Risk Management
This page provides information about our risk management procedures for ProtoPie Enterprise Cloud environments, including the identification and assessment of risks, and the implementation of controls to mitigate those risks.
We employ a comprehensive risk management methodology that includes the following steps:
- Identify - Identify the potential risks associated with the relevant category.
- Assess - Assess each identified risk in terms of potential impact, severity, and likelihood to help us understand the level of risk and prioritize our actions accordingly.
- Implement - Implement reactive measures to control and mitigate disruptions caused by these risks.
Risks Identification & Assessment
Service Outages Risks
To ensure uninterrupted service, we rely on AWS's world-class data centers, which are designed with robust security measures and redundancies to mitigate the risks of utility service outages, such as power failures and network disruptions.
Here are some key security measures implemented in AWS's data centers:
- Emergency Power Shutoffs: AWS's data centers have emergency power shutoffs located in easily accessible areas. These shutoffs are protected from unauthorized activation, ensuring that only authorized personnel can initiate emergency power procedures.
- Uninterruptible Power Supply (UPS): To seamlessly handle power source loss, AWS's data centers utilize short-term UPS systems. These systems provide temporary power to facilitate a smooth transition to alternate power sources, ensuring continuous operation of the information system.
- Water Leakage Protection: Measures are in place to protect the information system from damage caused by water leakage. AWS's data centers employ master shutoff or isolation valves that are easily accessible, properly functioning, and known to key personnel. These valves help prevent water-related incidents from impacting the system's integrity.
- Fire Suppression and Detection: AWS's data centers are equipped with fire suppression and detection devices/systems supported by independent energy sources. This ensures rapid response and effective containment in case of a fire emergency, minimizing potential damage to the infrastructure.
- Temperature and Humidity Control: Regular monitoring and maintenance of temperature and humidity levels are conducted in AWS's data centers. These measures ensure that the environmental conditions are kept within acceptable ranges to safeguard the equipment and maintain optimal performance.
High-Impact Environmental Risks
To ensure the safety and integrity of your data, we utilize data centers provided by AWS, strategically located in areas that offer world-class safety and resilience against environmental threats such as floods, tornadoes, earthquakes, and hurricanes.
Customers have the option to choose the geographical location where data are stored, although it’s primarily based on the location of the company that owns the data in compliance with the Data Process Agreement (DPA).
Threat Vectors Management
To effectively manage the main threat vectors for our service, we have implemented comprehensive measures:
- Continuous Monitoring: Our networks and systems are continuously monitored using advanced tools such as firewalls, and AWS Security Manager. We proactively review monitor logs to identify any suspicious activities or potential threats, allowing us to take prompt action and maintain a secure environment.
- Penetration Testing: To identify vulnerabilities and enhance our security measures, we conduct annual penetration tests. These tests help us identify potential weaknesses in our systems and applications, enabling us to address them proactively and fortify our defenses.
- ISO27001 and 27701 Audits: We undergo annual audits for ISO27001 and 27701 compliance. These audits ensure that we adhere to internationally recognized standards for information security management and privacy practices.
- Personal Information Protection: While we currently do not have specific cyber security insurance, we are committed to adhering to the guidelines set forth by the Personal Information Protection Act in Korea. As part of our efforts to mitigate risks associated with protecting personal information, we have subscribed to a personal information protection liability insurance policy provided by KB Insurance. This coverage helps mitigate potential risks associated with the protection of personal information.
Business Continuity
Business continuity is an integral part of our operations, ensuring that we have the capacity to sustain vital functions even in the event of a disaster. Our risk management practices and protocols are designed to prevent interruptions to essential services and enable a swift and seamless recovery, allowing us to restore full functionality as quickly as possible.
Business Continuity Planning (BCP)
We conduct a thorough BCP test once a year to evaluate the effectiveness of our plan and identify areas that may require improvement. This testing process allows us to assess our readiness in the event of a disruption or disaster and ensures that our organization can continue essential functions without major interruptions.
In addition to BCP testing, we also conduct regular tests of our backup and redundancy mechanisms. These tests, performed annually, are designed to verify the reliability and functionality of our backup systems.
By testing these mechanisms, we can confidently rely on them to restore data and services in case of any unforeseen incidents or system failures.
Contingency Plan Development
As part of our commitment to ensuring business continuity, we have developed a comprehensive contingency plan for our information system. This plan outlines the steps and procedures to be followed in the event of disruptions or incidents that may impact our operations. It serves as a roadmap for a swift recovery and helps us minimize the impact on our business and customers.
Our Business Continuity Planning and Disaster Recovery Procedures (DRP) are in place to mitigate risks and maintain the availability of critical services.
We prioritize the implementation of controls to ensure information security awareness among both our organization and third-party resources supporting our solution.
Security Awareness Training
Our employees and contractors undergo IT Security Awareness Training and Personal Information Training as part of their induction process. This training equips them with the necessary skills and knowledge to effectively respond to disruptions and ensure business continuity. It covers various crucial aspects such as:
- Importance of Security Awareness
- Protect Your Operation System & Internet Transaction
- Password Security
- Email Security & Best Practices
- Backup Important Information
- Mobile Security
- Physical Security
- Social Engineering
- How to manage the risks of removable media
- Cyber Incident Reporting
Training sessions for all system administrators who have access to our solution are performed annually to reinforce the knowledge and practices necessary to mitigate security risks effectively.
We also provide refresher training when required to keep our personnel prepared and up to date with the latest procedures and protocols.
Data Recovery
Our cloud solution is equipped with software and provider-independent capabilities for restoring and recovering data. We consistently evaluate and improve our practices to enhance our business recovery process.
For different levels of failure scenarios, we can commit to the following Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO):
- Level 1 failure: RTO is within 6 hours, and RPO is under 6 hours.
- Level 2 failure: RTO is within 24 hours, and RPO is under 24 hours.
- Level 3 failure: RTO is within 48 hours, and RPO is less than 3 days.
Virtual Infrastructure Capabilities
Customers have the option to download and transfer virtual machine images to another cloud provider, although there may be certain limitations. However, replicating machine images to the customer's own off-site storage location is not permitted or supported. Additionally, we offer customers the capability to undo any changes or modifications made to the virtual machine, providing them with flexibility and control over their environment.