
Internal information management regulations
SOLOMONTECH

Chapter 1: General Provisions
1. Overview of Information Security
1.1 Purpose
This regulation establishes the foundation for the information protection activities of SolomonTech Co., Ltd. (hereafter referred to as 'the Company' or 'we'). The purpose is to protect employees and facilities of the Company from unauthorized actions and to safeguard the data processed, stored, and communicated by the information system from threats such as viruses and hacking. It aims to eliminate vulnerabilities and ensure the continuous management of the Company's information protection.
1.2 Scope of Application
This regulation applies to all organizations, employees, visitors, IT equipment, and related facilities of the Company.
1.3 Definitions of Terms
a) Administrative Security: Activities related to setting up and operating the security organization, managing security policies and procedures, security training, security checks, security audits, and security incident investigations.
b) CSO (Chief Security Officer): The executive assigned by the Company's representative with authority over information protection. The CSO is responsible for establishing security policies and overseeing training, audits, and all security-related activities.
c) Physical Security: Security activities aimed at protecting the Company's facilities and personnel from unauthorized individuals, including access control, monitoring the entry and exit of information assets, and security surveillance.
d) Situational Monitoring: Real-time verification of safety, incidents, and security status within the workplace using CCTV or security personnel.
e) Technical Security: Security activities focused on protecting information systems and preventing information leakage through system management, access control, development, maintenance, and incident management.
f) Information System: The hardware, peripheral devices, operating systems, and all system software and database management systems (DBMS) needed to provide services to users.
g) Network: The wired and wireless communication networks that connect systems within the Company or between related organizations for transmitting information of various kinds.
h) Backup: The process of creating copies of information so that it can be recovered, minimizing the risk of damage to or loss of information services or assets due to unforeseen events.
i) Recovery: The process of restoring information or systems to a previous state using backups. It covers both data restoration (RESTORE) and full system restoration (RECOVERY); both depend on proper backups having been taken beforehand.
j) Terminal Devices: End-user input/output devices in information systems, such as personal computers, printers, and scanners connected through a LAN or WAN.
k) Information Security Incident (Breach): Unauthorized destruction, leakage, or alteration of information or information systems that violates the security management system.
l) Webmail: A method of sending email through a web browser after logging in to the mail system.
m) VPN (Virtual Private Network): A technology or communication network that builds a private network over a public network such as the internet.
n) P2P (Peer to Peer): A technology, and the practice, of sharing files directly between individuals over the internet.
o) Web Hard/Web Folder: Information storage services that allow data of various kinds to be stored, moved, and shared via the internet, including uploading and downloading files.
p) DMZ (Demilitarized Zone): A network segment, created when configuring a firewall, for servers or PCs that must be exposed to an external environment such as a public-facing network.
q) FTP (File Transfer Protocol): A protocol for transferring files between computers over the internet.
r) LAN (Local Area Network): A local communication network that connects computers and office automation (OA) devices within a limited geographic area, providing high-speed data transmission.
s) IP (Internet Protocol) Address: A unique address assigned to identify a device on a network and route traffic over the internet.
t) Public Network: A communication network built by telecom companies for public access, such as the internet.
u) Private Network: A network established by a specific organization, such as a company or school, for internal use; it is typically not accessible from external networks without a technology such as a VPN.
1.4 Roles and Responsibilities
a) Employees
- Must comply with this regulation and related security policies and guidelines.
- Are required to attend security training and to cooperate actively with the Company's security activities, such as internal audits.
- When taking Company information assets off-site, must follow the prescribed procedures and may not make independent decisions regarding such actions.
- Are held accountable for security violations as follows:
  - If an employee violates security policies: the violator and their department/team manager.
  - If a visitor violates security policies: the employee who requested the visitor's access.
b) Visitors
- Unauthorized use of video recording devices, such as cameras, is prohibited.
- Visitors may not acquire or use materials other than those provided by the Company.
- Must comply with any protective measures requested by the Company. If violated, the following responsibilities apply:
  - Visitors must follow the Company's controls within restricted areas; failure to do so may result in forced expulsion.
  - Unauthorized use or leakage of Company materials will result in civil and criminal liability.
Chapter 2: Administrative Security
2. Security Organization
2.1. Structure and Management of the Security Organization
a) The structure and management of the enterprise-wide security organization related to security tasks are overseen by the Human Resources and General Affairs Department (Team).
b) Procedures regarding the formation and operation of the security organization should be established and, after obtaining approval from the CSO, should be registered and managed.
c) Any matters not separately specified in section ‘2.4 Security Organization Task Division’ are managed by the Human Resources and General Affairs Department (Team).
2.2. Operation of Security Consultative Body
In order to decide on major security matters and ensure smooth policy delivery and implementation within lower organizational levels, a consultative body should be formed consisting of the CSO, security officers, and security managers, which should operate regularly.
2.3. Security Organizational Chart
An organizational chart, including the team, name, and contact details of responsible personnel, should be prepared and included within the regulations.
2.4. Security Organization Task Division (Responsibilities and Roles)
a) CSO
- The CSO is the CEO or an executive delegated by the CEO.
- As the overall security head, the CSO makes all decisions related to security policies.
- The CSO appoints the enterprise-wide security officer (responsible person).
- The CSO instructs the enterprise-wide security officer to plan and implement security tasks, and manages and supervises the implementation.
b) Enterprise-Wide Security Officer (Responsible Person)
- Appointed by the CSO.
- Reports security activities to the CSO, implements them after approval, and oversees their execution.
- Establishes the company's security regulations and applies them through training and notifications.
- Regularly reviews the company's security policy in response to changes in relevant laws and policies and adjusts security regulations accordingly.
- To raise security awareness, designates the 1st of each month for internal security checks or announcements.
- In case of a security incident, determines whether external investigation agencies should be involved and takes appropriate action.
- Conducts regular assessments of information assets to identify vulnerabilities and implement preventive measures.
- Approves the operating budget for information security activities.
- Holds at least biannual meetings with department security officers to disseminate security policies.
c) Department (Team) Security Officer
- Each department/team leader oversees, coordinates, and supervises security activities within their team.
- Reviews the security of corporate secrets and determines whether documents are classified as confidential.
- Conducts internal security checks within their department/team and ensures the proper functioning of security devices.
- Organizes security training for team members.
- Notifies the enterprise-wide security officer of any security incidents or potential risks within the department/team.
- Requests the establishment of protected areas when security-sensitive areas within the team require restricted access.
- Actively supports the implementation of company security policies.
- Handles security tasks related to facility monitoring and physical factors.
3. Security Agreement
3.1. Awareness of the Importance of Security and Legal Protection of Trade Secrets
a) Employees
- Employees must acknowledge the importance of information security upon joining the company and submit a 'Security Agreement' to the hiring manager. The agreement should specify the rules regarding confidentiality and related legal matters.
- Upon resignation, employees must submit a 'Resignation Security Agreement,' which describes the trade secrets they managed, the retention period, and their legal obligations.
b) Third Parties (General Service Contractors, Outsourcing Personnel)
- Contractors and external personnel must submit a 'Security Agreement' when hired.
- Standard contracts must be used, incorporating clauses to ensure compliance with the company's security regulations.
- The submitted agreements serve as the legal basis for the company to hold these third parties accountable and conduct security inspections.
4. Security Training
4.1. The enterprise-wide security officer should provide annual security training for department/team security officers.
4.2. Upon hiring, the security officer must provide security rule training for new employees.
4.3. If changes are made to security policies, the security officer should inform and conduct training sessions for the department/team security officers.
4.4. The department/team security officers should provide training for their team members regarding any internal policy changes.
4.5. Additional security training can be conducted on an ad-hoc basis if deemed necessary due to security incidents.
5. Management of Resigning Employees
5.1. Resigning employees must not disclose any trade secrets acquired during their tenure; failure to comply will result in legal consequences as stipulated in the 'Resignation Security Agreement.'
5.2. The HR department or team security officers must include the 'Resignation Security Agreement' and 'Resignation Reason Statement' in the resignation documents.
5.3. The department/team security officers must provide sufficient training to departing employees to prevent any leaks of trade secrets.
5.4. Resigning employees must transfer all trade secrets to the relevant team, and any personal copies must be securely destroyed.
5.5. Upon resignation, all access rights to systems and facilities must be revoked.
5.6. Employees resigning to join another company must not use or disclose the company’s trade secrets.
5.7. When an employee's resignation is confirmed, the system administrators must be notified to revoke their access before departure.
6. Management of Security Violations
6.1. The responsible security department must develop and implement measures to prevent the recurrence of security violations.
a) In cases of violations of security regulations, the department head should immediately report the incident to the security department for review and appropriate disciplinary action.
b) Disciplinary actions should follow company policies regarding violations, as outlined in employment rules and regulations.
c) If the violation is considered minor, a warning from the Information Security Officer may be issued to the employee and their department head.
d) If the violation is deemed more serious, the department may be subject to impromptu security audits, and the violator may undergo additional security training.
e) Results of disciplinary actions may be communicated anonymously to all employees to enhance overall security awareness.
7. Information Asset Classification
7.1. Each team must classify its information assets and maintain a classification standard.
7.2. Information assets should be classified as General, Confidential, Secret, or Top Secret, based on their importance.
a) General: Information that is publicly available and can be freely shared.
b) Confidential: Information that could cause temporary harm to the company if disclosed.
c) Secret: Information that could cause significant damage, or require substantial changes to company business plans, if disclosed.
d) Top Secret: Information that could severely harm the company's operations or survival if leaked.
7.3. The enterprise-wide security officer is responsible for managing a master list of classified information assets.
7.4. When creating information assets, the asset creator must notify the team security officer for registration.
7.5. Classified information assets should be labeled with identifiers such as asset numbers and the responsible manager's name.
8. Trade Secret Management
8.1. A ‘trade secret’ refers to information related to production methods, sales strategies, or other useful business-related technical or managerial information that is kept confidential.
8.2. Team members must actively participate in the protection of trade secrets by reporting any concerns regarding security documents to the team leader or security officer.
8.3. When employees change positions within the company, they must document the transfer of trade secrets, and security officers must oversee the adjustment of access rights.
8.4. Team leaders, after consulting with security managers, decide whether to disclose company trade secrets.
8.5. Trade secrets should be managed from creation to the final document phase and throughout any intermediate outputs.
8.6. Security documents should be labeled with their classification level, author, and creation date.
8.7. The retention period for security documents should be determined based on business continuity and the effectiveness of the documents.
8.8. Trade secrets should be stored in secured locations, and access should be limited to authorized personnel.
8.9. Trade secrets must be destroyed irreversibly using methods such as document shredders.
8.10. Trade secrets should not be left unattended in open spaces or public areas.
9. Compliance
9.1. Security policies and regulations must be reviewed and updated in response to changes in relevant laws.
9.2. Security policies should be updated when clients or partners change their own security requirements.
9.3. Any changes to policies should be communicated to all employees via formal notifications or postings, and additional training may be required.
9.4. Information systems must undergo regular vulnerability assessments to ensure security standards are met.
10. Security Inspections/Audits
10.1. The purpose of security audits is to minimize potential information security breaches and related damages by assessing the implementation of security controls.
10.2. Security audits must be conducted regularly under the supervision of the security management team.
10.3. The scope of security audits includes all employees and information assets.
10.4. The audited departments and individuals must cooperate fully with the inspection process.
10.5. Issues identified during audits must be addressed, and security department officers are responsible for monitoring the effectiveness of corrective actions.
10.6. If corrective actions are not sufficient, continuous requests for improvement can be made, and serious violations may result in disciplinary actions.
10.7. Audit reports must include recommendations and solutions for identified risks and be submitted to the head of security for documentation and action.
10.8. Irregular security assessments may be conducted if the head of security determines it necessary or if a potential security incident is identified.
10.9. Contracts with external companies should include clauses ensuring that security audits will be conducted to protect company information assets.
Chapter 3: Physical Security
11. Protection Zone Settings
11.1 Classification of Protection Zones
Protection zones are categorized by level of importance into restricted areas and controlled areas.
- Restricted Area: A region where the entry of outsiders is restricted to protect the company's trade secrets and assets. All offices and production plants of the company are restricted areas, and entry is allowed only after approval obtained through the established procedures.
- Controlled Area: A region where access by employees must also be controlled to protect trade secrets. Entry by unauthorized employees and photography are prohibited in these areas.
11.2 Setting and Marking of Protection Zones
- Controlled areas are designated by the company's security officer after consulting the department security officer, and take effect once approved.
- Signs should be placed in an easily visible location, such as the top center of the entrance.
- Signs should keep a 2:1 width-to-height ratio, with a minimum size of 20 cm (width) x 10 cm (height).
11.3 Access Control of Protection Zones
- Access Authorization
  - Employees are permitted to access their working area and restricted areas.
  - If access to a controlled area is required for work purposes, the department head's approval must be obtained, and the security officer will grant the necessary access permissions.
- Access Management
  - Controlled areas must be separated from general facilities.
  - If separation is not possible, additional security and surveillance measures must be implemented.
  - In controlled areas, access is restricted not only for outsiders but also for employees other than those authorized. An entry log should be maintained using the designated form.
  - External personnel permitted to enter controlled areas must comply with the supervision of the responsible manager; failure to do so will result in forced exit or removal.
  - No visits (such as consultations or meetings) are allowed within controlled areas.
  - Activities within controlled areas may take place only with the approval of the security officer and under the supervision of authorized employees.
Chapter 4: Technical Security
12. End-User Security Guidelines
12.1 Purpose
The purpose is to provide requirements for the information technology protection of personal business equipment issued by the company, such as desktop PCs, laptops (hereinafter referred to as "PCs"), printers, scanners, etc., for work-related purposes.
12.2 Management Items
- Guidelines for the introduction, operation, and disposal of personal business equipment should be established.
- Personal business equipment should be set up with a login password and a screensaver password of at least 8 characters, mixing uppercase and lowercase letters, numbers, and special characters.
- For mobile equipment, both a CMOS (firmware) password and an account login password should be set, giving two layers of protection.
- Only company-issued programs for business use may be installed on PCs; responsibility for the use of illegal software lies with the individual.
- All PCs must have security software, such as a malware prevention solution, installed. Users should configure their systems to update at least once a month.
- All PCs should have an internal leakage prevention solution installed to prevent internal data from leaking outside the company.
- If file sharing is necessary on a PC, a password-protected shared folder should be created so that only authorized users can access it.
- A designated administrator must be assigned to manage public PCs, and security documents may not be stored on public PCs.
- When using the internet, users must comply with the company's security policies (such as access-blocking systems), and unauthorized networks should not be used.
- Security documents must not be transmitted over public networks (such as the internet). In exceptional cases, prior or subsequent approval from the administrator must be obtained.
- Users must not modify hardware or software provided by the company, and removable storage devices may be used only after going through the approval process.
- When using wireless LAN, the router access password should be at least 8 characters long, mixing letters and numbers.
- Reuse of any of the previous five passwords is prohibited.
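The password rules in the management items above (minimum length of 8, all four character classes, and no reuse of the previous five passwords) can be enforced in code before a new password is accepted. The following Python is an added example written for this page; it is not part of the regulation and not SolomonTech code. The PBKDF2 work factor and the sample password history are assumptions constructed for the demonstration; the history is kept as salted digests so previous passwords never need to be stored in plaintext.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

# Policy parameters taken from the guideline text above.
MIN_LENGTH = 8          # minimum password length
HISTORY_DEPTH = 5       # number of previous passwords that may not be reused
# PBKDF2 work factor: an assumed tuning value for this example, not a figure from the regulation.
PBKDF2_ROUNDS = 100_000

PasswordRecord = Tuple[bytes, bytes]  # (salt, PBKDF2 digest) of a previous password


def complexity_violations(password: str) -> List[str]:
    """Return every complexity rule the password fails; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Derive a salted PBKDF2-HMAC-SHA256 digest so history can be kept without plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_history(password: str, history: List[PasswordRecord]) -> bool:
    """True if the candidate equals any of the newest HISTORY_DEPTH stored passwords.

    `history` is ordered oldest to newest; entries older than the window are ignored.
    """
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False


def evaluate(password: str, history: List[PasswordRecord]) -> List[str]:
    """Full policy check: complexity rules plus the reuse rule. Empty list = accepted."""
    problems = complexity_violations(password)
    if matches_history(password, history):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample history (oldest first); a real system would load stored records.
    previous = ["OldPass#1", "OldPass#2", "OldPass#3", "OldPass#4", "OldPass#5", "OldPass#6"]
    history = [hash_password(p) for p in previous]
    for candidate in ["password", "OldPass#6", "OldPass#1", "NewPass#7"]:
        result = evaluate(candidate, history)
        print(candidate, "->", "accepted" if not result else "; ".join(result))
```

Because only the newest five records are compared, "OldPass#1" (the sixth-most-recent) is accepted again while "OldPass#6" is rejected, which is exactly the window the rule describes; the digest comparison uses `hmac.compare_digest` so the check does not leak timing information about stored passwords.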