Social - Information Security

Our Social Responsibility for a Sustainable Society

Information Security

Our information security policy aims to protect customers’ valuable personal data and confidential information, fulfill obligations under relevant laws, and safeguard our digital assets from internal and external threats.

Declaration of Information Security

Internal and external threats arising in our business landscape may exert material and negative impacts on Hanatour’s customer service and reputation. Information security and privacy protection have become critical elements of management today.

Therefore, all employees of Hanatour must do their best to ensure valuable information, including Hanatour’s digital assets and customers’ personal data, is kept confidential and strictly secured against potential threats such as data breaches and hacking to maintain stable and reliable customer services. We hereby establish and declare the information security and privacy regulations as follows.

We must safeguard Hanatour’s digital assets, including but not limited to the following:

1. Customers’ personal data and other sensitive information

2. Critical information generated and collected in the course of business

3. Information systems such as servers, networks, security systems and virtual resources, which constitute our business infrastructure

4. Applications in operation to provide services

5. Physical work environment required for Hanatour’s business operations.

We endeavor to achieve the following goals in our information security policy:

1. Customer information shall be secured as a top priority.

2. Digital assets shall not be used or disclosed for non-business purposes.

3. All digital assets shall be protected from unauthorized access and tampering.

4. Comply with all relevant laws and regulations.

To this end, Hanatour’s leadership will actively provide the necessary supportive resources as follows:

1. Provide the necessary budget, organization, and sufficient human resources for information security and privacy protection.

2. Provide sufficient education and training for information security and privacy protection.

3. Establish and support the implementation of specific guidelines and procedures necessary for information security and privacy protection.

4. Ensure and support the continuous implementation of information security and privacy protection.

All employees of Hanatour shall comply with the regulations and guidelines on information security and privacy protection in good faith and shall fulfill their duties and responsibilities to ensure that information security and privacy protection are maintained and further developed.

Song Mi-Sun, CEO

Information Security Framework

With a dedicated organization and system in place for systematic management, we are working together with stakeholders to build a security landscape against cyber and security threats. We strive to strengthen the security ecosystem to ensure that customers can enjoy our tourism services free of worries.

Operational Governance

CEO / Management Planning / IT Strategy Planning

Personal Data Protection
  • Compliance with privacy laws
  • Certification program for privacy protection
  • Requirements for personal data lifecycles
  • Security solution management for personal data processing systems

Information Security
  • Information security framework
  • Information security system
  • Breach response, simulation and drills
  • Information security audits

Management Framework

HNT Information Security Management Framework: Operation / Improvement / Continuous Management

Administrative Procedures
  • Information security policies
  • Information security organizations
  • Digital asset management
  • Human security approaches
  • Internal inspections/audits
  • Information security training

Physical and Technical Measures
  • Restriction of access
  • System security
  • Verification and system privileges
  • Secure development
  • Encryption
  • Incident response and disaster recovery plan

Information Security System

Access to data is controlled through risk assessment and various actions based on information security regulations and guidelines, and is monitored under the 24-hour security alert system.

Risk Assessment for Information Security

We define and monitor major data leakage routes as major risk factors and implement proper management methods.

Information Security Activities
  • Information security certifications
  • Security newsletters
  • Security campaigns
  • Identification of technical vulnerabilities and proactive implementation of response measures
  • Simulation and drills
  • Employee training
  • Investment in new and innovative security technologies

External Authentication & Verification
  • Comply with the international data security standards that specify security requirements for all aspects of payment processing.
  • Obtain certifications of web-based good practices of administrative, technical, and physical measures.
  • Certify the adoption and implementation of a comprehensive management system including administrative, technical, and physical measures to ensure the safety and reliability of data and communication networks.

Mid- to Long-term Goals for Information Security

We aim to achieve mid- to long-term goals to create a safe and reliable security landscape where personal data is strictly secured and the security system is kept updated in line with the digital era.

  • 2025~2026
    Data leak prevention: Enhancing the monitoring system
    Response to issues: Zero issues
    Information security certifications: Maintaining E-privacy certification; Maintaining ISMS certification; Maintaining PCI-DSS certification
    Security activities: Enhancing protection activities; Providing proper training programs to employees; Legal compliance
  • 2027~2028
  • 2029~2030