents from affecting system integrity.
Fire suppression and detection
AWS data centers are equipped with fire suppression and detection equipment and systems supported by independent energy sources. This enables a rapid and effective response in the event of a fire emergency, minimizing potential damage to the infrastructure.
Temperature and humidity control
AWS data centers carry out regular monitoring and maintenance of temperature and humidity levels. These measures keep environmental conditions within acceptable ranges to protect equipment and maintain optimal performance.
To ensure the safety and integrity of your data, we use AWS data centers strategically located in regions that offer world-class safety and resilience against environmental threats such as floods, tornadoes, earthquakes, and hurricanes.
Under the Data Processing Agreement (DPA), customers have the option to choose the geographic location where their data is stored, based on the location of the company that owns the data.
To effectively manage the main threat vectors to our service, we have implemented the following comprehensive measures:
Continuous monitoring
Our network and systems are continuously monitored using advanced tools such as firewalls and AWS Security Manager. We proactively review monitoring logs to identify suspicious activity or potential threats, allowing us to take swift action and maintain a secure environment.
Penetration testing
We conduct penetration testing annually to identify vulnerabilities and strengthen security measures. These tests help identify potential weaknesses in systems and applications, enabling us to respond proactively and reinforce our defenses.
ISO 27001 and 27701 audits
We undergo annual audits for compliance with ISO 27001 and 27701. These audits confirm that we adhere to internationally recognized standards for information security management and privacy practices.
Privacy protection
We do not currently hold a separate cybersecurity insurance policy, but we strictly comply with the guidelines of Korea's Personal Information Protection Act. As part of our efforts to mitigate privacy-related risks, we have taken out privacy liability insurance with KB Insurance. This coverage helps mitigate potential privacy-related risks.
Business continuity is an essential part of our operations, ensuring our ability to maintain essential functions even in the event of a disaster. Our risk management practices and protocols are designed to prevent disruptions to critical services and to enable rapid, seamless recovery so that all functions can be fully restored as quickly as possible.
We conduct thorough BCP testing once a year to evaluate the plan's effectiveness and identify areas for improvement. This testing process assesses our readiness in the event of a failure or disaster and ensures that the organization can continue to perform essential functions without major disruption.
In addition to BCP testing, we perform regular testing of our backup and redundancy mechanisms. Conducted annually, this testing is designed to verify the reliability and functionality of our backup systems.
By testing these mechanisms, we can trust and rely on them to recover data and services in the event of unexpected incidents or system failures.
As part of our efforts to ensure business continuity, we have established a comprehensive contingency plan for our information systems. This plan outlines the steps and procedures to follow in the event of a disruption or incident that could affect operations. It serves as a roadmap for rapid recovery and helps minimize the impact on us and our customers.
Our business continuity plan and disaster recovery procedures (DRP) are in place to mitigate risks and maintain the availability of critical services.
We prioritize implementing controls to raise information security awareness across both our organization and the third-party resources that support our solutions.
Our employees and contractors complete IT security awareness training and privacy training as part of the onboarding process. This training equips them with the skills and knowledge needed to respond effectively to failures and ensure business continuity. The training covers a range of essential topics, including:
The importance of security awareness
Protecting the operating system and web transactions
Password security
Email security and best practices
Backing up critical information
Mobile security
Physical security
Social engineering
How to manage the risks of removable media
Reporting cybersecurity incidents
To reinforce the knowledge and practices needed to effectively mitigate security risks, training is conducted annually for all system administrators who have access to our solutions.
We also provide refresher training as needed so that employees stay informed and prepared with the latest procedures and protocols.
Our cloud solution provides software- and provider-independent capabilities for data restoration and recovery. We continuously evaluate and refine our practices to improve the business recovery process.