Slide 1: Title
Presentation Title: Introduction to the PIMS Certification Scheme in Korea
Presenter: Heung Youl YOUM, PhD./Professor, TTA/Soonchunhyang University
Session: Strategic Topic #3: Security & Privacy
Document Name/Version: GSC20_Session#8_Security_HeungYoul_TTA Rev 0
Submission/Revision date: 20 April
Slide 2: Recent major data leakage incidents in Korea
Slide 3: Cyber threat landscape in Korea
- Threat types: DDoS, APT, destructive attacks
- Personal data leakage, including resident registration numbers
- Targets: Internet portals, Internet operators
Slide 4: Recent major PII leakage incidents (1/3)
- April 17, 2011: personal information leakage incident against a Korean financial institution. Personal information of 420,000 customers, including their name, , and cell phone information, was leaked through hacking. This was the first systematic access to customer financial information by hackers in Korea.
- July 26, 2011: personal information leakage at a major portal. Personal information of its 35 million online users was stolen through hacking on July 26, 2011. The leaked data included users' names, phone numbers, , resident registration numbers and passwords.
Slide 5: Recent major PII leakage incidents (2/3)
- November 26, 2011: personal information leakage at an online game site. The personal data of 13.2 million subscribers was leaked from the site. The passwords and resident registration numbers were encrypted. The attack presumably originated from malicious code in China.
- January 19, 2014: major credit card data leakage incidents, disclosed by the Korea Prosecutors' Office on January 19, 2014.
  - Victims: three local credit card companies, the K* Card, the L* Card and the N* Card.
  - Who stole the personal data: an employee of a subcontractor (a supplier to the credit card companies) who had been dispatched to upgrade the fraud detection systems of the three credit card companies.
  - Volume of personal data leaked: 104 million pieces of cardholders' personal and financial information.
Slide 6: Recent major PII leakage incidents (3/3)
- March 6, 2014: personal data leakage through an Internet service operator's website. Personal data of 9.81 million customers was leaked between August 2013 and February 2014 in a hack on its website: vulnerabilities in the operator's website were exploited to steal the customers' personal data.
- Three suspects, including a telemarketer, were arrested for allegedly hacking into the company's website and stealing the personal data of 9.81 million clients of the mobile carrier.
- The leaked personal data included names, resident registration numbers, places of employment, and bank account details.
- The operator was fined 85 million won ($83,650) by the Korea Communications Commission (KCC) for the personal data leak.
Slide 7: ISMS/PIMS certification systems
Slide 8: Overview of ISMS/PIMS certification
- There are two types of management system certification in Korea: ISMS and PIMS. ISMS certification was put into force in 2001, while PIMS was put into force in
- Legal grounds: ISMS and PIMS are based on Article 47 (Certification of information security management system) of the 'Act on the Promotion of Information and Communication Network Utilization and Information Protection, etc.'
- Mandatory ISMS certification requirements for sizable enterprises have been enforced since
- Local standards and criteria compatible with ISO/IEC
- The ordinance of MSIP for ISMS certification and the KCS standard for PIMS certification aim to help organizations improve the safety and reliability of their information networks.
- KCS.KO , Personal information management system
Slide 9: ISMS criteria (set forth in the Ordinance of MSIP and TTA standard)
- Information Security Management Process [five processes, 12 requirements], the ISMS life cycle: Defining scope, Information security policy, Risk management, Implementation, Follow-up.
- Countermeasures [13 areas, 104 controls]: Security policy, Organization, Asset identification and classification, Education and training, Personnel security, Outsider security, Physical security, System security, Cryptographic control, Access control, Operational management, e-commerce security, Incident handling, Review/monitoring/audit, Business continuity management.
Slide 10: PIMS criteria (set forth in ordinance and KS standard), criteria (max. 86)
- Management process (lifecycle of PIMS): Policy making, Scope setting, Risk management, Implementation, Maintenance. Defines the management process for personal information protection.
- Technical and organizational safeguards (protective measures): Privacy policy, Privacy organization, Classification of personal information, Education and training, Personnel security, Infiltration incident handling and response procedures, Internal review and audit, Technical protective measures, Physical protective measures. Defines managerial, technical and physical protection measures for PI.
- PI lifecycle protection: Collection, Use and transfer, Management and disposal. Defines privacy controls meeting legal requirements for each lifecycle stage, from generation to disposal of PI.
Slide 11: ISMS/PIMS certification governance
- MSIP/KCC/MoI: upgrade laws and regulations and enforce policies; support the budget for ISMS/PIMS.
- Certification Authority: accept applications; develop certification criteria and guidelines; recruit certification assessors; issue and manage certificates; operate pools for the certification committee and certification assessors; offer technical advice; conduct follow-up assessment.
- Certification Committee: approve the results of assessment; review the feasibility of cancelling a certification; consists of about 10 experts from academia, institutes, law firms, etc.
- Assessment Authority/Team: perform certification assessment; write the assessment report; check whether the ISMS/PIMS implemented by the enterprise complies with the criteria set forth in the ordinance.
Slide 12: Certified organizations
- As of April 2016, 410 organizations have obtained ISMS certification from KISA: 1 (2002), 2 ('03), 1 ('04), 3 ('05), 0 ('06), 5 ('07), 8 ('08), 8 ('09), 8 ('10), 5 ('11), 11 ('12), 118 ('13), 174 ('14), 52 ('15), 14 ('16).
- 60 organizations have obtained PIMS certification: 2 ('11), 7 ('12), 11 ('13), 7 ('14), 14 ('15), 19 ('16).
- The number of ISMS/PIMS-certified organizations is expected to increase in
Slide 13: Ready for the global PIMS certification scheme
Slide 14: WG areas in ISO/IEC JTC 1/SC 27
- WG 1: ISMS
- WG 2: Cryptography & Security Mechanisms
- WG 3: Security Evaluation
- WG 4: Security Controls & Services
- WG 5: Identity Management & Privacy Technologies
(Diagram axes: Product, System, Process, Environment; Techniques, Guidelines, Assessment)
Slide 15: Study Period on PIMS (JTC 1/SC 27)
The outcome of the joint WG1/WG5 Study Period on PIMS, agreed at the Rome SC27 meeting in October 2012:
- not to develop a privacy-specific management system, but to use the ISO/IEC information security management system even in the privacy-specific context;
- to develop a standard (ISO/IEC 27009) that explains how to create and use sector-specific standards in the ISO/IEC framework (including privacy, cloud computing, telecom, ...) for certification purposes;
- to develop a standard (ISO/IEC 29151) that provides a set of PII protection controls for PII controllers only.
Slide 16: ISO/IEC (from ISO/IEC DIS 27009)
Slide 17: ITU-T X.gpim | ISO/IEC DIS
- ISO/IEC DIS : additional PII-specific implementing guidance for: Security policy, Organization of information security, Human resources security, Physical and environmental security, Communications and operations management, Access control, Information systems acquisition, development and maintenance, Reporting security weaknesses, Business continuity management, Compliance.
- ITU-T X.gpim | ISO/IEC : controls for the same areas: Security policy, Organization of information security, Human resources security, Physical and environmental security, Communications and operations management, Access control, Information systems acquisition, development and maintenance, Reporting security weaknesses, Business continuity management, Compliance.
- ISO/IEC Annex A: an extended set of PII-specific controls meeting the ISO/IEC principles: Consent and choice, Purpose legitimacy and specification, Collection limitation, Data minimization, Accuracy and quality, Openness, transparency and notice, Individual participation and access, Accountability, Information security, Privacy compliance.
Slide 18: Global PIMS certification (proposed)
- ISMS: ISO/IEC (Requirements for MS) + ISO/IEC (Security controls); covers security risk treatment.
- PIMS: ISO/IEC (Requirements for MS) + NWIP (at the April 2016 SC27 meeting) (Additional requirements for privacy-specific MS) + ISO/IEC (Security controls) + ISO/IEC DIS (PII protection controls); covers security + privacy risk treatment.
Slide 19: Concluding remark
Slide 20: Concluding remark
- Challenges for PII protection: data leakage incidents are growing; there is an increasing need for cross-border data transfer; and organizations that wish to receive data transferred across the border need to provide confidence in their level of PII protection.
- Comprehensive solution: PIMS certification.
- International standards for the global PIMS certification ready by April : ISO/IEC 27001:2013, ISO/IEC 27002:2013, ISO/IEC 27009:2016, ITU-T X.gpim | ISO/IEC DIS (April 2016), and the NWIP for additional requirements for PIMS (NWIP agreed at the April 2016 Tampa SC27 meeting).
Slide 21: Thank you very much.
hyyoum at sch.ac.kr