NHN has implemented an information protection policy framework tailored to each employee's role. We conduct assessments on a regular basis, at least once a year, to ensure compliance with the policy, evaluate its effectiveness and make necessary improvements. This comprehensive framework comprises a top-level policy statement, supplemented by guidelines for different roles and responsibilities. Additionally, detailed guidelines are also prepared to provide precise instructions for implementing the higher-level guidelines, offering stringent security measures to prevent any information leakage.
Information Security Governance
NHN has established an Information Security Committee comprised of key executives, including the CISO, CPO, and CIO, to discuss major changes in information security governance, including policies, and to make decisions. The dedicated information protection organization has enhanced its expertise and specialization by separating the IT security and information protection policy organizations and has established an Information Protection Policy Committee to manage NHN’s enterprise-wide information risks. The Committee is composed of key personnel from each information protection division, encompassing information protection policy, IT security, and financial security. The Committee is convened every other month to promptly discuss and respond to security issues that arise from time to time.
Information Security Certification
NHN has obtained certifications for information security system and service stability from domestic and foreign reputable certification organizations. We spare no effort to check, manage, and operate internal systems, such as receiving verification on the personal information and information security systems from specialized national agencies.
ISMS-P
The highest level of authoritative domestic certification system of information security and personal information security in South Korea
ISMS-P (Information Security and Personal Information Security Management System) is a certification system that is awarded to a company that achieves a certain degree of performance in its systematic and persistent activities in terms of information security and personal information security. NHN has been annually audited for its system of information security and personal information security subject to the certification of ISMS (Information Security Management System) and PIMS (Personal Information Security Management System), which were obtained in September 2013, and the recently integrated certification of ISMS-P as of November 2019.
International Standard for Information Security and Privacy Management System and Privacy Framework
NHN has acquired the international standard certificate ISO/IEC 27001, which is for the information security management system published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and the international standard certificate ISO/IEC 27701 for the global privacy information management system. It meets global privacy requirements such as the EU GDPR.
NHN has also acquired ISO/IEC 29100, which is the international standard certificate required for establishing and operating a global privacy framework.
Certified Service
NHN : The provision of entertainment, e-commerce, content service and IoT (Internet of Things) services.
NHN Cloud : The provision of NHN cloud services for public, finance, governmental and medical business services.
NHN Dooray! : The provision of collaboration service, groupware, ERP (Enterprise resource planning), digital tax invoice services.
Valid Period
2024.06.17 ~ 2027.06.16
ISO/IEC 27017, 27018, 27799
International Standard for Cloud Service Information Security and Privacy, Health Information Security
NHN has acquired the international standard certificates ISO/IEC 27017 and ISO/IEC 27018, which are for information security and privacy security specialized for cloud services, and ISO/IEC 27799, which is the international standard certificate for health information security of cloud services.
Certified Service
NHN Cloud : The provision of NHN cloud services for public, finance, governmental and medical business services.
NHN Dooray! : The provision of collaboration service, groupware, ERP (Enterprise resource planning), digital tax invoice services.
Valid Period
2024.06.17 ~ 2027.06.16
ISO/IEC 22301
International Standard for Business continuity management system
ISO/IEC 22301 is the international standard certificate for business continuity management systems. NHN Cloud has acquired ISO/IEC 22301 and is audited for its business continuity management for the IaaS services of NHN Cloud; the certification was obtained in July 2022.
Certified Service
NHN Cloud : The provision of NHN cloud services for public, finance, governmental and medical business services.
Information security management system evaluation and certification for providing safe cloud services to governmental
The Cloud Security Assurance Program is a program that reviews whether a service provided by a cloud service provider complies with the information security standards under Article 23 Paragraph 2 of the Cloud Computing Development and User Protection Act of Korea and grants certifications to companies that satisfy certain minimum standards. NHN Cloud Corporation acquired the certification for IaaS in December 2017, SaaS in December 2019, DaaS in September 2023 and has its cloud service security systems regularly certified through strict verification procedures every year.
IaaS Certified Service
NHN Cloud(for Public Institutions)
IaaS Valid Period
2022.12.13 ~ 2027.12.12
SaaS Certified Service
Dooray!
SaaS Valid Period
2019.12.18 ~ 2024.12.17
DaaS Certified Service
NHN Cloud Virtual Desktop (DaaS)
DaaS Valid Period
2023.09.19 ~ 2028.09.18
CSA STAR
International Cloud Service Information Security Certification by CSA (Cloud Security Alliance)
CSA STAR certification is an international cloud service information security certification hosted by the US Cloud Security Alliance (CSA). It assesses the effectiveness and maturity of security controls through the Cloud Control Matrix and grants a certification called STAR (Security, Trust & Assurance, Registry). NHN Cloud has obtained the CSA STAR Certification for IaaS, PaaS, and SaaS of NHN Cloud service and is certified for maintaining the maturity of Gold Level.
Certified Service
NHN Cloud : The provision of NHN cloud services for public, finance, governmental and medical business services.
NHN Dooray! : The provision of collaboration service, groupware, ERP (Enterprise resource planning).
Valid Period
2022.07.12 ~ 2025.07.11
Personal Information Management System
Ensuring Self-control of Personal Information
NHN has established the 'NHN Privacy Policy' based on the personal information handling principles and users are encouraged to check the status of their personal information handling and how to exercise their rights as information subjects through the Privacy Policy. Users may view, edit, and delete their personal information in the Service, and can request access to, suspension of processing, and withdrawal of consent to their personal information by contacting the Customer Center. Personal information of minors under the age of 14 is handled with the consent of their legal representative, and the legal representative shall possess the right to exercise rights to the minor users’ personal information including access, modification, suspension of processing, and withdrawal of consent. NHN does not provide, rent, or sell personal information to any other third parties other than for business purposes such as transactions, service operation, or use of affiliate services.
Activities to Secure the Safety of Personal Information
NHN takes the following technical and administrative measures to ensure the safety of users’ personal information and to prevent it from being lost, stolen, leaked, altered, or damaged when processing the personal information.
01
Encrypting Personal Information
NHN encrypts personal information, such as passwords, in compliance with the standards required by law. NHN endeavors to take additional security measures to safeguard users’ personal information, such as encrypting data when storing important information such as emails and phone numbers, or transmitting files and other materials.
02
Access Control
We restrict access to personal data to authorized personal information handlers and monitor data viewing and access history. In cases where access to internal systems is required from outside, NHN adheres to a policy where access is permitted only through a dedicated VPN system for authorized employees.
03
Prevention of Forgery and Alteration
NHN operates a process that performs real-time backups and detects forgery or alteration to prevent important information, such as personal information of its users, from being forged or altered by hacking or other attacks.
04
Privacy Review Activities
We review changes made to the systems that handle personal information once a week to ensure that the changes are immediately identified and that the current safety measures are always applied to the personal information processing system. In addition, NHN and PAYCO conduct inspections of suppliers, including trustees and electronic financial service providers, twice a year, and check the status of personal (credit) information protection of trustees, including administrative and technical protection measures for personal information and the status of personal information collection, use, and destruction, to prevent personal information leakage.
05
Prevention of Infiltration
NHN has put in place an infiltration prevention system to control unauthorized access and protect important information in the transmission section through encrypted communication. We use the latest antivirus program to prevent leakage or damage of important information such as personal information of users, and the antivirus program is updated and monitored on a daily basis.
Information Security Training
NHN conducts information protection training to raise information security awareness among its employees and partners. New hires are required to take information security training as part of their employment process, and we provide training on personal information protection to all types of employees, including contractors and temporary workers, every year. New hires in technical positions are also provided with developer security training so that information protection practices for safe service development and operation are properly shared. We provide information protection training materials tailored to the purpose of the service not only to employees but also to partners, so that all employees and members have the ability to prevent and respond to security incidents based on their understanding of information protection.