0003437
Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016
The National Assembly of the Republic of Korea
Regulation or Statute
Free
Act On Promotion of Information and Communications Network Utilization and Information Protection
Act On Promotion of Information and Communications Network Utilization and Information Protection
Varies
The document as a whole was last reviewed and released on 2022-04-12T00:00:00-0700.
0003437
Free
The National Assembly of the Republic of Korea
Regulation or Statute
Act On Promotion of Information and Communications Network Utilization and Information Protection
Act On Promotion of Information and Communications Network Utilization and Information Protection
Varies
The document as a whole was last reviewed and released on 2022-04-12T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016 are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 | Business Processes | Preventive | |
Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Business Processes | Preventive | |
Establish, implement, and maintain payment transaction security measures. CC ID 13088 [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: A plan for protection of users of telecommunications billing services; Article 53(1)(2) Every provider of telecommunications billing services shall perform his or her duty to pay attention as a good manager so that telecommunications billing services may be provided in a safe manner. Article 57(1)] | Technical Security | Preventive | |
Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 | Business Processes | Preventive | |
Restrict transaction activities, as necessary. CC ID 16334 | Business Processes | Preventive | |
Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 | Communicate | Preventive | |
Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 | Business Processes | Preventive | |
Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 | Business Processes | Preventive | |
Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 | Business Processes | Preventive | |
Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 | Establish/Maintain Documentation | Preventive | |
Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 | Business Processes | Preventive | |
Encrypt electronic commerce transactions and messages. CC ID 08621 | Configuration | Preventive | |
Protect the integrity of application service transactions. CC ID 12017 | Business Processes | Preventive | |
Include required information in electronic commerce transactions and messages. CC ID 15318 | Data and Information Management | Preventive | |
Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 | Business Processes | Preventive | |
Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 | Communicate | Preventive | |
Bill and settle electronic commerce transactions. CC ID 08622 | Business Processes | Preventive | |
Make electronic commerce order information available to the customer who ordered the product. CC ID 04585 [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Date and time telecommunications billing services are used; Article 58(1)(1) When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Amount purchased/used through telecommunications billing services and details thereof; Article 58(1)(3) A provider of telecommunications billing services shall provide users of telecommunications billing services with a method by which users can verify the details of purchase and use, and shall also furnish a user, upon request, with a written statement on the details of purchase and use (including an electronic document; hereinafter the same shall apply) within two weeks from the date requested. Article 58(2)] | Data and Information Management | Preventive | |
Correct billing and settlement errors. CC ID 08623 [A user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3)] | Business Processes | Corrective | |
Withhold payment and settlement functions, as necessary. CC ID 15460 [A user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3)] | Business Processes | Preventive | |
Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455 [Where a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) provides telecommunications billing services or increases the upper limits of use, it shall obtain consent from a user of the relevant telecommunications billing services in advance. Article 58(5)] | Behavior | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [Where a person responsible for protection of personal information becomes aware of a fact of violation of this Act or other relevant statute, he or she shall take measures for improvement immediately, and if necessary, report the measures for improvement to the business owner or representative of the provider, etc. of information and communications services: Provided, That the provisions concerning reporting of measures for improvement shall not apply where the business owner or representative is the person responsible for protection of personal information pursuant to paragraph (2). Article 27(4)] | Establish/Maintain Documentation | Corrective | |
Review and approve the risk assessment findings. CC ID 06485 | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive | |
Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 [{relevant authority} A provider of information and communications services may designate a chief information protection officer at a level of an executive officer for security of information and communications system, etc. and for safe administration of information: Provided, That in cases of any provider of information and communications services whose number of employees, number of users, etc. meet standards prescribed by Presidential Decree, he or she shall report its designation of the chief information protection officer to the Minister of Science, ICT and Future Planning. Article 45-3(1) A provider of information and communications services may establish and operate an association of chief information protection officers comprised of chief information protection officers prescribed in paragraph (1) in order to jointly perform prevention/response in cases of intrusion, sharing necessary information and other joint programs prescribed by Presidential Decree. Article 45-3(4)] | Establish Roles | Preventive | |
Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 [A provider of information and communications services whose the average number of users per day, sales, and other related factors fall under the criteria prescribed by Presidential Decree shall designate a person responsible for protection of juvenile to keep juvenile from unwholesome information to juvenile in the information and communication network. Article 42-3(1) The person responsible for protection of juvenile shall be chosen from among executive officers of the relevant business operator or the persons in a position equivalent to the head of a department responsible for business affairs related to protection of juvenile. Article 42-3(2)] | Establish Roles | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources Management | Preventive | |
Identify and define all critical roles. CC ID 00777 | Establish Roles | Preventive | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 [Every provider of information and communications services or similar shall designate a person responsible for protection of personal information so that he or she protects the personal information of users and process complaints from users in connection with the personal information: Provided, That a provider of information and communications services or similar may, if he or she falls under the criteria prescribed by Presidential Decree for the number of employees, number of users, and other related matters, omit such designation. Article 27(1) If a provider of information and communications services or similar does not designate a person responsible for protection of personal information under the proviso to paragraph (1), the business owner or representative of the provider or similar shall be the person responsible for protection of personal information. Article 27(2)] | Establish Roles | Preventive | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources Management | Preventive | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources Management | Preventive | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources Management | Preventive | |
Assign the role of data controller to applicable controls. CC ID 00354 | Establish Roles | Preventive | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources Management | Preventive | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Establish Roles | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Human resources and physical facilities required for carrying on the business; Article 53(1)(3)] | Establish/Maintain Documentation | Preventive | |
Categorize the gender of all employees. CC ID 15609 | Human Resources Management | Preventive | |
Categorize all employees by racial groups and ethnic groups. CC ID 15627 | Human Resources Management | Preventive | |
Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 | Human Resources Management | Preventive | |
Establish and maintain Personnel Files for all employees. CC ID 12438 | Human Resources Management | Preventive | |
Include credit check results in each employee's personnel file. CC ID 12447 | Human Resources Management | Preventive | |
Include any criminal records in each employee's personnel file. CC ID 12446 | Human Resources Management | Preventive | |
Include all employee information in each employee's personnel file. CC ID 12445 | Human Resources Management | Preventive | |
Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 | Human Resources Management | Preventive | |
Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 | Human Resources Management | Preventive | |
Include referral follow-up results in each employee's personnel file. CC ID 12440 | Human Resources Management | Preventive | |
Include background check results in each employee's personnel file. CC ID 12439 | Human Resources Management | Preventive | |
Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Establish/Maintain Documentation | Preventive | |
Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 | Human Resources Management | Preventive | |
Require all new hires to sign the Code of Conduct. CC ID 06665 | Establish/Maintain Documentation | Preventive | |
Require all new hires to sign Acceptable Use Policies. CC ID 06662 | Establish/Maintain Documentation | Preventive | |
Require new hires to sign nondisclosure agreements. CC ID 06668 | Establish/Maintain Documentation | Preventive | |
Train all new hires, as necessary. CC ID 06673 | Behavior | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personnel security policy. CC ID 14025 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the personnel security policy. CC ID 14154 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the personnel security policy. CC ID 14114 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the personnel security policy. CC ID 14113 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the personnel security policy. CC ID 14112 | Establish/Maintain Documentation | Preventive | |
Include the scope in the personnel security policy. CC ID 14111 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the personnel security policy. CC ID 14110 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain personnel security procedures. CC ID 14058 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 | Communicate | Preventive | |
Establish, implement, and maintain security clearance level criteria. CC ID 00780 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain staff position risk designations. CC ID 14280 | Human Resources Management | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 | Testing | Detective | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources Management | Detective | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Establish Roles | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Establish Roles | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Establish/Maintain Documentation | Preventive | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources Management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources Management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Establish/Maintain Documentation | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources Management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources Management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Establish/Maintain Documentation | Preventive | |
Perform a drug test during personnel screening. CC ID 06648 | Testing | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources Management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources Management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources Management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources Management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Establish/Maintain Documentation | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources Management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources Management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources Management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Establish/Maintain Documentation | Detective | |
Identify and watch individuals that pose a risk to the organization. CC ID 10674 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Establish/Maintain Documentation | Preventive | |
Terminate user accounts when notified that an individual is terminated. CC ID 11614 | Technical Security | Corrective | |
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 | Technical Security | Corrective | |
Assign an owner of the personnel status change and termination procedures. CC ID 11805 | Human Resources Management | Preventive | |
Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 | Data and Information Management | Corrective | |
Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 | Human Resources Management | Preventive | |
Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 | Behavior | Preventive | |
Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 | Communicate | Preventive | |
Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 | Human Resources Management | Preventive | |
Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 | Human Resources Management | Corrective | |
Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 | Behavior | Preventive | |
Conduct exit interviews upon termination of employment. CC ID 14290 | Human Resources Management | Preventive | |
Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 | Establish/Maintain Documentation | Preventive | |
Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 | Human Resources Management | Detective | |
Train all personnel and third parties, as necessary. CC ID 00785 [A provider of information and communications services or similar shall control, supervise and educate the trustee to ensure that the trustee does not violate any provision of this Chapter. Article 25(4)] | Behavior | Preventive | |
Establish, implement, and maintain an education methodology. CC ID 06671 | Business Processes | Preventive | |
Support certification programs as viable training programs. CC ID 13268 | Human Resources Management | Preventive | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Establish/Maintain Documentation | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Establish/Maintain Documentation | Preventive | |
Submit applications for professional certification. CC ID 16192 | Training | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 | Behavior | Preventive | |
Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Behavior | Preventive | |
Tailor training to be taught at each person's level of responsibility. CC ID 06674 | Behavior | Preventive | |
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Behavior | Preventive | |
Document all training in a training record. CC ID 01423 | Establish/Maintain Documentation | Detective | |
Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Behavior | Preventive | |
Conduct tests and evaluate training. CC ID 06672 | Testing | Detective | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources Management | Preventive | |
Review the current published guidance and awareness and training programs. CC ID 01245 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 | Establish/Maintain Documentation | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Training | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Training | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Training | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Training | Detective | |
Develop or acquire content to update the training plans. CC ID 12867 | Training | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Training | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Establish/Maintain Documentation | Preventive | |
Include ethical culture in the training plan, as necessary. CC ID 12801 | Human Resources Management | Preventive | |
Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Training | Preventive | |
Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources Management | Preventive | |
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Training | Preventive | |
Include risk management in the training plan, as necessary. CC ID 13040 | Training | Preventive | |
Conduct Archives and Records Management training. CC ID 00975 | Behavior | Preventive | |
Conduct personal data processing training. CC ID 13757 | Training | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Training | Preventive | |
Include the cloud service usage standard in the training plan. CC ID 13039 | Training | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Communicate | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Establish/Maintain Documentation | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Establish/Maintain Documentation | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Training | Preventive | |
Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
Include safeguards for information systems in the security awareness program. CC ID 13046 | Establish/Maintain Documentation | Preventive | |
Include security policies and security standards in the security awareness program. CC ID 13045 | Establish/Maintain Documentation | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Training | Preventive | |
Include mobile device security guidelines in the security awareness program. CC ID 11803 | Establish/Maintain Documentation | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Training | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Training | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Training | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Training | Preventive | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Establish/Maintain Documentation | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Establish/Maintain Documentation | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Establish/Maintain Documentation | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Establish/Maintain Documentation | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Establish/Maintain Documentation | Preventive | |
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources Management | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources Management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Establish/Maintain Documentation | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources Management | Preventive | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Establish/Maintain Documentation | Preventive | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Establish/Maintain Documentation | Preventive | |
Conduct secure coding and development training for developers. CC ID 06822 | Behavior | Corrective | |
Conduct tampering prevention training. CC ID 11875 | Training | Preventive | |
Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Training | Preventive | |
Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Training | Preventive | |
Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Training | Preventive | |
Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Training | Preventive | |
Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Training | Preventive | |
Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Training | Preventive | |
Conduct crime prevention training. CC ID 06350 | Behavior | Preventive | |
Analyze and evaluate training records to improve the training program. CC ID 06380 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain a Code of Conduct. CC ID 04897 [An organization of providers of information and communications services may establish and implement a code of conduct applicable to providers of information and communications services with an objective to protect users and render information and communications services in a safer and more reliable way. Article 44-4 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a code of conduct for financial recommendations. CC ID 16649 | Establish/Maintain Documentation | Preventive | |
Include anti-coercion requirements and anti-tying requirements in the Code of Conduct. CC ID 16720 | Establish/Maintain Documentation | Preventive | |
Include limitations on referrals for products and services in the Code of Conduct. CC ID 16719 | Behavior | Preventive | |
Include classifications of ethics violations in the Code of Conduct. CC ID 14769 | Establish/Maintain Documentation | Preventive | |
Include definitions of ethics violations in the Code of Conduct. CC ID 14768 | Establish/Maintain Documentation | Preventive | |
Include exercising due professional care in the Code of Conduct. CC ID 14210 | Establish/Maintain Documentation | Preventive | |
Include health and safety provisions in the Code of Conduct. CC ID 16206 | Establish/Maintain Documentation | Preventive | |
Include organizational values in the Code of Conduct. CC ID 12919 | Process or Activity | Preventive | |
Include key policies in the Code of Conduct. CC ID 12890 | Establish/Maintain Documentation | Preventive | |
Include responsibilities to the public trust in the Code of Conduct. CC ID 14209 | Establish/Maintain Documentation | Preventive | |
Include the vision statement in the Code of Conduct. CC ID 12889 | Establish/Maintain Documentation | Preventive | |
Include the organization's mission in the Code of Conduct. CC ID 12875 | Establish/Maintain Documentation | Preventive | |
Include classifications of desired conduct in the Code of Conduct. CC ID 12851 | Establish/Maintain Documentation | Preventive | |
Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 | Human Resources Management | Preventive | |
Include environmental responsibility criteria in the Code of Conduct. CC ID 16209 | Establish/Maintain Documentation | Preventive | |
Include social responsibility criteria in the Code of Conduct. CC ID 16210 | Establish/Maintain Documentation | Preventive | |
Include that Information Security responsibilities extend outside normal business hours and organizational facilities in the Terms and Conditions of employment. CC ID 04580 | Establish/Maintain Documentation | Preventive | |
Include labor rights criteria in the Code of Conduct. CC ID 16208 | Establish/Maintain Documentation | Preventive | |
Include the employee's legal responsibilities and rights in the Terms and Conditions of employment. CC ID 15701 | Establish/Maintain Documentation | Preventive | |
Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 | Behavior | Corrective | |
Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 | Communicate | Preventive | |
Include the legal intellectual property responsibilities in the Code of Conduct. CC ID 04898 | Establish/Maintain Documentation | Detective | |
Include definitions of desirable conduct in the Code of Conduct. CC ID 12846 | Establish/Maintain Documentation | Preventive | |
Include notification procedures for allegations of undesirable conduct in the Code of Conduct. CC ID 12855 | Establish/Maintain Documentation | Preventive | |
Include procedures to identify positive outcomes in the Code of Conduct. CC ID 12854 | Establish/Maintain Documentation | Preventive | |
Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 | Behavior | Preventive | |
Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment. CC ID 06664 | Establish/Maintain Documentation | Preventive | |
Require all personnel to re-sign the Code of Conduct, as necessary. CC ID 06666 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an ethics program. CC ID 11496 | Human Resources Management | Preventive | |
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 [{refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that falls within speculative activities prohibited by statutes; Article 44-7(1)(6) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that commits an activity prohibited by the National Security Act; Article 44-7(1)(8) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Other information with a content that attempts, aids, or abets to commit a crime. Article 44-7(1)(9) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that arouses fear or apprehension by reaching other persons repeatedly in the form of code, words, sound, image, or motion picture; Article 44-7(1)(3)] | Communicate | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Business Processes | Preventive | |
Establish, implement, and maintain an external reporting program. CC ID 12876 [{relevant authority} A provider of information and communications services may designate a chief information protection officer at a level of an executive officer for security of information and communications system, etc. and for safe administration of information: Provided, That in cases of any provider of information and communications services whose number of employees, number of users, etc. meet standards prescribed by Presidential Decree, he or she shall report its designation of the chief information protection officer to the Minister of Science, ICT and Future Planning. Article 45-3(1)] | Communicate | Preventive | |
Provide identifying information about the organization to the responsible party. CC ID 16715 | Communicate | Preventive | |
Identify the material topics required to be reported on. CC ID 15654 | Business Processes | Preventive | |
Check the list of material topics for completeness. CC ID 15692 | Investigate | Preventive | |
Prioritize material topics used in reporting. CC ID 15678 | Communicate | Preventive | |
Review and approve the material topics, as necessary. CC ID 15670 | Process or Activity | Preventive | |
Define the thresholds for reporting in the external reporting program. CC ID 15679 | Establish/Maintain Documentation | Preventive | |
Include time requirements in the external reporting program. CC ID 16566 | Communicate | Preventive | |
Include information about the organizational culture in the external reporting program. CC ID 15610 | Establish/Maintain Documentation | Preventive | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 [{relevant authority} When the identification service agency intends to discontinue the identification affairs, it shall notify the intention to the users no later than 60 days prior to the intended date of discontinuation and shall report the same to the Korea Communications Commission. Article 23-3(3) {relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2) {relevant authority} Every provider of telecommunications billing services shall prepare a standard contract form on telecommunications billing services and report it to the Minister of Science, ICT and Future Planning (including reporting on a revision thereto). Article 56(1)] | Communicate | Preventive | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Communicate | Preventive | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Establish/Maintain Documentation | Preventive | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Establish/Maintain Documentation | Preventive | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Establish/Maintain Documentation | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: A business plan. Article 53(1)(4)] | Establish/Maintain Documentation | Preventive | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Process or Activity | Preventive | |
Identify events that may affect organizational objectives. CC ID 12961 | Process or Activity | Preventive | |
Identify conditions that may affect organizational objectives. CC ID 12958 | Process or Activity | Preventive | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 | Business Processes | Preventive | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 | Business Processes | Preventive | |
Prioritize organizational objectives. CC ID 09960 | Business Processes | Preventive | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Business Processes | Preventive | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Communicate | Preventive | |
Include value distribution in the value generation model. CC ID 15603 | Establish/Maintain Documentation | Preventive | |
Include value retention in the value generation model. CC ID 15600 | Establish/Maintain Documentation | Preventive | |
Include value generation procedures in the value generation model. CC ID 15599 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Establish/Maintain Documentation | Preventive | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Establish/Maintain Documentation | Preventive | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Establish/Maintain Documentation | Preventive | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Establish/Maintain Documentation | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Establish/Maintain Documentation | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Establish/Maintain Documentation | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Communicate | Preventive | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 | Communicate | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 | Establish/Maintain Documentation | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Business Processes | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Process or Activity | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Process or Activity | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Business Processes | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Financial soundness; Article 53(1)(1)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Establish/Maintain Documentation | Preventive | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Communicate | Preventive | |
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Business Processes | Preventive | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Business Processes | Preventive | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Business Processes | Preventive | |
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Investigate | Detective | |
Attach the required information to each funds transfer. CC ID 16756 | Business Processes | Preventive | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Business Processes | Detective | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Business Processes | Preventive | |
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Testing | Preventive | |
Include communication protocols in the financial management program. CC ID 16763 | Establish/Maintain Documentation | Preventive | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Process or Activity | Preventive | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Process or Activity | Preventive | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Business Processes | Preventive | |
Identify and maintain positions in financial accounts. CC ID 16751 | Business Processes | Preventive | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Establish/Maintain Documentation | Preventive | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Process or Activity | Preventive | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Establish/Maintain Documentation | Preventive | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Establish/Maintain Documentation | Preventive | |
Supplement financial resources, as necessary. CC ID 16685 | Business Processes | Preventive | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Establish/Maintain Documentation | Preventive | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Establish/Maintain Documentation | Preventive | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Establish/Maintain Documentation | Preventive | |
Test the collateral requirements for appropriateness. CC ID 16681 | Testing | Preventive | |
Limit the types of assets accepted as collateral. CC ID 16602 | Business Processes | Preventive | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Business Processes | Preventive | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Testing | Preventive | |
Include stress scenarios in the stress test plan. CC ID 16659 | Testing | Preventive | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Process or Activity | Detective | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Testing | Preventive | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Communicate | Preventive | |
Identify and document the financial resources available for use. CC ID 16643 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Establish/Maintain Documentation | Preventive | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Business Processes | Preventive | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Establish/Maintain Documentation | Preventive | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Establish/Maintain Documentation | Preventive | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Establish/Maintain Documentation | Preventive | |
Include required information in the capital restoration plan. CC ID 16609 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Establish/Maintain Documentation | Preventive | |
Include investment information in approval requests for investments. CC ID 16590 | Business Processes | Preventive | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain lending policies. CC ID 16608 | Establish/Maintain Documentation | Preventive | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Process or Activity | Preventive | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Establish/Maintain Documentation | Preventive | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Establish/Maintain Documentation | Preventive | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Establish/Maintain Documentation | Preventive | |
Include pricing structures in the lending policy. CC ID 16724 | Establish/Maintain Documentation | Preventive | |
Include monitoring requirements in the lending policy. CC ID 16710 | Establish/Maintain Documentation | Preventive | |
Include loan origination procedures in the lending policy. CC ID 16709 | Establish/Maintain Documentation | Preventive | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Establish/Maintain Documentation | Preventive | |
Include loan requirements in the lending policy. CC ID 16706 | Establish/Maintain Documentation | Preventive | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Establish/Maintain Documentation | Preventive | |
Include terms and conditions in the lending policy. CC ID 16695 | Establish/Maintain Documentation | Preventive | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Establish/Maintain Documentation | Preventive | |
Include geographic areas in the lending policy. CC ID 16691 | Establish/Maintain Documentation | Preventive | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Establish/Maintain Documentation | Preventive | |
Include credit review in the underwriting guidelines. CC ID 16765 | Establish/Maintain Documentation | Preventive | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Establish/Maintain Documentation | Preventive | |
Include documentation requirements in the lending policy. CC ID 16617 | Establish/Maintain Documentation | Preventive | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Establish/Maintain Documentation | Preventive | |
Include the source of repayment in the loan documentation. CC ID 16746 | Establish/Maintain Documentation | Preventive | |
Include approval requirements in the lending policy. CC ID 16615 | Establish/Maintain Documentation | Preventive | |
Include reporting requirements in the lending policy. CC ID 16614 | Establish/Maintain Documentation | Preventive | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Establish/Maintain Documentation | Preventive | |
Include loan administration procedures in the lending policy. CC ID 16610 | Establish/Maintain Documentation | Preventive | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Establish/Maintain Documentation | Preventive | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Establish/Maintain Documentation | Preventive | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Establish/Maintain Documentation | Preventive | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Establish/Maintain Documentation | Preventive | |
Include claims processing in the loan administration procedures. CC ID 16742 | Establish/Maintain Documentation | Preventive | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Establish/Maintain Documentation | Preventive | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Establish/Maintain Documentation | Preventive | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Establish/Maintain Documentation | Preventive | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Process or Activity | Preventive | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Establish/Maintain Documentation | Preventive | |
Include loan closing in the loan administration procedures. CC ID 16734 | Establish/Maintain Documentation | Preventive | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Establish/Maintain Documentation | Preventive | |
Include payment processing in the loan administration procedures. CC ID 16732 | Establish/Maintain Documentation | Preventive | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Establish/Maintain Documentation | Preventive | |
Include collections in the loan administration procedures. CC ID 16701 | Establish/Maintain Documentation | Preventive | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Establish/Maintain Documentation | Preventive | |
Include disbursements in the loan administration procedures. CC ID 16697 | Establish/Maintain Documentation | Preventive | |
Review and approve lending policies. CC ID 16607 | Business Processes | Preventive | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the dividend policy. CC ID 16570 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain margin systems. CC ID 16601 | Business Processes | Preventive | |
Include valuation models in the margin system. CC ID 16663 | Data and Information Management | Preventive | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Data and Information Management | Preventive | |
Include reliable sources for price data in the margin system. CC ID 16661 | Data and Information Management | Preventive | |
Validate the margin system on a regular basis. CC ID 16660 | Testing | Detective | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Process or Activity | Detective | |
Monitor the performance of the margin system. CC ID 16655 | Monitor and Evaluate Occurrences | Detective | |
Analyze the performance of the margin system. CC ID 16654 | Process or Activity | Detective | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Business Processes | Preventive | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Establish/Maintain Documentation | Preventive | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Investigate | Detective | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Communicate | Preventive | |
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Establish/Maintain Documentation | Preventive | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Establish/Maintain Documentation | Preventive | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Establish/Maintain Documentation | Preventive | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Establish/Maintain Documentation | Preventive | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Data and Information Management | Preventive | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Data and Information Management | Preventive | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Data and Information Management | Preventive | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Data and Information Management | Preventive | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Data and Information Management | Preventive | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Data and Information Management | Preventive | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Data and Information Management | Preventive | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Data and Information Management | Preventive | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Data and Information Management | Preventive | |
Include account information In the recordkeeping system for securities transactions. CC ID 16632 | Data and Information Management | Preventive | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Establish/Maintain Documentation | Preventive | |
Include the call date in the securities transaction notification. CC ID 16680 | Establish/Maintain Documentation | Preventive | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Establish/Maintain Documentation | Preventive | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Establish/Maintain Documentation | Preventive | |
Include the call price in the securities transaction notification. CC ID 16678 | Establish/Maintain Documentation | Preventive | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Establish/Maintain Documentation | Preventive | |
Include transactions in the securities transaction notification. CC ID 16676 | Establish/Maintain Documentation | Preventive | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Establish/Maintain Documentation | Preventive | |
Include yield information in the securities transaction notification. CC ID 16673 | Establish/Maintain Documentation | Preventive | |
Include redemption information in the securities transaction notification. CC ID 16672 | Establish/Maintain Documentation | Preventive | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Establish/Maintain Documentation | Preventive | |
Include the type of call in the securities transaction notification. CC ID 16668 | Establish/Maintain Documentation | Preventive | |
Include an account statement in the securities transaction notification. CC ID 16666 | Establish/Maintain Documentation | Preventive | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Establish/Maintain Documentation | Preventive | |
Include the execution price in the securities transaction notification. CC ID 16664 | Establish/Maintain Documentation | Preventive | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Establish/Maintain Documentation | Preventive | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Establish/Maintain Documentation | Preventive | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Establish/Maintain Documentation | Preventive | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Establish/Maintain Documentation | Preventive | |
Include confirmations in the securities transaction notification. CC ID 16623 | Establish/Maintain Documentation | Preventive | |
Include remunerations in the securities transaction notification. CC ID 16622 | Establish/Maintain Documentation | Preventive | |
Include requested information in the securities transaction notification. CC ID 16641 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Communicate | Preventive | |
Include the execution date in the securities transaction notification. CC ID 16620 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 | Establish/Maintain Documentation | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Establish/Maintain Documentation | Preventive | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Establish/Maintain Documentation | Preventive | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Communicate | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Establish/Maintain Documentation | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Establish/Maintain Documentation | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Establish/Maintain Documentation | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Establish/Maintain Documentation | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Establish/Maintain Documentation | Preventive | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Establish/Maintain Documentation | Preventive | |
Include assets and liabilities in the call report. CC ID 16729 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Communicate | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Log Management | Detective | |
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 [A chief information protection officer shall be responsible for the following matters: Prevention of and response to an intrusion; Article 45-3(3)(3)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitor and Evaluate Occurrences | Preventive | |
Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 [The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Installation of a systematic or technical device for preventing unlawful use of information and communications networks; Article 51(3)(1)] | Configuration | Preventive | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system security plan. CC ID 01922 [Every provider of information and communications services shall take protective measures to secure the reliability of the information and security of the information and communications networks. Article 45(1)] | Testing | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Establish/Maintain Documentation | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Establish/Maintain Documentation | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Establish/Maintain Documentation | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Establish/Maintain Documentation | Preventive | |
Include threats in the system security plan. CC ID 14693 | Establish/Maintain Documentation | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Establish/Maintain Documentation | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Establish/Maintain Documentation | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Communicate | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Establish/Maintain Documentation | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Establish/Maintain Documentation | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Establish/Maintain Documentation | Preventive | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Process or Activity | Preventive | |
Include security controls in the system security plan. CC ID 14239 [Every business operator who operates and manages clustered information and communications facilities to render information and communications services on behalf of another person (hereinafter referred to as "business operator of clustered information and communications facilities") shall take protective measures as prescribed by Presidential Decree to operate the information and communications facilities stably. Article 46(1)] | Establish/Maintain Documentation | Preventive | |
Create specific test plans to test each system component. CC ID 00661 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Establish/Maintain Documentation | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Establish/Maintain Documentation | Preventive | |
Include the scope in the test plans. CC ID 14293 | Establish/Maintain Documentation | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Establish/Maintain Documentation | Preventive | |
Approve the system security plan. CC ID 14241 | Business Processes | Preventive | |
Adhere to the system security plan. CC ID 11640 | Testing | Detective | |
Review the test plans for each system component. CC ID 00662 | Establish/Maintain Documentation | Preventive | |
Validate all testing assumptions in the test plans. CC ID 00663 | Testing | Detective | |
Document validated testing processes in the testing procedures. CC ID 06200 | Establish/Maintain Documentation | Preventive | |
Require testing procedures to be complete. CC ID 00664 | Testing | Detective | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Establish/Maintain Documentation | Preventive | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Testing | Preventive | |
Implement automated audit tools. CC ID 04882 | Acquisition/Sale of Assets or Services | Preventive | |
Assign senior management to approve test plans. CC ID 13071 | Human Resources Management | Preventive | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Establish/Maintain Documentation | Preventive | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitor and Evaluate Occurrences | Detective | |
Correct compliance violations. CC ID 13515 [{problem} Where services which a provider of information and communications services provides to users under a contract for use are used for transmitting advertising information for profits, in violation of Article 50 or 50-8, the relevant provider of information and communications services shall formulate necessary measures, such as refusal to provide the relevant services or fix of problmes of information and communications networks or services. Article 50-4(4)] | Process or Activity | Corrective | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [Where a person responsible for protection of personal information becomes aware of a fact of violation of this Act or other relevant statute, he or she shall take measures for improvement immediately, and if necessary, report the measures for improvement to the business owner or representative of the provider, etc. of information and communications services: Provided, That the provisions concerning reporting of measures for improvement shall not apply where the business owner or representative is the person responsible for protection of personal information pursuant to paragraph (2). Article 27(4)] | Monitor and Evaluate Occurrences | Detective | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Business Processes | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Establish/Maintain Documentation | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Establish/Maintain Documentation | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Establish/Maintain Documentation | Preventive | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitor and Evaluate Occurrences | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [A business operator of clustered information and communications facilities shall, once the event that caused suspension of services terminates, resume its services immediately. Article 46-2(3)] | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Communicate | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Establish/Maintain Documentation | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Establish/Maintain Documentation | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Human Resources Management | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Establish/Maintain Documentation | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Establish/Maintain Documentation | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Establish/Maintain Documentation | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Establish/Maintain Documentation | Preventive | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Investigate | Detective | |
Test the recovery plan, as necessary. CC ID 13290 | Testing | Detective | |
Test the backup information, as necessary. CC ID 13303 | Testing | Detective | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Communicate | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Establish/Maintain Documentation | Preventive | |
Include purchasing insurance in the continuity plan. CC ID 00762 | Establish/Maintain Documentation | Preventive | |
Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 [Every business operator of clustered information and communications facilities shall purchase insurance policies as prescribed by Presidential Decree to cover damages that may be caused by destruction or damage of the clustered information and communications facilities or any other trouble in operation. Article 46(2)] | Acquisition/Sale of Assets or Services | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Establishment and implementation of an internal control plan for managing personal information in a safe way; Article 28(1)(1)] | Establish/Maintain Documentation | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Business Processes | Preventive | |
Review the relevance of information supporting internal controls. CC ID 12420 | Business Processes | Detective | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Actionable Reports or Measurements | Corrective | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Establish Roles | Preventive | |
Assign resources to implement the internal control framework. CC ID 00816 | Business Processes | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Establish Roles | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Business Processes | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Business Processes | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Establish/Maintain Documentation | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Establish/Maintain Documentation | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Establish/Maintain Documentation | Preventive | |
Automate threat assessments, as necessary. CC ID 06877 | Configuration | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Establish/Maintain Documentation | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Configuration | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Establish/Maintain Documentation | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Establish/Maintain Documentation | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Establish/Maintain Documentation | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Establish/Maintain Documentation | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Communicate | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Process or Activity | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Establish/Maintain Documentation | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Establish/Maintain Documentation | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Establish/Maintain Documentation | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Establish/Maintain Documentation | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Communicate | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [A chief information protection officer shall be responsible for the following matters: Analysis/evaluation and improvement of the weakness of information protection; Article 45-3(3)(2) A chief information protection officer shall be responsible for the following matters: Preparation of preliminary measures for information protection and designing/realization, etc. of security measures; Article 45-3(3)(4) A chief information protection officer shall be responsible for the following matters: Other matters, such as taking necessary measures for protection of information pursuant to this Act or other relevant statutes. Article 45-3(3)(7) Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)] | Establish/Maintain Documentation | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Establish/Maintain Documentation | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)] | Establish/Maintain Documentation | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 [A chief information protection officer shall be responsible for the following matters: Establishment and administration/operation of an administrative system for information protection; Article 45-3(3)(1) Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)] | Establish/Maintain Documentation | Preventive | |
Include system development in the information security program. CC ID 12389 | Establish/Maintain Documentation | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Establish/Maintain Documentation | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Establish/Maintain Documentation | Preventive | |
Include access control in the information security program. CC ID 12386 | Establish/Maintain Documentation | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Process or Activity | Detective | |
Include operations management in the information security program. CC ID 12385 | Establish/Maintain Documentation | Preventive | |
Include communication management in the information security program. CC ID 12384 | Establish/Maintain Documentation | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Establish/Maintain Documentation | Preventive | |
Include physical security in the information security program. CC ID 12382 | Establish/Maintain Documentation | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Establish/Maintain Documentation | Preventive | |
Include asset management in the information security program. CC ID 12380 | Establish/Maintain Documentation | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Establish/Maintain Documentation | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Establish/Maintain Documentation | Preventive | |
include recovery procedures in the continuous monitoring plan. CC ID 16226 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Establish/Maintain Documentation | Preventive | |
Include risk management in the information security program. CC ID 12378 | Establish/Maintain Documentation | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
Provide management direction and support for the information security program. CC ID 11999 | Process or Activity | Preventive | |
Monitor and review the effectiveness of the information security program. CC ID 12744 [A chief information protection officer shall be responsible for the following matters: Review of a preliminary security for information protection; Article 45-3(3)(5)] | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Establish/Maintain Documentation | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Business Processes | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Establish/Maintain Documentation | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Establish/Maintain Documentation | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Establish/Maintain Documentation | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Process or Activity | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Business Processes | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Establish/Maintain Documentation | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Process or Activity | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Establish Roles | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Human Resources Management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Establish/Maintain Documentation | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Human Resources Management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Communicate | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Establish/Maintain Documentation | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Behavior | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Establish/Maintain Documentation | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Establish/Maintain Documentation | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Establish/Maintain Documentation | Preventive | |
Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)] | Establish/Maintain Documentation | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Establish/Maintain Documentation | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Establish/Maintain Documentation | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Records Management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Business Processes | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Communicate | Preventive | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Establish/Maintain Documentation | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Establish/Maintain Documentation | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Establish/Maintain Documentation | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Establish/Maintain Documentation | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Establish/Maintain Documentation | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Establish/Maintain Documentation | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Establish/Maintain Documentation | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Establish/Maintain Documentation | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Establish/Maintain Documentation | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Establish/Maintain Documentation | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Establish/Maintain Documentation | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Establish/Maintain Documentation | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Establish/Maintain Documentation | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Communicate | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Business Processes | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Establish/Maintain Documentation | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Establish/Maintain Documentation | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Data and Information Management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Service Management System. CC ID 13889 | Business Processes | Preventive | |
Establish, implement, and maintain a service management program. CC ID 11388 [{relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2) {relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2)] | Establish/Maintain Documentation | Preventive | |
Communicate the service management program to interested personnel and affected parties. CC ID 13904 | Communicate | Preventive | |
Communicate service management release success or failures to interested personnel and affected parties, as necessary. CC ID 13927 | Communicate | Preventive | |
Communicate the release dates of applicable services to interested personnel and affected parties. CC ID 13924 | Communicate | Preventive | |
Include the implications of failing to comply with the Service Management System requirements in the communication plan for the service management program. CC ID 13909 | Communicate | Preventive | |
Include the benefits of improved performance in the communication plan for the service management program. CC ID 13908 | Communicate | Preventive | |
Include the importance of conforming to the Service Management System requirements in the communication plan for the service management program. CC ID 13907 | Communicate | Preventive | |
Include a service management plan in the service management program. CC ID 13902 | Establish/Maintain Documentation | Preventive | |
Include the information security policy in the service management program. CC ID 13925 | Establish/Maintain Documentation | Preventive | |
Include the change management policy in the service management program. CC ID 13923 | Establish/Maintain Documentation | Preventive | |
Include the service management objectives in the service management program. CC ID 11389 | Establish/Maintain Documentation | Preventive | |
Include the service requirements in the service management program. CC ID 11390 | Establish/Maintain Documentation | Preventive | |
Include known limitations in the service management program. CC ID 11391 | Establish/Maintain Documentation | Preventive | |
Include service management policies in the service management program. CC ID 11392 | Establish/Maintain Documentation | Preventive | |
Assign roles and responsibilities in the service management program. CC ID 11393 | Establish/Maintain Documentation | Preventive | |
Include all resources needed to achieve the objectives in the service management program. CC ID 11394 | Establish/Maintain Documentation | Preventive | |
Include supply chain management procedures in the service management program. CC ID 11395 | Establish/Maintain Documentation | Preventive | |
Include service management procedures in the service management program. CC ID 11396 | Establish/Maintain Documentation | Preventive | |
Include risk procedures in the service management program. CC ID 11397 | Establish/Maintain Documentation | Preventive | |
Include continuity plans in the Service Management program. CC ID 13919 | Establish/Maintain Documentation | Preventive | |
Include all technologies used to support service management in the service management program. CC ID 11398 | Establish/Maintain Documentation | Preventive | |
Include auditing and improving service management procedures in the service management program. CC ID 11399 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the suspension period of suspended services to interested personnel and affected parties. CC ID 15459 [{relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2) {relevant authority} When the identification service agency intends to discontinue the identification affairs, it shall notify the intention to the users no later than 60 days prior to the intended date of discontinuation and shall report the same to the Korea Communications Commission. Article 23-3(3)] | Communicate | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 | Establish/Maintain Documentation | Preventive | |
Contain the incident to prevent further loss. CC ID 01751 [A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If it is anticipated that an abnormality found in the information system of a person who uses clustered information and communications facilities (hereinafter referred to as "user of facilities") will probably cause a serious trouble to the information system of other users of facilities or clustered information and communications facilities; Article 46-2(1)(1) A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If it is anticipated that an intrusion from outside will probably cause a serious trouble to the clustered information and communications facilities; Article 46-2(1)(2) {relevant authority}A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If there occurs a serious intrusion and the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency requests to suspend the services. Article 46-2(1)(3)] | Process or Activity | Corrective | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Technical Security | Corrective | |
Refrain from accessing compromised systems. CC ID 01752 | Technical Security | Corrective | |
Isolate compromised systems from the network. CC ID 01753 | Technical Security | Corrective | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Log Management | Corrective | |
Change authenticators after a security incident has been detected. CC ID 06789 | Technical Security | Corrective | |
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Investigate | Detective | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Establish/Maintain Documentation | Preventive | |
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Establish/Maintain Documentation | Detective | |
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Establish/Maintain Documentation | Detective | |
Share incident information with interested personnel and affected parties. CC ID 01212 [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)] | Data and Information Management | Corrective | |
Share data loss event information with the media. CC ID 01759 | Behavior | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Data and Information Management | Preventive | |
Share data loss event information with interconnected system owners. CC ID 01209 | Establish/Maintain Documentation | Corrective | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Article 27-3(1)(5) {relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1) {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Measures available for users to take; Article 27-3(1)(3) {relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2) {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Each item of the personal information leaked; Article 27-3(1)(1) {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Countermeasures to be taken by a provider of information and communications services or similar; Article 27-3(1)(4) {relevant authority} A person falling under any of the following subparagraphs shall, where he or she discovers an intrusion, immediately report it to the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency. In such cases, a notice given in accordance with Article 13 (1) of the Act on the Protection of Information and Communications Infrastructure shall be deemed a report under the foregoing sentence: Article 48-3(1) {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Point of time the personal information is leaked; Article 27-3(1)(2)] | Data and Information Management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [{relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1)] | Behavior | Corrective | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Behavior | Detective | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Behavior | Corrective | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Establish/Maintain Documentation | Preventive | |
Avoid false positive incident response notifications. CC ID 04732 | Behavior | Detective | |
Establish, implement, and maintain incident response notifications. CC ID 12975 | Establish/Maintain Documentation | Corrective | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
Include information required by law in incident response notifications. CC ID 00802 | Establish/Maintain Documentation | Detective | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Establish/Maintain Documentation | Preventive | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Establish/Maintain Documentation | Preventive | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Establish/Maintain Documentation | Preventive | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Establish/Maintain Documentation | Preventive | |
Use plain language to write incident response notifications. CC ID 12976 | Establish/Maintain Documentation | Preventive | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Establish/Maintain Documentation | Preventive | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
Include the affected parties rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Establish/Maintain Documentation | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Establish/Maintain Documentation | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 [{relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2) A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)] | Establish/Maintain Documentation | Preventive | |
Include time information in incident response notifications. CC ID 04745 | Establish/Maintain Documentation | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Establish/Maintain Documentation | Preventive | |
Include the type of information that was lost in incident response notifications. CC ID 04735 [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Each item of the personal information leaked; Article 27-3(1)(1)] | Establish/Maintain Documentation | Preventive | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Establish/Maintain Documentation | Preventive | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Establish/Maintain Documentation | Preventive | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Establish/Maintain Documentation | Preventive | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Establish/Maintain Documentation | Preventive | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Establish/Maintain Documentation | Preventive | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Establish/Maintain Documentation | Preventive | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Establish/Maintain Documentation | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
Include any consequences in the incident response notifications. CC ID 12604 | Establish/Maintain Documentation | Preventive | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Establish/Maintain Documentation | Preventive | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Establish/Maintain Documentation | Preventive | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Establish/Maintain Documentation | Detective | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
Include contact information in incident response notifications. CC ID 04739 [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Article 27-3(1)(5)] | Establish/Maintain Documentation | Preventive | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Behavior | Corrective | |
Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Behavior | Corrective | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Behavior | Corrective | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Behavior | Corrective | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Behavior | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Establish/Maintain Documentation | Preventive | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Establish/Maintain Documentation | Preventive | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Behavior | Preventive | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Behavior | Corrective | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Behavior | Preventive | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Behavior | Corrective | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 [{relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1)] | Communicate | Preventive | |
Provide customer security advice, as necessary. CC ID 13674 [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Measures available for users to take; Article 27-3(1)(3) A major provider of information and communications services may, if it is foreseen that a serious problem is likely to occur in the information system of a user who uses the services, the information and communications network, or similar provided by it because of an occurrence of a serious intrusion on its information and communications network, request the user to take necessary protective measures as stipulated by the standard user agreement, and may place a temporary restriction on access to the relevant information and communications network if the user does not perform as requested. Article 47-4(2)] | Communicate | Preventive | |
Use simple understandable language when providing customer security advice. CC ID 13685 | Communicate | Preventive | |
Disseminate and communicate to customers the risks associated with transaction limits. CC ID 13686 | Communicate | Preventive | |
Display customer security advice prominently. CC ID 13667 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive | |
Create an incident response report following an incident response. CC ID 12700 | Establish/Maintain Documentation | Preventive | |
Include information on all affected assets in the incident response report. CC ID 12718 [{relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2) {relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2)] | Establish/Maintain Documentation | Preventive | |
Include the duration of the incident in the incident response report. CC ID 12716 [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)] | Establish/Maintain Documentation | Preventive | |
Include the reasons the incident occurred in the incident response report. CC ID 12711 [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)] | Establish/Maintain Documentation | Preventive | |
Include when the incident occurred in the incident response report. CC ID 12709 [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2) {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Point of time the personal information is leaked; Article 27-3(1)(2)] | Establish/Maintain Documentation | Preventive | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Countermeasures to be taken by a provider of information and communications services or similar; Article 27-3(1)(4)] | Establish/Maintain Documentation | Preventive | |
Include a root cause analysis of the incident in the incident response report. CC ID 12701 [{relevant authority}{loss}{theft}{leakage}{personal information} A provider of information and communications services, etc. shall explain just cause under the main sentence of and proviso to paragraph (1) to the Korea Communications Commission. Article 27-3(3)] | Establish/Maintain Documentation | Preventive | |
Analyze and respond to security alerts. CC ID 12504 [{mitigate} A person who operates an information and communications network, including a provider of information and communications services, shall analyze causes of intrusion and keep damage from intrusion at bay, whenever an intrusion occurs. Article 48-4(1)] | Business Processes | Detective | |
Mitigate reported incidents. CC ID 12973 [{mitigate} A person who operates an information and communications network, including a provider of information and communications services, shall analyze causes of intrusion and keep damage from intrusion at bay, whenever an intrusion occurs. Article 48-4(1)] | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain an incident response plan. CC ID 12056 [A chief information protection officer shall be responsible for the following matters: Prevention of and response to an intrusion; Article 45-3(3)(3)] | Establish/Maintain Documentation | Preventive | |
Include addressing external communications in the incident response plan. CC ID 13351 | Establish/Maintain Documentation | Preventive | |
Include addressing internal communications in the incident response plan. CC ID 13350 | Establish/Maintain Documentation | Preventive | |
Include change control procedures in the incident response plan. CC ID 15479 | Establish/Maintain Documentation | Preventive | |
Include addressing information sharing in the incident response plan. CC ID 13349 | Establish/Maintain Documentation | Preventive | |
Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Establish/Maintain Documentation | Preventive | |
Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Establish/Maintain Documentation | Preventive | |
Include the management support needed for incident response in the incident response plan. CC ID 14300 | Establish/Maintain Documentation | Preventive | |
Include root cause analysis in the incident response plan. CC ID 16423 | Establish/Maintain Documentation | Preventive | |
Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Establish/Maintain Documentation | Preventive | |
Include the resources needed for incident response in the incident response plan. CC ID 14292 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 [{relevant authority} A software business operator under Article 2 of the Software Industry Promotion Act shall, when he or she produced a program that improves weaknesses in security, notify the Korea Internet and Security Agency of its production, and shall notify users of the software of the production at least twice within one month from the date of production. Article 47-4(3)] | Behavior | Preventive | |
Manage the creation of products and services, as necessary. CC ID 13497 | Business Processes | Preventive | |
Delete age-restricted content, as necessary. CC ID 15450 [A provider of information and communications services shall, if there is any unwholesome medium for juvenile published in violation of the labeling method under Article 42 in the information and communications network operated and managed by him or her or if a content advertising any unwholesome medium for juvenile is displayed in such network without any measures to restrict access by juvenile under Article 42-2, delete such content without delay. Article 44-2(3)] | Process or Activity | Preventive | |
Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448 [The person responsible for protection of juvenile shall block and control unwholesome information for juvenile in the information and communications network, and shall perform business affairs for protection of juvenile, including establishment of a plan for protection of juvenile from unwholesome information for juvenile. Article 42-3(3) The person responsible for protection of juvenile shall block and control unwholesome information for juvenile in the information and communications network, and shall perform business affairs for protection of juvenile, including establishment of a plan for protection of juvenile from unwholesome information for juvenile. Article 42-3(3)] | Establish/Maintain Documentation | Preventive | |
Control the distribution of media containing age-restricted content, as necessary. CC ID 15446 [The person responsible for protection of juvenile shall block and control unwholesome information for juvenile in the information and communications network, and shall perform business affairs for protection of juvenile, including establishment of a plan for protection of juvenile from unwholesome information for juvenile. Article 42-3(3) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with an obscene content distributed, sold, rented, or displayed openly in the form of code, words, sound, image, or motion picture; Article 44-7(1)(1) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that falls within an unwholesome medium for juvenile under the Juvenile Protection Act and that is provided for profit without fulfilling the duties and obligations under relevant statutes, including the duty to verify the opposite party's age and the duty of labeling; Article 44-7(1)(5) {refrain from transmitting}{refrain from displaying}{refrain from taking} No one may transmit, to a juvenile under subparagraph 1 of Article 2 of the Juvenile Protection Act, any information containing an advertisement of an unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the aforesaid Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in the form of code, letter, voice, sound, image, or motion picture through an information and communications network or display such medium to the general public without taking any measure to restrict access by a juvenile. Article 42-2 ¶ 1] | Process or Activity | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a physical security program. CC ID 11757 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Human resources and physical facilities required for carrying on the business; Article 53(1)(3)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Establish/Maintain Documentation | Preventive | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Behavior | Preventive | |
Protect the facility from crime. CC ID 06347 | Physical and Environmental Protection | Preventive | |
Define communication methods for reporting crimes. CC ID 06349 | Establish/Maintain Documentation | Preventive | |
Include identification cards or badges in the physical security program. CC ID 14818 | Establish/Maintain Documentation | Preventive | |
Protect facilities from eavesdropping. CC ID 02222 | Physical and Environmental Protection | Preventive | |
Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and Environmental Protection | Detective | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Technical Security | Preventive | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Establish/Maintain Documentation | Preventive | |
Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and Environmental Protection | Preventive | |
Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and Environmental Protection | Preventive | |
Create security zones in facilities, as necessary. CC ID 16295 | Physical and Environmental Protection | Preventive | |
Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain floor plans. CC ID 16419 | Establish/Maintain Documentation | Preventive | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Establish/Maintain Documentation | Preventive | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Communicate | Preventive | |
Post and maintain security signage for all facilities. CC ID 02201 | Establish/Maintain Documentation | Preventive | |
Inspect items brought into the facility. CC ID 06341 | Physical and Environmental Protection | Preventive | |
Maintain all physical security systems. CC ID 02206 | Physical and Environmental Protection | Preventive | |
Detect anomalies in physical barriers. CC ID 13533 | Investigate | Detective | |
Maintain all security alarm systems. CC ID 11669 | Physical and Environmental Protection | Preventive | |
Identify and document physical access controls for all physical entry points. CC ID 01637 | Establish/Maintain Documentation | Preventive | |
Control physical access to (and within) the facility. CC ID 01329 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain physical access procedures. CC ID 13629 | Establish/Maintain Documentation | Preventive | |
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and Environmental Protection | Preventive | |
Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and Environmental Protection | Detective | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Establish/Maintain Documentation | Preventive | |
Escort visitors within the facility, as necessary. CC ID 06417 | Establish/Maintain Documentation | Preventive | |
Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and Environmental Protection | Preventive | |
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Testing | Preventive | |
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Behavior | Preventive | |
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Establish/Maintain Documentation | Preventive | |
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Establish/Maintain Documentation | Preventive | |
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and Environmental Protection | Corrective | |
Authorize physical access to sensitive areas based on job functions. CC ID 12462 | Establish/Maintain Documentation | Preventive | |
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain physical identification procedures. CC ID 00713 | Establish/Maintain Documentation | Preventive | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Human Resources Management | Preventive | |
Implement physical identification processes. CC ID 13715 | Process or Activity | Preventive | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Process or Activity | Preventive | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and Environmental Protection | Preventive | |
Implement operational requirements for card readers. CC ID 02225 | Testing | Preventive | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Establish/Maintain Documentation | Preventive | |
Document all lost badges in a lost badge list. CC ID 12448 | Establish/Maintain Documentation | Corrective | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and Environmental Protection | Preventive | |
Manage constituent identification inside the facility. CC ID 02215 | Behavior | Preventive | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Human Resources Management | Preventive | |
Manage visitor identification inside the facility. CC ID 11670 | Physical and Environmental Protection | Preventive | |
Issue visitor identification badges to all non-employees. CC ID 00543 | Behavior | Preventive | |
Secure unissued visitor identification badges. CC ID 06712 | Physical and Environmental Protection | Preventive | |
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Behavior | Preventive | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Establish/Maintain Documentation | Preventive | |
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Process or Activity | Preventive | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Establish/Maintain Documentation | Preventive | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Business Processes | Preventive | |
Include information security in the identification issuance procedures. CC ID 15425 | Establish/Maintain Documentation | Preventive | |
Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Process or Activity | Preventive | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Establish/Maintain Documentation | Preventive | |
Include an identity registration process in the identification issuance procedures. CC ID 11671 | Establish/Maintain Documentation | Preventive | |
Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and Environmental Protection | Preventive | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and Environmental Protection | Preventive | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and Environmental Protection | Preventive | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Establish/Maintain Documentation | Preventive | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Human Resources Management | Preventive | |
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Establish/Maintain Documentation | Preventive | |
Prevent tailgating through physical entry points. CC ID 06685 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a door security standard. CC ID 06686 | Establish/Maintain Documentation | Preventive | |
Install doors so that exposed hinges are on the secured side. CC ID 06687 | Configuration | Preventive | |
Install emergency doors to permit egress only. CC ID 06688 | Configuration | Preventive | |
Install contact alarms on doors, as necessary. CC ID 06710 | Configuration | Preventive | |
Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and Environmental Protection | Preventive | |
Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Configuration | Preventive | |
Test locks for physical security vulnerabilities. CC ID 04880 | Testing | Detective | |
Secure unissued access mechanisms. CC ID 06713 | Technical Security | Preventive | |
Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Establish/Maintain Documentation | Preventive | |
Change cipher lock codes, as necessary. CC ID 06651 | Technical Security | Preventive | |
Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a window security standard. CC ID 06689 | Establish/Maintain Documentation | Preventive | |
Install contact alarms on openable windows, as necessary. CC ID 06690 | Configuration | Preventive | |
Install glass break alarms on windows, as necessary. CC ID 06691 | Configuration | Preventive | |
Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Establish/Maintain Documentation | Preventive | |
Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and Environmental Protection | Preventive | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and Environmental Protection | Preventive | |
Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and Environmental Protection | Preventive | |
Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and Environmental Protection | Preventive | |
Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and Environmental Protection | Preventive | |
Screen incoming mail and deliveries. CC ID 06719 | Physical and Environmental Protection | Preventive | |
Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Establish/Maintain Documentation | Preventive | |
Establish a security room, if necessary. CC ID 00738 | Physical and Environmental Protection | Preventive | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and Environmental Protection | Preventive | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and Environmental Protection | Preventive | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and Environmental Protection | Preventive | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and Environmental Protection | Detective | |
Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Establish/Maintain Documentation | Preventive | |
Establish, Implement, and maintain a camera operating policy. CC ID 15456 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Communicate | Preventive | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 | Monitor and Evaluate Occurrences | Detective | |
Establish and maintain a visitor log. CC ID 00715 | Log Management | Preventive | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Investigate | Detective | |
Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Establish/Maintain Documentation | Preventive | |
Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Behavior | Preventive | |
Record the visitor's name in the visitor log. CC ID 00557 | Log Management | Preventive | |
Record the visitor's organization in the visitor log. CC ID 12121 | Log Management | Preventive | |
Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Log Management | Preventive | |
Record the date and time of entry in the visitor log. CC ID 13255 | Establish/Maintain Documentation | Preventive | |
Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Establish/Maintain Documentation | Preventive | |
Retain all records in the visitor log as prescribed by law. CC ID 00572 | Log Management | Preventive | |
Establish, implement, and maintain a physical access log. CC ID 12080 | Establish/Maintain Documentation | Preventive | |
Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Log Management | Preventive | |
Log when the vault is accessed. CC ID 06725 | Log Management | Detective | |
Log when the cabinet is accessed. CC ID 11674 | Log Management | Detective | |
Store facility access logs in off-site storage. CC ID 06958 | Log Management | Preventive | |
Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Monitor and Evaluate Occurrences | Preventive | |
Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 | Monitor and Evaluate Occurrences | Detective | |
Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 | Monitor and Evaluate Occurrences | Detective | |
Configure video cameras to cover all physical entry points. CC ID 06302 | Configuration | Preventive | |
Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Configuration | Preventive | |
Retain video events according to Records Management procedures. CC ID 06304 | Records Management | Preventive | |
Monitor physical entry point alarms. CC ID 01639 | Physical and Environmental Protection | Detective | |
Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Monitor and Evaluate Occurrences | Detective | |
Monitor for alarmed security doors being propped open. CC ID 06684 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain physical security threat reports. CC ID 02207 | Establish/Maintain Documentation | Preventive | |
Build and maintain fencing, as necessary. CC ID 02235 | Physical and Environmental Protection | Preventive | |
Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and Environmental Protection | Preventive | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and Environmental Protection | Preventive | |
Employ security guards to provide physical security, as necessary. CC ID 06653 | Establish Roles | Preventive | |
Establish, implement, and maintain a facility wall standard. CC ID 06692 | Establish/Maintain Documentation | Preventive | |
Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and Environmental Protection | Preventive | |
Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Configuration | Preventive | |
Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Behavior | Preventive | |
Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Behavior | Preventive | |
Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Business Processes | Preventive | |
Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Behavior | Preventive | |
Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Behavior | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [{unauthorized manipulation}The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Systematic and technical measures for preventing unlawful destruction or manipulation of information; Article 51(3)(2)] | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Data and Information Management | Preventive | |
Establish and maintain privacy notices, as necessary. CC ID 13443 | Establish/Maintain Documentation | Preventive | |
Include the purpose of the privacy notice in the privacy notice. CC ID 13526 | Establish/Maintain Documentation | Preventive | |
Include the processing purpose in the privacy notice. CC ID 16543 | Establish/Maintain Documentation | Preventive | |
Include contact information in the privacy notice. CC ID 14432 [{be responsible}The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name and address of the person responsible for protection of personal information or the department responsible for business affairs related to the protection of personal information and processing related complaints and other contact information of such person or department. Article 27-2(2)(7)] | Establish/Maintain Documentation | Preventive | |
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 | Establish/Maintain Documentation | Preventive | |
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Establish/Maintain Documentation | Preventive | |
Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 | Establish/Maintain Documentation | Preventive | |
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 | Establish/Maintain Documentation | Preventive | |
Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 | Establish/Maintain Documentation | Preventive | |
Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 | Establish/Maintain Documentation | Preventive | |
Include the personal data collection categories in the privacy notice. CC ID 13457 | Establish/Maintain Documentation | Preventive | |
Include disclosure exceptions in the privacy notice. CC ID 13447 | Establish/Maintain Documentation | Preventive | |
Include the types of personal data disclosed in the privacy notice. CC ID 13446 | Establish/Maintain Documentation | Preventive | |
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Establish/Maintain Documentation | Preventive | |
Specify the time frame that notice will be given. CC ID 00385 | Establish/Maintain Documentation | Preventive | |
Include the information about the appeal process in the privacy notice. CC ID 15312 [{information}{violate}{right} Every provider of information and communications services shall clearly state the details, procedure, and other matters concerning necessary measures in its standardized agreement in advance. Article 44-2(5)] | Establish/Maintain Documentation | Preventive | |
Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 | Establish/Maintain Documentation | Preventive | |
Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 | Communicate | Preventive | |
Deliver privacy notices to data subjects, as necessary. CC ID 13444 | Communicate | Preventive | |
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Establish/Maintain Documentation | Preventive | |
Update privacy notices, as necessary. CC ID 13474 | Communicate | Preventive | |
Redeliver privacy notices, as necessary. CC ID 14850 | Communicate | Preventive | |
Deliver privacy notices to third parties, as necessary. CC ID 13473 | Communicate | Preventive | |
Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 | Communicate | Preventive | |
Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 | Establish/Maintain Documentation | Corrective | |
Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 | Establish/Maintain Documentation | Preventive | |
Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 | Establish/Maintain Documentation | Preventive | |
Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 | Establish/Maintain Documentation | Preventive | |
Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain opt-out notices. CC ID 13448 | Establish/Maintain Documentation | Preventive | |
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Establish/Maintain Documentation | Preventive | |
Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Establish/Maintain Documentation | Preventive | |
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Establish/Maintain Documentation | Preventive | |
Explain the right to opt out in the opt-out notice. CC ID 13462 | Establish/Maintain Documentation | Preventive | |
Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Establish/Maintain Documentation | Preventive | |
Deliver opt-out notices, as necessary. CC ID 13449 | Communicate | Preventive | |
Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 | Communicate | Preventive | |
Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 | Communicate | Preventive | |
Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 | Communicate | Preventive | |
Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 | Communicate | Preventive | |
Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 | Data and Information Management | Preventive | |
Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 | Communicate | Preventive | |
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 | Communicate | Preventive | |
Provide the data subject with a notice of participation procedures. CC ID 06241 | Establish/Maintain Documentation | Preventive | |
Deliver notices to the intended parties. CC ID 06240 | Data and Information Management | Preventive | |
Notify data subjects about their privacy rights. CC ID 12989 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Rights of users and their legal representatives and methods for the exercise of such rights; Article 27-2(2)(5) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Rights of users and their legal representatives and methods for the exercise of such rights; Article 27-2(2)(5)] | Communicate | Preventive | |
Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 | Communicate | Preventive | |
Require a data protection impact assessment when profiling the data subject. CC ID 12680 | Process or Activity | Detective | |
Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Data and Information Management | Preventive | |
Provide public proof the organization participates in a privacy program. CC ID 12349 | Communicate | Preventive | |
Publish a description of processing activities in an official register. CC ID 00379 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a records request manual. CC ID 00381 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Establish/Maintain Documentation | Preventive | |
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 [{relevant authority} A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Article 53(1)] | Behavior | Preventive | |
Define what is included in registration notices. CC ID 00386 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the registration notice. CC ID 16803 | Establish Roles | Preventive | |
Include the verification method in the registration notice. CC ID 16798 | Establish/Maintain Documentation | Preventive | |
Include the statutory authority in the registration notice. CC ID 16799 | Establish/Maintain Documentation | Preventive | |
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Establish/Maintain Documentation | Preventive | |
Include a purpose specification description in the registration notice. CC ID 00388 | Establish/Maintain Documentation | Preventive | |
Include information about the dispute resolution body in the registration notice. CC ID 16800 | Establish/Maintain Documentation | Preventive | |
Include the data subject category being processed in the registration notice. CC ID 00389 | Establish/Maintain Documentation | Preventive | |
Include the time period for data processing in the registration notice. CC ID 00390 | Establish/Maintain Documentation | Preventive | |
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Establish/Maintain Documentation | Preventive | |
Provide legal authorities access to personal data, upon request. CC ID 06818 | Data and Information Management | Preventive | |
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Process or Activity | Preventive | |
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 | Process or Activity | Preventive | |
Document the countries where restricted data may be stored. CC ID 12750 | Data and Information Management | Preventive | |
Protect the rights of students and their parents or legal representatives. CC ID 00222 | Data and Information Management | Preventive | |
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Technical Security | Preventive | |
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Records Management | Preventive | |
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Records Management | Preventive | |
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Records Management | Corrective | |
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Records Management | Corrective | |
Define the criteria for waivers of data subjects' rights. CC ID 16858 | Behavior | Preventive | |
Revoke waivers of data subject's rights, as necessary. CC ID 16859 | Behavior | Preventive | |
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Establish/Maintain Documentation | Preventive | |
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Establish/Maintain Documentation | Preventive | |
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Establish/Maintain Documentation | Preventive | |
Disclose educational data, as necessary. CC ID 00223 | Data and Information Management | Preventive | |
Grant access to education records in support of educational program audits. CC ID 13032 | Records Management | Preventive | |
Grant access to education records in support of external requirements. CC ID 13033 | Records Management | Preventive | |
Disclose statements added to education records, as necessary. CC ID 12990 | Communicate | Preventive | |
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Data and Information Management | Preventive | |
Disclose education records when written consent is received. CC ID 00224 | Data and Information Management | Preventive | |
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Establish/Maintain Documentation | Preventive | |
Specify the purpose of the disclosure in the written consent. CC ID 13001 | Establish/Maintain Documentation | Preventive | |
Specify which education records may be disclosed in the written consent. CC ID 13000 | Establish/Maintain Documentation | Preventive | |
Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Establish/Maintain Documentation | Preventive | |
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Communicate | Preventive | |
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Communicate | Preventive | |
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Communicate | Preventive | |
Disclose educational data absent consent to other school officials. CC ID 00226 | Data and Information Management | Preventive | |
Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Data and Information Management | Preventive | |
Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Data and Information Management | Preventive | |
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Data and Information Management | Preventive | |
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Communicate | Preventive | |
Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Data and Information Management | Preventive | |
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Data and Information Management | Preventive | |
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Data and Information Management | Preventive | |
Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Data and Information Management | Preventive | |
Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Data and Information Management | Preventive | |
Disclose educational data absent consent to a crime victim. CC ID 00236 | Data and Information Management | Preventive | |
Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Establish/Maintain Documentation | Preventive | |
Refrain from providing information to the data subject, as necessary. CC ID 12625 [A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2) A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2) A provider of information and communications services may, if it is difficult to judge whether information violates any right or it is anticipated that there will probably be a dispute between interested parties, take a measure to block access to the information temporarily (hereinafter referred to as "temporary measures"), irrespective of a request for deletion of the information under paragraph (1). In such cases, the period of time for the temporary measure shall not exceed 30 days. Article 44-2(4)] | Communicate | Preventive | |
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Communicate | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Communicate | Preventive | |
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Communicate | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Communicate | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Communicate | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Communicate | Preventive | |
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Communicate | Preventive | |
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Communicate | Preventive | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6)] | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the data retention period for personal data. CC ID 12587 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Period of time during which he or she intends to possess and use the personal information. Article 22(1)(3) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The purposes of use of the person to whom the personal information is to be transferred, and the period of time for possession and use of the personal information. Article 63(3)(4)] | Process or Activity | Preventive | |
Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 | Process or Activity | Preventive | |
Provide the data subject with the adequacy decision. CC ID 12586 | Process or Activity | Preventive | |
Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 | Process or Activity | Preventive | |
Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Process or Activity | Preventive | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 | Data and Information Management | Preventive | |
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Business Processes | Preventive | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 | Business Processes | Preventive | |
Notify the data subject of the right to data portability. CC ID 12603 | Process or Activity | Preventive | |
Provide the data subject with information about the right to erasure. CC ID 12602 | Process or Activity | Preventive | |
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Items of personal information that he or she intends to collect; Article 22(1)(2) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2) A provider of information and communications services or similar falling under the standards determined by Presidential Decree shall periodically notify the users of the details of using personal information of such users (including details of the provision under Article 24-2 and of the entrustment of management of personal information under Article 25) in accordance with Article 22 and the proviso to Article 23 (1): Provided, That this shall not apply in cases where the provider of information and communications services or similar does not collect any contact information or other personal information that can be notified to users. Article 30-2(1) Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)] | Establish/Maintain Documentation | Preventive | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Article 24-2(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Article 25(1) Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: Items of the personal information transferred; Article 63(3)(1)] | Data and Information Management | Preventive | |
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a disclosure accounting record. CC ID 13022 | Establish/Maintain Documentation | Preventive | |
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Establish/Maintain Documentation | Preventive | |
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Establish/Maintain Documentation | Preventive | |
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1)] | Establish/Maintain Documentation | Preventive | |
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Establish/Maintain Documentation | Preventive | |
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Establish/Maintain Documentation | Preventive | |
Include the disclosure date in the disclosure accounting record. CC ID 07133 | Establish/Maintain Documentation | Preventive | |
Include the disclosure recipient in the disclosure accounting record. CC ID 07134 [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The name (referring to the name of a legal corporation, if the person is a legal corporation; hereafter the same shall apply in this Article), address, and telephone number of a person to whom the personal information is to be transferred (hereinafter referred to as a "transferee of business or similar"), and other contact information of the person; Article 26(1)(2) If any personal information is transferred to a transferee of business, etc., he or she shall immediately notify the users of such fact and his or her name, domicile, telephone number and other contact details according to methods prescribed by Presidential Decree, such as the posting of such information on the Internet homepage or email. Article 26(2) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The name of the person to whom the personal information is to be transferred (referring to the name of a legal entity and the contact information of the person responsible for management of information, if the person is a legal entity); Article 63(3)(3)] | Establish/Maintain Documentation | Preventive | |
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Establish/Maintain Documentation | Preventive | |
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Establish/Maintain Documentation | Preventive | |
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Establish/Maintain Documentation | Preventive | |
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Establish/Maintain Documentation | Preventive | |
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Establish/Maintain Documentation | Preventive | |
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Establish/Maintain Documentation | Preventive | |
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Establish/Maintain Documentation | Preventive | |
Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 | Data and Information Management | Preventive | |
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 | Communicate | Preventive | |
Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 | Establish/Maintain Documentation | Preventive | |
Provide shareholders access to electronic messages via electronic means. CC ID 11855 | Process or Activity | Preventive | |
Make telephone directory information available to the public. CC ID 08698 | Establish/Maintain Documentation | Preventive | |
Display warning screens and confirmation screens for all payment transactions. CC ID 06409 | Technical Security | Preventive | |
Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 | Process or Activity | Preventive | |
Establish, implement, and maintain a privacy policy. CC ID 06281 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, establish and disclose its policy on managing personal information to the public in a manner specified by Presidential Decree so that users become aware of the policy easily at any time. Article 27-2(1)] | Establish/Maintain Documentation | Preventive | |
Include the data subject's rights in the privacy policy. CC ID 16355 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 [{make aware} Every provider of information and communications services or similar shall, when he or she revises the policy on managing personal information under paragraph (1), give public notice of the reasons for and details of such revision without delay in a manner specified by Presidential Decree, and take measures to make users aware of the details of the revision easily at any time. Article 27-2(3)] | Behavior | Preventive | |
Document privacy policies in clearly written and easily understood language. CC ID 00376 | Establish/Maintain Documentation | Detective | |
Write privacy notices in the official languages required by law. CC ID 16529 | Establish/Maintain Documentation | Preventive | |
Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Establish/Maintain Documentation | Preventive | |
Define what is included in the privacy policy. CC ID 00404 | Establish/Maintain Documentation | Preventive | |
Define the information being collected in the privacy policy. CC ID 13115 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)] | Establish/Maintain Documentation | Preventive | |
Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Establish/Maintain Documentation | Preventive | |
Include the means by which information is collected in the privacy policy. CC ID 13114 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)] | Establish/Maintain Documentation | Preventive | |
Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 | Establish/Maintain Documentation | Corrective | |
Include roles and responsibilities in the privacy policy. CC ID 14669 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the privacy policy. CC ID 14668 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the privacy policy. CC ID 14667 | Establish/Maintain Documentation | Preventive | |
Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the privacy policy. CC ID 14666 | Establish/Maintain Documentation | Preventive | |
Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Establish/Maintain Documentation | Preventive | |
Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 | Establish/Maintain Documentation | Corrective | |
Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 | Establish/Maintain Documentation | Preventive | |
Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 | Establish/Maintain Documentation | Preventive | |
Include a complaint form in the privacy policy. CC ID 12364 | Establish/Maintain Documentation | Preventive | |
Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Establish/Maintain Documentation | Preventive | |
Include the processing purpose in the privacy policy. CC ID 00406 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Details of business affairs subject to the entrustment of management of personal information and the trustee (they shall be included in the policy on management, only where this subparagraph is applicable); Article 27-2(2)(4)] | Establish/Maintain Documentation | Preventive | |
Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Establish/Maintain Documentation | Preventive | |
Include the data subject categories being processed in the privacy policy. CC ID 00407 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)] | Establish/Maintain Documentation | Preventive | |
Define the retention period for collected information in the privacy policy. CC ID 13116 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)] | Establish/Maintain Documentation | Preventive | |
Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)] | Establish/Maintain Documentation | Preventive | |
Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Details of business affairs subject to the entrustment of management of personal information and the trustee (they shall be included in the policy on management, only where this subparagraph is applicable); Article 27-2(2)(4)] | Establish/Maintain Documentation | Preventive | |
Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Establish/Maintain Documentation | Preventive | |
Include instructions on how to opt-out in the privacy policy. CC ID 00411 | Establish/Maintain Documentation | Preventive | |
Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 | Establish/Maintain Documentation | Preventive | |
Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Matters concerning installation, operation, and denial of a device that collect personal information automatically, such as an information file for access to internet; Article 27-2(2)(6) A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Matters concerning installation, operation, and denial of a device that collect personal information automatically, such as an information file for access to internet; Article 27-2(2)(6) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Matters concerning installation, operation, and denial of a device that collect personal information automatically, such as an information file for access to internet; Article 27-2(2)(6)] | Establish/Maintain Documentation | Preventive | |
Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 | Establish/Maintain Documentation | Preventive | |
Post the privacy policy in an easily seen location. CC ID 00401 | Establish/Maintain Documentation | Preventive | |
Define who will receive the privacy policy. CC ID 00402 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, establish and disclose its policy on managing personal information to the public in a manner specified by Presidential Decree so that users become aware of the policy easily at any time. Article 27-2(1)] | Communicate | Preventive | |
Establish, implement, and maintain privacy procedures. CC ID 14665 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Communicate | Preventive | |
Establish, implement, and maintain a privacy plan. CC ID 14672 | Establish/Maintain Documentation | Preventive | |
Align the enterprise architecture with the privacy plan. CC ID 14705 | Process or Activity | Preventive | |
Approve the privacy plan. CC ID 14700 | Business Processes | Preventive | |
Include privacy requirements in the privacy plan. CC ID 14699 | Establish/Maintain Documentation | Preventive | |
Include the information types in the privacy plan. CC ID 14695 | Establish/Maintain Documentation | Preventive | |
Include threats in the privacy plan. CC ID 14694 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the privacy plan. CC ID 14702 | Establish/Maintain Documentation | Preventive | |
Include a description of the operational context in the privacy plan. CC ID 14692 | Establish/Maintain Documentation | Preventive | |
Include risk assessment results in the privacy plan. CC ID 14701 | Establish/Maintain Documentation | Preventive | |
Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Establish/Maintain Documentation | Preventive | |
Include security controls in the privacy plan. CC ID 14681 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Communicate | Preventive | |
Include a description of the operational environment in the privacy plan. CC ID 14679 | Establish/Maintain Documentation | Preventive | |
Include network diagrams in the privacy plan. CC ID 14678 | Establish/Maintain Documentation | Preventive | |
Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a privacy report. CC ID 14754 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 | Communicate | Preventive | |
Protect private communications in keeping with compliance requirements. CC ID 14334 | Business Processes | Preventive | |
Disseminate private communications when required by law. CC ID 14335 | Communicate | Corrective | |
Establish, implement, and maintain personal data choice and consent program. CC ID 12569 [A person who obtains consent to receive advertising information pursuant to paragraph (1) or (3) shall regularly verify whether an addressee of advertising information consents to receive such information, as prescribed by Presidential Decree. Article 50(8)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data request procedures. CC ID 16546 | Establish/Maintain Documentation | Preventive | |
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [{refrain from refusing}{do not consent}{not necessary} No provider of information and communications services shall refuse to provide the relevant services to users on the ground that the users give no consent to the establishment of access authority not certainly necessary to provide the relevant services. Article 22-2(2) {refrain from refusing} No provider of information and communications services shall refuse to provide such services on the ground that a user does not provide personal information other than the minimum personal information required. In such cases, the minimum personal information required means information that is specifically required to perform essential functions of the relevant services. Article 23(3) {refrain from refusing} When the provider, etc. of information and communications services under Article 25 (1) is given the consent to furnishing user's information under paragraph (1) and to the entrustment of management of personal information under Article 25 (1), he or she shall obtain such consent apart from the consent to collection/use of personal information pursuant to Article 22, and shall not refuse to provide its service on the ground of a user's refusal of aforementioned consent. Article 24-2(3)] | Human Resources Management | Preventive | |
Refrain from charging a fee to implement an opt-out request. CC ID 13877 [A person who transmits advertising information for profit by using an electronic transmission medium shall take necessary measures so that an addressee does not incur any cost, such as telephone charges, when the addressee refuses to receive or revokes his or her consent to receive such information, as prescribed by Presidential Decree. Article 50(6)] | Business Processes | Preventive | |
Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the user has given a consent to he provider of information and communications services or similar to collect, use, or furnish his or her personal information. Article 30(2)(3)] | Establish/Maintain Documentation | Preventive | |
Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6)] | Establish/Maintain Documentation | Preventive | |
Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Establish/Maintain Documentation | Preventive | |
Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Establish/Maintain Documentation | Preventive | |
Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Establish/Maintain Documentation | Preventive | |
Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Establish/Maintain Documentation | Preventive | |
Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Establish/Maintain Documentation | Preventive | |
Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Establish/Maintain Documentation | Preventive | |
Include agreement termination information in the disclosure authorization form. CC ID 13437 | Establish/Maintain Documentation | Preventive | |
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Business Processes | Preventive | |
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Business Processes | Preventive | |
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The methods and procedures available for revocation of consent, where a user does not want his or her personal information transferred to a third party. Article 26(1)(3) Every user may, at any time, revoke his or her consent given to a provider of information and communications services or similar to allow the provider to collect, use, or furnish his or her personal information. Article 30(1) Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the user has given a consent to he provider of information and communications services or similar to collect, use, or furnish his or her personal information. Article 30(2)(3) {not necessary}{do not consent}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Fact that users may give no consent to the permission on access authority. Article 22-2(1)(2)(c)] | Data and Information Management | Preventive | |
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Business Processes | Preventive | |
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Business Processes | Preventive | |
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Data and Information Management | Preventive | |
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 | Business Processes | Preventive | |
Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Process or Activity | Preventive | |
Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Establish/Maintain Documentation | Preventive | |
Allow consent requests to be provided in any official languages. CC ID 16530 | Business Processes | Preventive | |
Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Communicate | Preventive | |
Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Records Management | Preventive | |
Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 | Data and Information Management | Preventive | |
Refrain from obtaining consent through deception. CC ID 13556 | Data and Information Management | Preventive | |
Give individuals the ability to change the uses of their personal data. CC ID 00469 [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)] | Data and Information Management | Preventive | |
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [Where an addressee gives prior consent under paragraph (1) or expresses his or her intention to refuse to receive or revoke his or her consent to receive advertising information under paragraph (2), a person who intends to transmit advertising information for profit by using an electronic transmission medium shall inform the relevant addressee of the outcomes of measures taken in relation to consent to receive, refusal to receive, or revocation of consent to receive advertising information, as prescribed by Presidential Decree. Article 50(7)] | Data and Information Management | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 | Human Resources Management | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Human Resources Management | Preventive | |
Notify the supervisory authority. CC ID 00472 [{relevant authority}{collection}{personal data} A provider of information and communications services shall, whenever it discovers a violation of paragraph (1), immediately report it to the Minister of Science, Information and Communications Technology (ICT) and Future Planning, the Korea Communications Commission, or the Korea Internet and Security Agency. Article 49-2(2)] | Behavior | Preventive | |
Establish, implement, and maintain approval applications. CC ID 16778 | Establish/Maintain Documentation | Preventive | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Business Processes | Preventive | |
Submit approval applications to the supervisory authority. CC ID 16627 | Communicate | Preventive | |
Include required information in the approval application. CC ID 16628 | Establish/Maintain Documentation | Preventive | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Business Processes | Preventive | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Process or Activity | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Process or Activity | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Communicate | Preventive | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Communicate | Corrective | |
Cooperate with Data Protection Authorities. CC ID 06870 | Data and Information Management | Preventive | |
Submit a safe harbor self-certification letter. CC ID 06871 | Establish/Maintain Documentation | Preventive | |
Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 | Human Resources Management | Preventive | |
Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 | Establish/Maintain Documentation | Preventive | |
Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Establish/Maintain Documentation | Preventive | |
Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Establish/Maintain Documentation | Preventive | |
Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Establish/Maintain Documentation | Preventive | |
Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Establish/Maintain Documentation | Preventive | |
Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Establish/Maintain Documentation | Preventive | |
Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Establish/Maintain Documentation | Preventive | |
Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Establish/Maintain Documentation | Preventive | |
Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Establish/Maintain Documentation | Preventive | |
Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Establish/Maintain Documentation | Preventive | |
Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Establish/Maintain Documentation | Preventive | |
Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Establish/Maintain Documentation | Preventive | |
Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Establish/Maintain Documentation | Preventive | |
Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Establish/Maintain Documentation | Preventive | |
Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Establish/Maintain Documentation | Preventive | |
Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Establish/Maintain Documentation | Preventive | |
Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Establish/Maintain Documentation | Preventive | |
Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Establish/Maintain Documentation | Preventive | |
Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Establish/Maintain Documentation | Preventive | |
Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Establish/Maintain Documentation | Preventive | |
Notify the data controller of any changes in data processors. CC ID 12648 | Communicate | Preventive | |
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A provider, etc. of information and communications shall, when entrusting a trustee with management of personal information, do so in writing. Article 25(6)] | Establish/Maintain Documentation | Preventive | |
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Establish/Maintain Documentation | Preventive | |
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Establish/Maintain Documentation | Preventive | |
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Establish/Maintain Documentation | Preventive | |
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Establish/Maintain Documentation | Preventive | |
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [A provider of information and communications services or similar shall, when he or she entrusts the management of personal information to a third party, define the scope of purposes, in advance, within which the trustee is allowed to manage personal information of users, and the trustee shall not manage the personal information of users beyond the scope of purposes. Article 25(3)] | Establish/Maintain Documentation | Preventive | |
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Establish/Maintain Documentation | Preventive | |
Include the duration of processing in the Data Processing Contract. CC ID 14935 | Establish/Maintain Documentation | Preventive | |
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Establish/Maintain Documentation | Preventive | |
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Establish/Maintain Documentation | Preventive | |
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Establish/Maintain Documentation | Preventive | |
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Establish/Maintain Documentation | Preventive | |
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Human Resources Management | Preventive | |
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Establish/Maintain Documentation | Preventive | |
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Establish/Maintain Documentation | Preventive | |
Display or print the least amount of personal data necessary. CC ID 04643 | Data and Information Management | Preventive | |
Redact confidential information from public information, as necessary. CC ID 06872 | Data and Information Management | Preventive | |
Notify the data subject of the collection purpose. CC ID 00095 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1) A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1] | Behavior | Preventive | |
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Data and Information Management | Preventive | |
Document the law that requires restricted data to be collected. CC ID 00103 | Establish/Maintain Documentation | Preventive | |
Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Behavior | Preventive | |
Notify the data subject of changes to personal data use. CC ID 00105 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Period of time during which he or she intends to possess and use the personal information. Article 22(1)(3) A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Items of personal information that he or she intends to collect; Article 22(1)(2) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2) A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1)] | Behavior | Preventive | |
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Establish/Maintain Documentation | Preventive | |
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Establish/Maintain Documentation | Preventive | |
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Establish/Maintain Documentation | Preventive | |
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Establish/Maintain Documentation | Preventive | |
Obtain the data subject's consent when the personal data use changes. CC ID 11832 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Article 22(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2) A transferee of business or similar may use or furnish personal information only within the scope of purposes originally defined for which any provider of information and communications services or similar uses or furnishes the personal information of users: Provided, That the same shall not apply where he or she separately obtains consent from users. Article 26(3)] | Behavior | Preventive | |
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Establish/Maintain Documentation | Preventive | |
Dispose of media and restricted data in a timely manner. CC ID 00125 [{refrain from destroying} A provider of information and communications services or similar shall, if any of the followings occurs, destroy the relevant personal information without delay so that such personal information cannot be recovered or reproduced: Provided, That the same shall not apply where it is required to preserve the personal information in accordance with any other Act: Article 29(1)] | Data and Information Management | Preventive | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Records Management | Preventive | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 [{stipulated timeframe} The provider, etc. of information and communications services shall notify , until 30 days before expiration of the period under paragraph (2), the users of the matters prescribed by Presidential Decree such as the fact that the personal information will be destroyed, the expiration date of the period and items of personal information subject to destruction, in a manner prescribed by Presidential Decree such as by email. Article 29(3)] | Communicate | Preventive | |
Establish, implement, and maintain data access procedures. CC ID 00414 [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Personal information of the user, which the provider of information and communications services or similar possesses; Article 30(2)(1)] | Establish/Maintain Documentation | Preventive | |
Allow data subjects to submit data requests. CC ID 16545 | Process or Activity | Preventive | |
Provide individuals with information about where their personal data was processed. CC ID 00415 | Data and Information Management | Preventive | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2) Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(1)(a) Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Ground that access authority is necessary. Article 22-2(1)(1)(b) {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(2)(a) {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Ground that access authority is necessary; Article 22-2(1)(2)(b) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The purposes of use of the person to whom the personal information is to be transferred, and the period of time for possession and use of the personal information. Article 63(3)(4) A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1)] | Data and Information Management | Preventive | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 | Data and Information Management | Preventive | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Data and Information Management | Preventive | |
Provide assistance to requesters in preparing data access requests. CC ID 13588 | Data and Information Management | Preventive | |
Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Establish/Maintain Documentation | Preventive | |
Define what is to be included in a data access request. CC ID 08699 | Establish/Maintain Documentation | Preventive | |
Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Business Processes | Preventive | |
Respond to data access requests in a timely manner. CC ID 00421 [{personal information} A provider of information and communications services or similar shall, in receipt of a request to peruse or furnish matters in accordance with paragraph (2), take necessary measures without delay. Article 30(4)] | Behavior | Preventive | |
Delay responding to data access requests, as necessary. CC ID 15504 | Data and Information Management | Preventive | |
Expedite the processing of data access requests, as necessary. CC ID 15496 | Data and Information Management | Preventive | |
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Behavior | Detective | |
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Behavior | Detective | |
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Business Processes | Preventive | |
Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Process or Activity | Preventive | |
Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Establish/Maintain Documentation | Preventive | |
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Data and Information Management | Preventive | |
Document the outcome of the personal data access request review procedure. CC ID 00455 | Data and Information Management | Preventive | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6) Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2) Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Personal information of the user, which the provider of information and communications services or similar possesses; Article 30(2)(1)] | Establish/Maintain Documentation | Preventive | |
Submit personal data removal requests in writing. CC ID 11973 | Records Management | Preventive | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Establish/Maintain Documentation | Preventive | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Records Management | Corrective | |
Notify third parties of data access requests that relates to the third party. CC ID 08703 | Establish/Maintain Documentation | Preventive | |
Allow affected third parties to consent or object to a data access request. CC ID 08704 | Process or Activity | Preventive | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 [{refrain from using}{be different} No provider of information and communications services may use personal information collected in accordance with Article 22 and the proviso to Article 23 (1) for any purpose other than the purpose consented by the relevant user or the purpose specified in any subparagraph of Article 22 (2). Article 24 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 | Data and Information Management | Preventive | |
Disclose de-identified data, as necessary. CC ID 13034 | Communicate | Preventive | |
Notify the data subject after personal data is used or disclosed. CC ID 06247 | Behavior | Preventive | |
Refrain from processing restricted data, as necessary. CC ID 12551 [{refrain from collecting}{refrain from using} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Article 23-2(1) {be different}{refrain from using} A person who received any personal information of a user from a provider of information and communications services in accordance with paragraph (1) shall not furnish the personal information to a third party or use it for any purpose other than the purpose originally agreed upon at the time when the information was furnished without consent of the user or a specific provision otherwise specified in any other Act. Article 24-2(2) A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)] | Records Management | Preventive | |
Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Process or Activity | Preventive | |
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Process or Activity | Preventive | |
Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Business Processes | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Process or Activity | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Process or Activity | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Process or Activity | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Process or Activity | Preventive | |
Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Process or Activity | Preventive | |
Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Process or Activity | Detective | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Process or Activity | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Process or Activity | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Process or Activity | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Process or Activity | Preventive | |
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Data and Information Management | Preventive | |
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Data and Information Management | Preventive | |
Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Business Processes | Preventive | |
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Business Processes | Preventive | |
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Business Processes | Preventive | |
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Business Processes | Preventive | |
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Business Processes | Preventive | |
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Business Processes | Preventive | |
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Business Processes | Preventive | |
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Business Processes | Preventive | |
Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Business Processes | Preventive | |
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Business Processes | Preventive | |
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Process or Activity | Preventive | |
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Establish/Maintain Documentation | Preventive | |
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Establish/Maintain Documentation | Preventive | |
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Establish/Maintain Documentation | Preventive | |
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Establish/Maintain Documentation | Preventive | |
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Establish/Maintain Documentation | Preventive | |
Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Records Management | Preventive | |
Include the data processor's contact information in the record of processing activities. CC ID 12657 | Records Management | Preventive | |
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Records Management | Preventive | |
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Records Management | Preventive | |
Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Records Management | Preventive | |
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Records Management | Preventive | |
Include the personal data processing categories in the record of processing activities. CC ID 12661 | Records Management | Preventive | |
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Records Management | Preventive | |
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Records Management | Preventive | |
Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Records Management | Preventive | |
Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Records Management | Preventive | |
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Records Management | Preventive | |
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Records Management | Preventive | |
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Records Management | Preventive | |
Include the data controller's contact information in the record of processing activities. CC ID 12637 | Records Management | Preventive | |
Process restricted data lawfully and carefully. CC ID 00086 [Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the provider is designated as the identification service agency pursuant to Article 23-3; Article 23-2(1)(1) Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where collection/use of users' resident registration numbers is authorized by statutes; Article 23-2(1)(2) {relevant authority}Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the Korea Communications Commission makes a public announcement for the provider of information and communications services who inevitably collects/uses users' resident registration numbers for his or her business purposes. Article 23-2(1)(3)] | Establish Roles | Preventive | |
Analyze requirements for processing personal data in contracts. CC ID 12550 | Investigate | Detective | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Technical Security | Preventive | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Data and Information Management | Preventive | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Communicate | Corrective | |
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Records Management | Preventive | |
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Establish/Maintain Documentation | Preventive | |
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Data and Information Management | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Records Management | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Process or Activity | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Records Management | Preventive | |
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Data and Information Management | Preventive | |
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Establish/Maintain Documentation | Preventive | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Establish/Maintain Documentation | Preventive | |
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Data and Information Management | Preventive | |
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Establish/Maintain Documentation | Preventive | |
Define and implement valid authorization control requirements. CC ID 06258 | Establish/Maintain Documentation | Preventive | |
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Data and Information Management | Preventive | |
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Data and Information Management | Preventive | |
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Data and Information Management | Preventive | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 | Data and Information Management | Preventive | |
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Data and Information Management | Preventive | |
Process personal data relating to criminal offenses when required by law. CC ID 00237 | Data and Information Management | Preventive | |
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Data and Information Management | Preventive | |
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Data and Information Management | Preventive | |
Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Data and Information Management | Preventive | |
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 | Data and Information Management | Preventive | |
Process traffic data in a controlled manner. CC ID 00130 | Data and Information Management | Preventive | |
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Data and Information Management | Preventive | |
Process personal data when it is publicly accessible. CC ID 00187 | Data and Information Management | Preventive | |
Process personal data for direct marketing and other personalized mail programs. CC ID 00188 [{refrain from obtaining}If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Where a telemarketer under the Act on Door-to-Door Sales, Etc. informs prospective customers of the collection source of their personal information by voice, and solicits them to buy products or services by means of telephone call. Article 50(1)(2)] | Data and Information Management | Preventive | |
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 [{refrain from transmitting}{refrain from displaying}{refrain from taking} No one may transmit, to a juvenile under subparagraph 1 of Article 2 of the Juvenile Protection Act, any information containing an advertisement of an unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the aforesaid Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in the form of code, letter, voice, sound, image, or motion picture through an information and communications network or display such medium to the general public without taking any measure to restrict access by a juvenile. Article 42-2 ¶ 1] | Business Processes | Preventive | |
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 [{refrain from taking}No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to avoid or interfere with an addressee's refusal to receive or revocation of his or her consent to receive advertising information; Article 50(5)(1) {refrain from transmitting} Notwithstanding paragraph (1), where an addressee expresses his or her intention to refuse to receive information or revokes his or her prior consent, no person who intends to transmit advertising information for profit by using an electronic transmission medium shall transmit advertising information for profit. Article 50(2) A provider of information and communications services may take measures to refuse rendering corresponding services in any of the following cases: If a user does not want to receive advertising information; Article 50-4(1)(2)] | Communicate | Corrective | |
Process personal data for the purposes of employment. CC ID 16527 | Data and Information Management | Preventive | |
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Data and Information Management | Preventive | |
Process personal data for debt collection or benefit payments. CC ID 00190 | Data and Information Management | Preventive | |
Process personal data in order to advance the public interest. CC ID 00191 | Data and Information Management | Preventive | |
Process personal data for surveys, archives, or scientific research. CC ID 00192 | Data and Information Management | Preventive | |
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Data and Information Management | Preventive | |
Process personal data for academic purposes or religious purposes. CC ID 00194 | Data and Information Management | Preventive | |
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Data and Information Management | Preventive | |
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Data and Information Management | Preventive | |
Follow legal obligations while processing personal data. CC ID 04794 | Data and Information Management | Preventive | |
Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Data and Information Management | Preventive | |
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If it is necessary in paying charges on the information and communication services rendered; Article 22(2)(2)] | Data and Information Management | Preventive | |
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Process or Activity | Preventive | |
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Data and Information Management | Preventive | |
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Data and Information Management | Preventive | |
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Data and Information Management | Preventive | |
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Data and Information Management | Preventive | |
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If the personal information is necessary in fulfilling the contract for provision of information and communications services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason; Article 22(2)(1)] | Data and Information Management | Preventive | |
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Data and Information Management | Preventive | |
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Data and Information Management | Preventive | |
Process personal data absent consent in order to perform a contract. CC ID 13586 | Data and Information Management | Preventive | |
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Data and Information Management | Preventive | |
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Data and Information Management | Preventive | |
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Data and Information Management | Preventive | |
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Data and Information Management | Preventive | |
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 | Data and Information Management | Preventive | |
Process personal data absent consent when it is needed by law. CC ID 13577 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If a specific provision exists in this Act or any other Act otherwise. Article 22(2)(3) A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)] | Data and Information Management | Preventive | |
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Data and Information Management | Preventive | |
Process personal data absent consent when it is from publicly available information. CC ID 13576 | Data and Information Management | Preventive | |
Process personal data absent consent to create a credit report. CC ID 15288 | Data and Information Management | Preventive | |
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 | Data and Information Management | Preventive | |
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Data and Information Management | Preventive | |
Process personal data absent consent when produced for business purposes. CC ID 13563 | Data and Information Management | Preventive | |
Process personal data absent consent for handling insurance claims. CC ID 13561 | Data and Information Management | Preventive | |
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Data and Information Management | Preventive | |
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Data and Information Management | Preventive | |
Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Data and Information Management | Preventive | |
Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Data and Information Management | Preventive | |
Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 | Behavior | Preventive | |
Define security breach notification requirement exceptions. CC ID 04797 | Establish/Maintain Documentation | Preventive | |
Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 | Communicate | Corrective | |
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [{refrain from providing} No one shall be knowingly provided with any disclosed personal information for profit or any unlawful purpose. Article 28-2(2) {violate}{right} Every provider of information and communications services shall make efforts to prevent any information under paragraph (1) from being circulated through the information and communications network operated and managed by it. Article 44(2) {refrain from circulating}{violate} No user may circulate any information violative of other person's rights, including invasion of privacy and defamation, through an information and communications network. Article 44(1) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that defames other persons by divulging a fact, false fact, openly and purposely to disparage the person's reputation; Article 44-7(1)(2) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information regarding content of transactions of personal information in violation of this Act or other statutes concerning the protection of personal information; Article 44-7(1)(6-2) {be different}{refrain from using} A person who received any personal information of a user from a provider of information and communications services in accordance with paragraph (1) shall not furnish the personal information to a third party or use it for any purpose other than the purpose originally agreed upon at the time when the information was furnished without consent of the user or a specific provision otherwise specified in any other Act. Article 24-2(2) {do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1] | Records Management | Preventive | |
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Communicate | Corrective | |
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 | Data and Information Management | Preventive | |
Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Establish/Maintain Documentation | Preventive | |
Define the exceptions to disclosure absent consent. CC ID 00135 | Establish/Maintain Documentation | Preventive | |
Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 | Data and Information Management | Detective | |
Define opt-out exceptions for disclosing restricted data. CC ID 00159 | Establish/Maintain Documentation | Preventive | |
Define how a data subject may give consent. CC ID 00160 | Establish/Maintain Documentation | Preventive | |
Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Data and Information Management | Preventive | |
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 [A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2) A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2)] | Communicate | Preventive | |
Disclose restricted data absent consent when the law does not require consent. CC ID 00136 | Data and Information Management | Preventive | |
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 | Data and Information Management | Preventive | |
Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 | Data and Information Management | Preventive | |
Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Data and Information Management | Preventive | |
Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 | Data and Information Management | Preventive | |
Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 | Data and Information Management | Preventive | |
Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Data and Information Management | Preventive | |
Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 | Data and Information Management | Preventive | |
Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Data and Information Management | Preventive | |
Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Data and Information Management | Preventive | |
Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Data and Information Management | Preventive | |
Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Data and Information Management | Preventive | |
Disclose personal data absent consent to create a credit report. CC ID 15297 | Data and Information Management | Preventive | |
Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 | Data and Information Management | Preventive | |
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 | Data and Information Management | Preventive | |
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 | Data and Information Management | Preventive | |
Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 | Data and Information Management | Preventive | |
Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Data and Information Management | Preventive | |
Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Data and Information Management | Preventive | |
Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Data and Information Management | Preventive | |
Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Data and Information Management | Preventive | |
Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 | Data and Information Management | Preventive | |
Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 | Data and Information Management | Preventive | |
Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 | Data and Information Management | Preventive | |
Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Data and Information Management | Preventive | |
Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 | Data and Information Management | Preventive | |
Disclose restricted data absent consent in order to perform a contract. CC ID 00139 | Data and Information Management | Preventive | |
Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Data and Information Management | Preventive | |
Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 | Data and Information Management | Preventive | |
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 | Data and Information Management | Preventive | |
Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Data and Information Management | Preventive | |
Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 | Data and Information Management | Preventive | |
Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Data and Information Management | Preventive | |
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 | Data and Information Management | Preventive | |
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Data and Information Management | Preventive | |
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 | Data and Information Management | Preventive | |
Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 | Data and Information Management | Preventive | |
Disclose restricted data absent consent for public economic interests. CC ID 00148 | Data and Information Management | Preventive | |
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 | Data and Information Management | Preventive | |
Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 | Data and Information Management | Preventive | |
Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 | Data and Information Management | Preventive | |
Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 | Data and Information Management | Preventive | |
Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Data and Information Management | Preventive | |
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 | Data and Information Management | Preventive | |
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 | Data and Information Management | Preventive | |
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 | Data and Information Management | Preventive | |
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Establish/Maintain Documentation | Detective | |
Disclose restricted data absent consent when it is needed by law. CC ID 00163 | Data and Information Management | Preventive | |
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 | Data and Information Management | Preventive | |
Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 | Data and Information Management | Preventive | |
Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Data and Information Management | Preventive | |
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 | Data and Information Management | Preventive | |
Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 | Data and Information Management | Preventive | |
Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Communicate | Preventive | |
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [{refrain from destroying} A provider of information and communications services or similar shall, if any of the followings occurs, destroy the relevant personal information without delay so that such personal information cannot be recovered or reproduced: Provided, That the same shall not apply where it is required to preserve the personal information in accordance with any other Act: Article 29(1) The provider of information and communications services or similar shall, in an effort to protect personal information of the users who do not use information and communications services for a period of one year, "background-color:#B7D8ED;" class="term_primary-verb">take necessary " class="term_primary-noun">measures, such as destruction of personal information, as prescribed by Presidential Decree: Provided, That the period is otherwise provided either in accordance with other statue or at the request of the users, such provisions shall apply. The provider of information and communications services or similar shall, in an effort to protect personal information of the users who do not use information and communications services for a period of one year, take necessary measures, such as destruction of personal information, as prescribed by Presidential Decree: Provided, That the period is otherwise provided either in accordance with other statue or at the request of the users, such provisions shall apply. Article 29(2)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3) If a user withdraws his or her consent pursuant to paragraph (1), a provider of information and communications services, etc. shall immediately take necessary measures, such as the destruction of collected personal information in an irrecoverable or in unreproducible way. Article 30(3)] | Establish/Maintain Documentation | Preventive | |
Capture personal data removal requests. CC ID 13507 [Where information provided through an information and communications network purposely to be made public intrudes on other persons' privacy, defames other persons, or violates other persons' right otherwise, the victim of such violation may request the provider of information and communications services who managed the information to delete the information or publish a rebuttable statement (hereinafter referred to as "deletion or rebuttal"), presenting explanatory materials supporting the alleged violation. Article 44-2(1)] | Communicate | Preventive | |
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [{violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)] | Records Management | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Process or Activity | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Process or Activity | Preventive | |
Dispose of personal data removal requests, as necessary. CC ID 13512 | Business Processes | Preventive | |
Limit the redisclosure and reuse of restricted data. CC ID 00168 | Data and Information Management | Preventive | |
Refrain from redisclosing or reusing restricted data. CC ID 00169 [A person who manages or has ever manages personal information of users shall not damage, intrude on, or disclosed personal information that he or she learned in the course of performing his or her duty. Article 28-2(1)] | Data and Information Management | Preventive | |
Document the redisclosing restricted data exceptions. CC ID 00170 | Establish/Maintain Documentation | Preventive | |
Redisclose restricted data when the data subject consents. CC ID 00171 | Data and Information Management | Preventive | |
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Data and Information Management | Preventive | |
Redisclose restricted data in order to protect public revenue. CC ID 00173 | Data and Information Management | Preventive | |
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Data and Information Management | Preventive | |
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Data and Information Management | Preventive | |
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Data and Information Management | Preventive | |
Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Data and Information Management | Preventive | |
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(1)(a) Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Ground that access authority is necessary. Article 22-2(1)(1)(b) {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(2)(a) {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Ground that access authority is necessary; Article 22-2(1)(2)(b) {stipulated timeframe} Notwithstanding paragraph (1), a person who intends to transmit advertising information for profit by using an electronic transmission medium during the time between 9:00 pm and 8:00 am of the following day shall obtain express prior consent from the addressee of such information: Provided, That in cases of media prescribed by Presidential Decree, the forgoing shall not apply thereto. Article 50(3)] | Data and Information Management | Preventive | |
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 [A provider of information and communications services or similar shall, if he or she desires to obtain consent of a child of less than 14 years on collection, use, furnishing, and other disposition of personal information, obtain consent from his or her legal representative. In such cases, the provider of information and communications services may demand the child to furnish minimum information, such as the legal representative's name, necessary to obtain consent from the legal representative. Article 31(1)] | Data and Information Management | Preventive | |
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Data and Information Management | Preventive | |
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Data and Information Management | Preventive | |
Process Personal Identification Numbers with consent. CC ID 00239 | Data and Information Management | Preventive | |
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Behavior | Preventive | |
Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Data and Information Management | Preventive | |
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Data and Information Management | Preventive | |
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Data and Information Management | Preventive | |
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Data and Information Management | Preventive | |
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Establish/Maintain Documentation | Preventive | |
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Data and Information Management | Preventive | |
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Data and Information Management | Preventive | |
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Data and Information Management | Preventive | |
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Data and Information Management | Preventive | |
Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 | Data and Information Management | Preventive | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Establish/Maintain Documentation | Preventive | |
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Data and Information Management | Preventive | |
Review personal data disclosure requests. CC ID 07129 | Data and Information Management | Preventive | |
Notify the data subject of the disclosure purpose. CC ID 15268 | Communicate | Preventive | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 | Establish/Maintain Documentation | Preventive | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Data and Information Management | Preventive | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Data and Information Management | Preventive | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Data and Information Management | Preventive | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Data and Information Management | Preventive | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Data and Information Management | Preventive | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Data and Information Management | Preventive | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Data and Information Management | Preventive | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Data and Information Management | Preventive | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Data and Information Management | Preventive | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Process or Activity | Preventive | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Data and Information Management | Preventive | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Data and Information Management | Preventive | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Data and Information Management | Preventive | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Data and Information Management | Detective | |
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Data and Information Management | Preventive | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Data and Information Management | Preventive | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Data and Information Management | Preventive | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Data and Information Management | Preventive | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Data and Information Management | Preventive | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Data and Information Management | Preventive | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Data and Information Management | Preventive | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Data and Information Management | Preventive | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [A provider of information and communications services shall inform interested persons, such as users to whom such services are provided, of the fact that he or she has taken rm_primary-noun">measures for imary-noun">refusal under paragraph (1) or (4): Provided, That where it is impracticable to inform them of the fact in advance, he or she shall inform them of the fact immediately after it has taken measures for refusal. A provider of information and communications services shall inform interested persons, such as users to whom such services are provided, of the fact that he or she has taken measures for refusal under paragraph (1) or (4): Provided, That where it is impracticable to inform them of the fact in advance, he or she shall inform them of the fact immediately after it has taken measures for refusal. Article 50-4(3)] | Data and Information Management | Preventive | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Communicate | Preventive | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Data and Information Management | Preventive | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Process or Activity | Preventive | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Data and Information Management | Preventive | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Data and Information Management | Preventive | |
Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Communicate | Preventive | |
Provide data or records in a reasonable time frame. CC ID 00429 | Data and Information Management | Preventive | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Communicate | Preventive | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Data and Information Management | Preventive | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Data and Information Management | Preventive | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Data and Information Management | Preventive | |
Provide data at a cost that is not excessive. CC ID 00430 | Data and Information Management | Preventive | |
Provide records or data in a reasonable manner. CC ID 00431 | Data and Information Management | Preventive | |
Provide personal data in a form that is intelligible. CC ID 00432 | Data and Information Management | Preventive | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Data and Information Management | Preventive | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Data and Information Management | Preventive | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Data and Information Management | Preventive | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Establish/Maintain Documentation | Preventive | |
Include cookie management in the privacy framework. CC ID 13809 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain cookie management procedures. CC ID 13810 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 | Establish/Maintain Documentation | Preventive | |
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Data and Information Management | Preventive | |
Refrain from collecting personal data, as necessary. CC ID 15269 [{refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1) {refrain from collecting}{refrain from using} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Article 23-2(1)] | Data and Information Management | Preventive | |
Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Business Processes | Detective | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Establish/Maintain Documentation | Preventive | |
Use personal data for specified purposes. CC ID 11831 | Data and Information Management | Preventive | |
Post the collection purpose. CC ID 00101 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)] | Establish/Maintain Documentation | Preventive | |
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Article 22(1) {refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1)] | Data and Information Management | Preventive | |
Document each individual's personal data collection consent preferences. CC ID 06945 | Establish/Maintain Documentation | Preventive | |
Provide explicit consent that is clear and unambiguous. CC ID 00181 | Data and Information Management | Preventive | |
Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Data and Information Management | Preventive | |
Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Data and Information Management | Preventive | |
Notify the data subject of the source of collected personal data. CC ID 00083 | Behavior | Preventive | |
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Data and Information Management | Preventive | |
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Data and Information Management | Preventive | |
Establish and maintain a personal data definition. CC ID 00028 | Establish/Maintain Documentation | Preventive | |
Include an individual's name in the personal data definition. CC ID 04710 | Data and Information Management | Preventive | |
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Data and Information Management | Preventive | |
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Data and Information Management | Preventive | |
Include an individual's signature in the personal data definition. CC ID 04711 | Data and Information Management | Preventive | |
Include an individual's date of birth in the personal data definition. CC ID 04770 | Data and Information Management | Preventive | |
Include the number of children in the personal data definition. CC ID 13759 | Establish/Maintain Documentation | Preventive | |
Include the individual's religion in the personal data definition. CC ID 13765 | Establish/Maintain Documentation | Preventive | |
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Data and Information Management | Preventive | |
Include an individual's biometric data in the personal data definition. CC ID 04698 | Data and Information Management | Preventive | |
Include an individual's photographic image in the personal data definition. CC ID 04779 | Data and Information Management | Preventive | |
Include an individual's fingerprints in the personal data definition. CC ID 04689 | Data and Information Management | Preventive | |
Include an individual's address in the personal data definition. CC ID 04687 | Data and Information Management | Preventive | |
Include an individual's telephone number in the personal data definition. CC ID 04688 | Data and Information Management | Preventive | |
Include an individual's fax number in the personal data definition. CC ID 07120 | Data and Information Management | Preventive | |
Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Establish/Maintain Documentation | Preventive | |
Include an individual's license plate number in the personal data definition. CC ID 13763 | Establish/Maintain Documentation | Preventive | |
Include an individual's financial account number in the personal data definition. CC ID 04692 | Data and Information Management | Preventive | |
Include an individual's account balances in the personal data definition. CC ID 13770 | Establish/Maintain Documentation | Preventive | |
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Data and Information Management | Preventive | |
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Data and Information Management | Preventive | |
Include an individual's logon credentials in the personal data definition. CC ID 13771 | Establish/Maintain Documentation | Preventive | |
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Data and Information Management | Preventive | |
Include an individual's passport number in the personal data definition. CC ID 04713 | Data and Information Management | Preventive | |
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Data and Information Management | Preventive | |
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Data and Information Management | Preventive | |
Include an individual's military identification number in the personal data definition. CC ID 13083 | Establish/Maintain Documentation | Preventive | |
Include an individual's e-mail address in the personal data definition. CC ID 04696 | Data and Information Management | Preventive | |
Include electronic signatures in the personal data definition. CC ID 04697 | Data and Information Management | Preventive | |
Include an individual's payment card information in the personal data definition. CC ID 04751 | Data and Information Management | Preventive | |
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Data and Information Management | Preventive | |
Include an individual's payment card service code in the personal data definition. CC ID 04753 | Data and Information Management | Preventive | |
Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Data and Information Management | Preventive | |
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Data and Information Management | Preventive | |
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Data and Information Management | Preventive | |
Include an individual's medical history in the personal data definition. CC ID 04701 | Data and Information Management | Preventive | |
Include an individual's medical treatment in the personal data definition. CC ID 04702 | Data and Information Management | Preventive | |
Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Data and Information Management | Preventive | |
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Data and Information Management | Preventive | |
Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Data and Information Management | Preventive | |
Include an individual's health insurance information in the personal data definition. CC ID 04705 | Data and Information Management | Preventive | |
Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Data and Information Management | Preventive | |
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Data and Information Management | Preventive | |
Include an individual's education information in the personal data definition. CC ID 04714 | Data and Information Management | Preventive | |
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Data and Information Management | Preventive | |
Include an individual's employment information in the personal data definition. CC ID 04715 | Data and Information Management | Preventive | |
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Data and Information Management | Preventive | |
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Data and Information Management | Preventive | |
Include an individual's employment history in the personal data definition. CC ID 04716 | Data and Information Management | Preventive | |
Include an individual's place of employment in the personal data definition. CC ID 04765 | Data and Information Management | Preventive | |
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Data and Information Management | Preventive | |
Include an individual's property information in the personal data definition. CC ID 04780 | Data and Information Management | Preventive | |
Include an individual's property title in the personal data definition. CC ID 04781 | Data and Information Management | Preventive | |
Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Data and Information Management | Preventive | |
Include hardware asset identification information in the personal data definition. CC ID 07123 | Data and Information Management | Preventive | |
Include MAC addresses in the personal data definition. CC ID 04778 | Data and Information Management | Preventive | |
Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Data and Information Management | Preventive | |
Include asset serial numbers in the personal data definition. CC ID 07124 | Data and Information Management | Preventive | |
Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Data and Information Management | Preventive | |
Refrain from including publicly available information in the personal data definition. CC ID 13084 | Establish/Maintain Documentation | Preventive | |
Define specially restricted data. CC ID 00037 | Data and Information Management | Preventive | |
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Data and Information Management | Preventive | |
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Data and Information Management | Preventive | |
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Data and Information Management | Preventive | |
Implement a nondiscrimination principle. CC ID 00081 | Data and Information Management | Preventive | |
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Data and Information Management | Preventive | |
Preserve each individual's right to human dignity. CC ID 00082 | Data and Information Management | Preventive | |
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Data and Information Management | Preventive | |
Employ a random number generator to create authenticators. CC ID 13782 | Technical Security | Preventive | |
Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Data and Information Management | Preventive | |
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Data and Information Management | Preventive | |
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Data and Information Management | Preventive | |
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Data and Information Management | Preventive | |
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Behavior | Preventive | |
Manage health data collection. CC ID 00050 | Data and Information Management | Preventive | |
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Data and Information Management | Preventive | |
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Data and Information Management | Preventive | |
Collect Individually Identifiable Health Information for research. CC ID 00054 | Data and Information Management | Preventive | |
Remove personal data before disclosing health data. CC ID 00055 | Data and Information Management | Preventive | |
Give special attention to collecting children's data. CC ID 00038 | Data and Information Management | Preventive | |
Use simple understandable language to collect information from children. CC ID 00039 | Behavior | Preventive | |
Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Establish/Maintain Documentation | Preventive | |
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 [A provider of information and communications services or similar shall, if he or she desires to obtain consent of a child of less than 14 years on collection, use, furnishing, and other disposition of personal information, obtain consent from his or her legal representative. In such cases, the provider of information and communications services may demand the child to furnish minimum information, such as the legal representative's name, necessary to obtain consent from the legal representative. Article 31(1)] | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Data and Information Management | Preventive | |
Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Establish/Maintain Documentation | Preventive | |
Collect personal data directly from the data subject. CC ID 00011 | Data and Information Management | Preventive | |
Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Data and Information Management | Preventive | |
Provide unlinkability for users and resources. CC ID 04550 | Data and Information Management | Preventive | |
Provide unobservability of users and resources. CC ID 04551 | Technical Security | Preventive | |
Confirm the data quality of personal data collected from third parties. CC ID 13510 | Investigate | Detective | |
Collect restricted data in a fair and lawful manner. CC ID 00010 [{refrain from collecting} No one shall collect another person's information through an information and communications network by an act of deceit, nor shall entice another person by an act of deceit to furnish information. Article 49-2(1) Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the provider is designated as the identification service agency pursuant to Article 23-3; Article 23-2(1)(1) {relevant authority}Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the Korea Communications Commission makes a public announcement for the provider of information and communications services who inevitably collects/uses users' resident registration numbers for his or her business purposes. Article 23-2(1)(3)] | Data and Information Management | Preventive | |
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Data and Information Management | Preventive | |
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If the personal information is necessary in fulfilling the contract for provision of information and communications services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason; Article 22(2)(1)] | Data and Information Management | Preventive | |
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Data and Information Management | Preventive | |
Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Data and Information Management | Preventive | |
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Data and Information Management | Preventive | |
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Data and Information Management | Preventive | |
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Data and Information Management | Preventive | |
Collect personal data absent consent for handling insurance claims. CC ID 13543 | Data and Information Management | Preventive | |
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Data and Information Management | Preventive | |
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Data and Information Management | Preventive | |
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Data and Information Management | Preventive | |
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Data and Information Management | Preventive | |
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Data and Information Management | Preventive | |
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Data and Information Management | Preventive | |
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Data and Information Management | Preventive | |
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If it is necessary in paying charges on the information and communication services rendered; Article 22(2)(2)] | Data and Information Management | Preventive | |
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Data and Information Management | Preventive | |
Collect restricted data absent consent from publicly available information. CC ID 00019 | Data and Information Management | Preventive | |
Collect restricted data absent consent when needed by law. CC ID 00020 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If a specific provision exists in this Act or any other Act otherwise. Article 22(2)(3) {refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1)] | Data and Information Management | Preventive | |
Collect personal data absent consent to create a credit report. CC ID 15287 | Data and Information Management | Preventive | |
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Data and Information Management | Preventive | |
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Data and Information Management | Preventive | |
Collect the minimum amount of restricted data necessary. CC ID 00078 [{be necessary} Where a provider of information and communications services collects personal information of a user, he or she shall only collect personal information within the minimum scope necessary to provide information and communications services. Article 23(2)] | Data and Information Management | Preventive | |
Collect restricted data in a proper information framework. CC ID 00009 | Data and Information Management | Preventive | |
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Data and Information Management | Preventive | |
Collect restricted data when required by law. CC ID 00031 [Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where collection/use of users' resident registration numbers is authorized by statutes; Article 23-2(1)(2)] | Data and Information Management | Preventive | |
Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Data and Information Management | Preventive | |
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Data and Information Management | Preventive | |
Collect restricted data for legal purposes. CC ID 00036 | Data and Information Management | Preventive | |
Review the methods for collecting personal data, as necessary. CC ID 13511 | Investigate | Detective | |
Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Communicate | Preventive | |
Provide the data subject with the data collector's name and contact information. CC ID 00024 [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Methods of raising an objection and contact information. Article 58(1)(4)] | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Trade name and contact information of the other party (referring to a person who sells and/or provides goods/services in a transaction through telecommunications billing services; hereinafter referred to as "other party to a transaction"); Article 58(1)(2)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 [{do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [{refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that divulges a secret classified by statutes or any other State secret; Article 44-7(1)(7) {do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Data and Information Management | Preventive | |
Protect electronic messaging information. CC ID 12022 | Technical Security | Preventive | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Data and Information Management | Preventive | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Configuration | Preventive | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Testing | Detective | |
Store payment card data in secure chips, if possible. CC ID 13065 | Configuration | Preventive | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Configuration | Preventive | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Technical Security | Preventive | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Data and Information Management | Preventive | |
Log the disclosure of personal data. CC ID 06628 | Log Management | Preventive | |
Log the modification of personal data. CC ID 11844 | Log Management | Preventive | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Technical Security | Preventive | |
Implement security measures to protect personal data. CC ID 13606 [The persons manufacturing and providing a basic operating system (referring to an operating environment in which softwares installed in mobile devices can be run) of mobile devices, the manufacturers of mobile devices, and the persons manufacturing and providing a software for mobile devices shall take measures necessary for protecting users' information, such as devising methods for users to give or revoke consent to access authority where the provider of information and communications services intends to access the information stored and functions installed in mobile devices. Article 22-2(3) Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Other protective measures necessary for securing safety of personal information. Article 28(1)(6) A person who manages or has ever manages personal information of users shall not damage, intrude on, or disclosed personal information that he or she learned in the course of performing his or her duty. Article 28-2(1)] | Technical Security | Preventive | |
Implement physical controls to protect personal data. CC ID 00355 | Testing | Preventive | |
Limit data leakage. CC ID 00356 [{refrain from exposing} A provider, etc. of information and communications services shall ensure that users' personal information such as resident registration numbers, account numbers and credit cards information is not exposed to the public through information and communications networks. Article 32-3(1) The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Measures for preventing leakage of important information that providers of information and communications services have learned while managing the information. Article 51(3)(3) A provider of information and communications services, etc. shall prepare countermeasures against the leakages, etc. of personal information, and shall seek measures to minimize any damage thereof. Article 27-3(5)] | Data and Information Management | Preventive | |
Conduct personal data risk assessments. CC ID 00357 | Testing | Detective | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Business Processes | Preventive | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Data and Information Management | Detective | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Data and Information Management | Detective | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Monitor and Evaluate Occurrences | Detective | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Investigate | Detective | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Behavior | Detective | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Data and Information Management | Detective | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Log Management | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Monitor and Evaluate Occurrences | Corrective | |
Log dates for account name changes or address changes. CC ID 04876 | Log Management | Detective | |
Review accounts that are changed for additional user requests. CC ID 11846 | Monitor and Evaluate Occurrences | Detective | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Data and Information Management | Detective | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Acquisition/Sale of Assets or Services | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 | Process or Activity | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Process or Activity | Preventive | |
Review monitored websites for data leakage. CC ID 10593 | Monitor and Evaluate Occurrences | Detective | |
Take appropriate action when a data leakage is discovered. CC ID 14716 [{relevant authority} Upon the request of the Korea Communications Commission or the Korea Internet and Security Agency, a provider, etc. of information and communications services shall take necessary measures such as deleting and blocking exposed personal information referred to in paragraph (1). Article 32-3(2) A provider of information and communications services, etc. shall prepare countermeasures against the leakages, etc. of personal information, and shall seek measures to minimize any damage thereof. Article 27-3(5)] | Process or Activity | Corrective | |
Include text about data ownership in the data handling policy. CC ID 15720 | Data and Information Management | Preventive | |
Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain call metadata controls. CC ID 04790 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 | Data and Information Management | Preventive | |
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Data and Information Management | Preventive | |
Store de-identifying code and re-identifying code separately. CC ID 16535 | Data and Information Management | Preventive | |
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Data and Information Management | Preventive | |
Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Communicate | Preventive | |
Establish, implement, and maintain data handling procedures. CC ID 11756 | Establish/Maintain Documentation | Preventive | |
Define personal data that falls under breach notification rules. CC ID 00800 | Establish/Maintain Documentation | Preventive | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Data and Information Management | Preventive | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Data and Information Management | Preventive | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Data and Information Management | Preventive | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Data and Information Management | Preventive | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Data and Information Management | Preventive | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Data and Information Management | Preventive | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Data and Information Management | Preventive | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Data and Information Management | Preventive | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Data and Information Management | Preventive | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Data and Information Management | Preventive | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Data and Information Management | Preventive | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Data and Information Management | Preventive | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Data and Information Management | Preventive | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Data and Information Management | Preventive | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Data and Information Management | Preventive | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Data and Information Management | Preventive | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Data and Information Management | Preventive | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Data and Information Management | Preventive | |
Define an out of scope privacy breach. CC ID 04677 | Establish/Maintain Documentation | Preventive | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Business Processes | Preventive | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Monitor and Evaluate Occurrences | Preventive | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Monitor and Evaluate Occurrences | Preventive | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Monitor and Evaluate Occurrences | Preventive | |
Conduct internal data processing audits. CC ID 00374 | Testing | Detective | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Communicate | Preventive | |
Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Establish/Maintain Documentation | Preventive | |
Obtain consent from an individual prior to transferring personal data. CC ID 06948 [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Article 24-2(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Article 25(1) {abroad}{refrain from obtaining} A provider, etc. of information and communications services shall obtain consent of the users in the case of intending to provide (including being inquired of), entrust management of, or deposit, such users' personal information, to overseas (hereafter referred to as "transfer" in this Article): Provided, That the said provider, etc. of information and communications services may not go through a procedure for consent to either entrustment of management, or deposit, of the relevant personal information where such transfer is necessary for implementing a contract on the provision of information and communications services and promoting the users' convenience, and such provider, etc. discloses all the matters referred to in each subparagraph of paragraph (3) pursuant to Article 27-2 (1) or informs such matters to the users in a manner prescribed by Presidential Decree, including by means of email. Article 63(2) {refrain from refusing} When the provider, etc. of information and communications services under Article 25 (1) is given the consent to furnishing user's information under paragraph (1) and to the entrustment of management of personal information under Article 25 (1), he or she shall obtain such consent apart from the consent to collection/use of personal information pursuant to Article 22, and shall not refuse to provide its service on the ground of a user's refusal of aforementioned consent. Article 24-2(3)] | Data and Information Management | Preventive | |
Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 | Establish/Maintain Documentation | Preventive | |
Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 | Business Processes | Preventive | |
Notify data subjects when their personal data is transferred. CC ID 00352 [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The fact that the personal information is to be transferred; Article 26(1)(1) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: A nation to which the personal information is to be transferred, the date and time, and methods of transfer; Article 63(3)(2) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: A nation to which the personal information is to be transferred, the date and time, and methods of transfer; Article 63(3)(2)] | Behavior | Preventive | |
Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5) A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)] | Establish/Maintain Documentation | Preventive | |
Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 [A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: A nation to which the personal information is to be transferred, the date and time, and methods of transfer; Article 63(3)(2)] | Communicate | Preventive | |
Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 [A provider of information and communications services or similar shall, when it transfers personal information to abroad with consent under paragraph (2), take protective measures, as prescribed by Presidential Decree. Article 63(4)] | Data and Information Management | Preventive | |
Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Data and Information Management | Preventive | |
Prohibit the transfer of personal data when security is inadequate. CC ID 00345 | Data and Information Management | Preventive | |
Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Data and Information Management | Preventive | |
Refrain from transferring past the first transfer. CC ID 00347 | Data and Information Management | Preventive | |
Document transfer disagreements by the data subject in writing. CC ID 00348 | Establish/Maintain Documentation | Preventive | |
Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Data and Information Management | Preventive | |
Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Records Management | Preventive | |
Follow the instructions of the data transferrer. CC ID 00334 | Behavior | Preventive | |
Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Establish/Maintain Documentation | Preventive | |
Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Data and Information Management | Preventive | |
Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Data and Information Management | Preventive | |
Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Data and Information Management | Preventive | |
Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Data and Information Management | Preventive | |
Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Data and Information Management | Preventive | |
Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Data and Information Management | Preventive | |
Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 [{abroad}{refrain from obtaining} A provider, etc. of information and communications services shall obtain consent of the users in the case of intending to provide (including being inquired of), entrust management of, or deposit, such users' personal information, to overseas (hereafter referred to as "transfer" in this Article): Provided, That the said provider, etc. of information and communications services may not go through a procedure for consent to either entrustment of management, or deposit, of the relevant personal information where such transfer is necessary for implementing a contract on the provision of information and communications services and promoting the users' convenience, and such provider, etc. discloses all the matters referred to in each subparagraph of paragraph (3) pursuant to Article 27-2 (1) or informs such matters to the users in a manner prescribed by Presidential Decree, including by means of email. Article 63(2)] | Data and Information Management | Preventive | |
Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Data and Information Management | Preventive | |
Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Data and Information Management | Preventive | |
Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Data and Information Management | Preventive | |
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Data and Information Management | Preventive | |
Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 | Data and Information Management | Preventive | |
Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 | Business Processes | Preventive | |
Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Establish/Maintain Documentation | Preventive | |
Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Data and Information Management | Preventive | |
Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Data and Information Management | Preventive | |
Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Data and Information Management | Preventive | |
Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Data and Information Management | Preventive | |
Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Data and Information Management | Preventive | |
Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Data and Information Management | Preventive | |
Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Data and Information Management | Preventive | |
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Data and Information Management | Preventive | |
Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 | Communicate | Preventive | |
Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Behavior | Preventive | |
Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 | Establish/Maintain Documentation | Preventive | |
Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 | Data and Information Management | Preventive | |
Obtain consent prior to downloading software to an individual's computer. CC ID 06951 [A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1] | Data and Information Management | Preventive | |
Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 | Process or Activity | Preventive | |
Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 | Process or Activity | Preventive | |
Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 | Process or Activity | Preventive | |
Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 | Data and Information Management | Preventive | |
Establish, implement, and maintain a privacy impact assessment. CC ID 13712 | Establish/Maintain Documentation | Preventive | |
Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Establish/Maintain Documentation | Preventive | |
Include how to grant consent in the privacy impact assessment. CC ID 15519 | Establish/Maintain Documentation | Preventive | |
Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Establish/Maintain Documentation | Preventive | |
Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Establish/Maintain Documentation | Preventive | |
Include data handling procedures in the privacy impact assessment. CC ID 15516 | Establish/Maintain Documentation | Preventive | |
Include the intended use of information in the privacy impact assessment. CC ID 15515 | Establish/Maintain Documentation | Preventive | |
Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Establish/Maintain Documentation | Preventive | |
Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Business Processes | Preventive | |
Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Communicate | Preventive | |
Review compliance with the organization's privacy objectives. CC ID 13490 | Human Resources Management | Detective | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 [The operator or the manager of the Internet website may take measures, such as deletion of advertising information for profit posted, in violation of paragraph (1) or (2). Article 50-7(3) A provider of information and communications services may, if it finds that information circulated through the information and communications network operated and managed by him or her intrudes on someone's privacy, defames someone, or violates someone's rights, take temporary measures at its discretion. Article 44-3(1)] | Data and Information Management | Preventive | |
Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Behavior | Preventive | |
Implement procedures to file privacy rights violation complaints. CC ID 00476 [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)] | Data and Information Management | Corrective | |
File privacy rights violation complaints in writing. CC ID 00477 | Establish/Maintain Documentation | Corrective | |
Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Establish/Maintain Documentation | Corrective | |
Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Establish/Maintain Documentation | Preventive | |
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 | Behavior | Corrective | |
Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Business Processes | Preventive | |
File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Behavior | Corrective | |
Change or destroy any personal data that is incorrect. CC ID 00462 [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)] | Data and Information Management | Corrective | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 [A user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3) {violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2) {violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)] | Behavior | Corrective | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Data and Information Management | Preventive | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Data and Information Management | Corrective | |
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [Every provider of telecommunications billing services may install and operate an institution or organization that voluntary resolves disputes to protect rights and interests of users. Article 59(1) A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5) {violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)] | Establish/Maintain Documentation | Preventive | |
Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 | Establish/Maintain Documentation | Preventive | |
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 | Establish/Maintain Documentation | Preventive | |
Document unresolved challenges. CC ID 13568 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Establish/Maintain Documentation | Preventive | |
Notify individuals of their right to challenge personal data. CC ID 00457 [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Methods of raising an objection and contact information. Article 58(1)(4)] | Data and Information Management | Preventive | |
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Data and Information Management | Preventive | |
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Configuration | Preventive | |
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Human Resources Management | Preventive | |
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Data and Information Management | Preventive | |
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Communicate | Preventive | |
Investigate the disputed accuracy of personal data. CC ID 00461 | Data and Information Management | Preventive | |
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)] | Behavior | Corrective | |
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 | Behavior | Corrective | |
Notify third parties of unresolved challenges. CC ID 13559 | Communicate | Preventive | |
Document disagreements as to whether personal data is complete and accurate. CC ID 06952 [Where information provided through an information and communications network purposely to be made public intrudes on other persons' privacy, defames other persons, or violates other persons' right otherwise, the victim of such violation may request the provider of information and communications services who managed the information to delete the information or publish a rebuttable statement (hereinafter referred to as "deletion or rebuttal"), presenting explanatory materials supporting the alleged violation. Article 44-2(1)] | Establish/Maintain Documentation | Preventive | |
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Establish/Maintain Documentation | Preventive | |
Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 | Data and Information Management | Corrective | |
Investigate privacy rights violation complaints. CC ID 00480 | Behavior | Detective | |
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Business Processes | Corrective | |
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Behavior | Detective | |
Include the allegations against the organization in the notice of investigation. CC ID 13031 | Establish/Maintain Documentation | Preventive | |
Investigate privacy rights violation complaints in private. CC ID 00492 | Behavior | Detective | |
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 | Behavior | Detective | |
Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Behavior | Detective | |
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [{relevant authority} If parties fail to or are unable to reach an agreement on compensation for damages under paragraph (2), either party may file an application for decision with the Korea Communications Commission. Article 60(3)] | Behavior | Preventive | |
Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Behavior | Preventive | |
Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Behavior | Preventive | |
Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Behavior | Preventive | |
Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Behavior | Preventive | |
Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Behavior | Preventive | |
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Behavior | Preventive | |
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Behavior | Preventive | |
Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Behavior | Preventive | |
Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Communicate | Corrective | |
Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 | Establish/Maintain Documentation | Corrective | |
Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Behavior | Corrective | |
Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)] | Establish/Maintain Documentation | Detective | |
Order the organization to change to be in compliance with applicable law. CC ID 00499 | Behavior | Corrective | |
Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Behavior | Corrective | |
Award damages based on applicable law. CC ID 00501 [A provider of telecommunications billing services shall negotiate with the claimant to damages for agreement on compensation for the damages under paragraph (1). Article 60(2)] | Behavior | Corrective | |
Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 | Data and Information Management | Corrective | |
Define the organization's liability based on the applicable law. CC ID 00504 [If the trustee violates any provision of this Chapter in connection with the business affairs related to the entrustment of management of personal information and inflicts damages upon a user, the trustee shall be deemed an employee of the provider of information and communications services or similar in determining liability for such damages. Article 25(5) A provider of information and communications services may, if he or she takes necessary measures under paragraph (2) for the informations circulated through the information and communications network operated and managed by it, have its liability for damages caused by such informations mitigated or discharged. Article 44-2(6) A provider of telecommunications billing services shall be liable for damages caused to a user of the telecommunications billing services while rendering the services: Provided, That the same shall not apply in cases where the damages were caused by an intentional act or gross negligence on the part of the user of the telecommunications billing services. Article 60(1)] | Establish/Maintain Documentation | Preventive | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Establish/Maintain Documentation | Preventive | |
Define the appeal process based on the applicable law. CC ID 00506 | Establish/Maintain Documentation | Preventive | |
Define the fee structure for the appeal process. CC ID 16532 | Process or Activity | Preventive | |
Define the time requirements for the appeal process. CC ID 16531 | Process or Activity | Preventive | |
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Communicate | Preventive | |
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Communicate | Preventive | |
Provide notice of proposed penalties. CC ID 06216 | Establish/Maintain Documentation | Preventive | |
Notify the public and other agencies after a penalty becomes final. CC ID 06217 | Behavior | Preventive | |
Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 | Testing | Detective | |
Establish, implement, and maintain an anti-spam policy. CC ID 00283 | Establish/Maintain Documentation | Preventive | |
Refrain from sending unsolicited commercial electronic messages under predetermined conditions. CC ID 13993 [{refrain from taking}No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to automatically register telephone numbers or email addresses for the purpose of transmitting advertising information for profit; Article 50(5)(3) {refrain from posting} Notwithstanding paragraph (1), where the operator or the manager of an Internet website explicitly expresses his or her intention to refuse to post a notice or to revoke his or her prior consent, no person who intends to post advertising information for profit shall post advertising information for profit. Article 50-7(2)] | Communicate | Preventive | |
Include contact information in commercial electronic messages. CC ID 15457 [A person who transmits advertising information for profit by using an electronic transmission medium shall specify the following matters in advertising information, as prescribed by Presidential Decree: The name and contact details of a sender; Article 50(4)(1)] | Business Processes | Preventive | |
Refrain from using misleading subject lines or false subject line on unsolicited commercial electronic messages. CC ID 00294 [{refrain from taking}No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Various measures to hide the identity of the sender of advertising information or the source from which advertising is transmitted; Article 50(5)(4) {refrain from taking}No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Various measures to induce an addressee to reply by deceiving him or her for the purpose of transmitting advertising information for profit. Article 50(5)(5)] | Behavior | Preventive | |
Refrain from using address-harvesting software to send unsolicited commercial e-mails. CC ID 00298 [{refrain from taking}No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to automatically generate an addressee's contact information, such as telephone numbers and email addresses, by combining figures, codes, or letters; Article 50(5)(2)] | Behavior | Preventive | |
Include that commercial electronic messages may be sent to an individual in any situation where the sender has prior consent from the individual or another existing business relationship in the anti-spam policy. CC ID 00300 | Establish/Maintain Documentation | Preventive | |
Send commercial electronic messages to individuals who have consented to receive them. CC ID 00302 [If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Article 50(1)] | Behavior | Preventive | |
Send commercial electronic messages to individuals who have an existing relationship with the organization. CC ID 00301 [{refrain from obtaining}If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Where a person who has directly collected contact details from the addressee in his or her dealings of goods, etc. intends to transmit advertising information for profit on the same kinds of goods, etc. as those he or she manages and has dealt with the addressee within a period prescribed by Presidential Decree; Article 50(1)(1) {refrain from obtaining} Where any person intends to post advertising information for profit on an Internet website, he or she shall obtain prior consent from the operator or the manager of an Internet website: Provided, That in cases of a message board to which any person can have easy access without special authority and on which any person can post his or her message, he or she need not obtain prior consent. Article 50-7(1)] | Behavior | Preventive | |
Give customers the opportunity to object to receiving commercial electronic messages. CC ID 00304 [A person who transmits advertising information for profit by using an electronic transmission medium shall specify the following matters in advertising information, as prescribed by Presidential Decree: Matters concerning measures and methods by which an addressee can easily express his or her intention to refuse to receive information or to revoke his or her consent to receive information. Article 50(4)(2)] | Data and Information Management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Establish/Maintain Documentation | Detective | |
Maintain continued integrity for all stored data and stored records. CC ID 00969 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing fabrication and alteration of ound-color:#F0BBBC;" class="term_primary-noun">access records; Article 28(1)(3)] | Testing | Detective | |
Determine how long to keep records and logs before disposing them. CC ID 11661 | Process or Activity | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [{be impossible} An information provider specified by Presidential Decree among those who engage in a business of providing unwholesome media for juvenile as defined in subparagraph 3 of Article 2 of the Juvenile Protection Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in a way to make it impossible to store or record the unwholesome media in a user's computer shall keep relevant information. Article 43(1) Every provider of telecommunications billing services shall preserve records of telecommunications billing services during the period, within the limit of five years, prescribed by Presidential Decree. Article 58(4)] | Records Management | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 [Every provider of information and communications services shall take protective measures to secure the reliability of the information and security of the information and communications networks. Article 45(1)] | Establish Roles | Preventive | |
Compare each record's data input to its final form. CC ID 11813 | Records Management | Detective | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Process or Activity | Preventive | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Data and Information Management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Establish/Maintain Documentation | Preventive | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records Management | Detective | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 [A person who provides information to the general public purposely to make it public through telecommunications services rendered by a telecommunications business operator (hereinafter referred to as "information provider") and who intends to provide any unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the Juvenile Protection Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act shall put a label indicating that the information is an unwholesome medium for juvenile by the labeling method specified by Presidential Decree. Article 42 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Establish/Maintain Documentation | Preventive | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Data and Information Management | Preventive | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Technical Security | Preventive | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records Management | Preventive | |
Provide encryption for different types of electronic storage media. CC ID 00945 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for security by using encryption technology and other methods for safe storage and transmission of personal information; Article 28(1)(4)] | Technical Security | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain authenticators. CC ID 15305 | Technical Security | Preventive | |
Establish, implement, and maintain an authenticator standard. CC ID 01702 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an authenticator management system. CC ID 12031 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain authenticator procedures. CC ID 12002 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing fabrication and alteration of access records; Article 28(1)(3)] | Establish/Maintain Documentation | Preventive | |
Restrict access to authentication files to authorized personnel, as necessary. CC ID 12127 | Technical Security | Preventive | |
Configure authenticators to comply with organizational standards. CC ID 06412 | Configuration | Preventive | |
Configure the system to require new users to change their authenticator on first use. CC ID 05268 | Configuration | Preventive | |
Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 | Configuration | Preventive | |
Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | Business Processes | Corrective | |
Configure the system to prevent unencrypted authenticator use. CC ID 04457 | Configuration | Preventive | |
Disable store passwords using reversible encryption. CC ID 01708 | Configuration | Preventive | |
Configure the system to encrypt authenticators. CC ID 06735 | Configuration | Preventive | |
Configure the system to mask authenticators. CC ID 02037 | Configuration | Preventive | |
Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators. CC ID 05992 | Configuration | Preventive | |
Configure the "minimum number of digits required for new passwords" setting to organizational standards. CC ID 08717 | Establish/Maintain Documentation | Preventive | |
Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards. CC ID 08718 | Establish/Maintain Documentation | Preventive | |
Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 | Configuration | Preventive | |
Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards. CC ID 08719 | Establish/Maintain Documentation | Preventive | |
Disable machine account password changes. CC ID 01737 | Configuration | Preventive | |
Configure the "minimum number of special characters required for new passwords" setting to organizational standards. CC ID 08720 | Establish/Maintain Documentation | Preventive | |
Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards. CC ID 08722 | Establish/Maintain Documentation | Preventive | |
Configure the "password reuse" setting to organizational standards. CC ID 08724 | Establish/Maintain Documentation | Preventive | |
Configure the "Disable Remember Password" setting. CC ID 05270 | Configuration | Preventive | |
Configure the "Minimum password age" to organizational standards. CC ID 01703 | Configuration | Preventive | |
Configure the LILO/GRUB password. CC ID 01576 | Configuration | Preventive | |
Configure the system to use Apple's Keychain Access to store passwords and certificates. CC ID 04481 | Configuration | Preventive | |
Change the default password to Apple's Keychain. CC ID 04482 | Configuration | Preventive | |
Configure Apple's Keychain items to ask for the Keychain password. CC ID 04483 | Configuration | Preventive | |
Configure the Syskey Encryption Key and associated password. CC ID 05978 | Configuration | Preventive | |
Configure the "Accounts: Limit local account use of blank passwords to console logon only" setting. CC ID 04505 | Configuration | Preventive | |
Configure the "System cryptography: Force strong key protection for user keys stored in the computer" setting. CC ID 04534 | Configuration | Preventive | |
Configure interactive logon for accounts that do not have assigned authenticators in accordance with organizational standards. CC ID 05267 | Configuration | Preventive | |
Enable or disable remote connections from accounts with empty authenticators, as appropriate. CC ID 05269 | Configuration | Preventive | |
Configure the "Send LanMan compatible password" setting. CC ID 05271 | Configuration | Preventive | |
Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate. CC ID 05993 | Configuration | Preventive | |
Set the most number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 | Configuration | Preventive | |
Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 | Configuration | Preventive | |
Notify affected parties to keep authenticators confidential. CC ID 06787 | Behavior | Preventive | |
Discourage affected parties from recording authenticators. CC ID 06788 | Behavior | Preventive | |
Ensure the root account is the first entry in password files. CC ID 16323 | Data and Information Management | Detective | |
Configure the "shadow password for all accounts in /etc/passwd" setting to organizational standards. CC ID 08721 | Establish/Maintain Documentation | Preventive | |
Configure the "password hashing algorithm" setting to organizational standards. CC ID 08723 | Establish/Maintain Documentation | Preventive | |
Configure the "Disable password strength validation for Peer Grouping" setting to organizational standards. CC ID 10866 | Configuration | Preventive | |
Configure the "Set the interval between synchronization retries for Password Synchronization" setting to organizational standards. CC ID 11185 | Configuration | Preventive | |
Configure the "Set the number of synchronization retries for servers running Password Synchronization" setting to organizational standards. CC ID 11187 | Configuration | Preventive | |
Configure the "Turn off password security in Input Panel" setting to organizational standards. CC ID 11296 | Configuration | Preventive | |
Configure the "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" setting to organizational standards. CC ID 11355 | Configuration | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Systems design, build, and implementation CC ID 00989 | IT Impact Zone | IT Impact Zone | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems Design, Build, and Implementation | Preventive | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems Design, Build, and Implementation | Preventive | |
Develop new products based on best practices. CC ID 01095 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a system design specification. CC ID 04557 | Establish/Maintain Documentation | Preventive | |
Include security requirements in the system design specification. CC ID 06826 [{take into account} A provider of information and communications services shall, if he or she intends to newly establish an information and communications network or to provide information and communications services, take the matters regarding information protection into account in planning or designing thereof. Article 45-2(1)] | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 | Establish/Maintain Documentation | Preventive | |
Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 | Monitor and Evaluate Occurrences | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain digital identification procedures. CC ID 13714 [Any of the following persons shall, if he or she intends to install and operate a message board, take necessary measures, as prescribed by Presidential Decree (hereinafter referred to as "measures for identity verification"), including preparation of methods and procedures for verifying identity of users of the message board: Article 44-5(1) {refrain from using} Even where the collection/use of users' resident registration numbers is authorized pursuant to paragraph (1) 2 or 3, an identification method without using the users' resident registration numbers (hereinafter referred to as "alternative means") shall be provided. Article 23-2(2)] | Establish/Maintain Documentation | Preventive | |
Implement digital identification processes. CC ID 13731 | Process or Activity | Preventive | |
Implement identity proofing processes. CC ID 13719 | Process or Activity | Preventive | |
Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Process or Activity | Preventive | |
Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Process or Activity | Preventive | |
Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Process or Activity | Detective | |
Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Process or Activity | Preventive | |
Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Establish/Maintain Documentation | Preventive | |
Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Configuration | Preventive | |
Interact with the data subject when performing remote proofing. CC ID 13777 | Process or Activity | Detective | |
Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Process or Activity | Preventive | |
View all applicant actions when performing remote proofing. CC ID 13804 | Process or Activity | Detective | |
Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Process or Activity | Preventive | |
Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Process or Activity | Detective | |
Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Process or Activity | Detective | |
Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Process or Activity | Preventive | |
Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Process or Activity | Preventive | |
Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Process or Activity | Detective | |
Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Process or Activity | Preventive | |
Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Configuration | Preventive | |
Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Configuration | Preventive | |
Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Configuration | Preventive | |
Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Process or Activity | Preventive | |
Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Process or Activity | Detective | |
Validate proof of identity during the identity proofing process. CC ID 13756 | Process or Activity | Detective | |
Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Business Processes | Detective | |
Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Process or Activity | Detective | |
Verify proof of identity records. CC ID 13761 | Investigate | Detective | |
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Process or Activity | Detective | |
Allow records that relate to the data subject as proof of identity. CC ID 13772 | Process or Activity | Preventive | |
Conduct in-person proofing with physical interactions. CC ID 13775 | Process or Activity | Detective | |
Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Process or Activity | Preventive | |
Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Process or Activity | Preventive | |
Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Process or Activity | Preventive | |
Refrain from approving attributes in the identity proofing process. CC ID 13716 | Process or Activity | Preventive | |
Reperform the identity proofing process for each individual, as necessary. CC ID 13762 | Process or Activity | Detective | |
Establish, implement, and maintain an access control program. CC ID 11702 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Establish/Maintain Documentation | Preventive | |
Control access rights to organizational assets. CC ID 00004 | Technical Security | Preventive | |
Establish access rights based on least privilege. CC ID 01411 [Every provider of information and communications services or similar shall restrict the persons who may manage users' C;" class="term_primary-noun">personal information to the minimum extent. Every provider of information and communications services or similar shall restrict the persons who may manage users' personal information to the minimum extent. Article 28(2)] | Technical Security | Preventive | |
Assign user permissions based on job responsibilities. CC ID 00538 | Technical Security | Preventive | |
Assign user privileges after they have management sign off. CC ID 00542 | Technical Security | Preventive | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Configuration | Preventive | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Establish Roles | Preventive | |
Enforce access restrictions for restricted data. CC ID 01921 [A major provider of information and communications services may, if it is foreseen that a serious problem is likely to occur in the information system of a user who uses the services, the information and communications network, or similar provided by it because of an occurrence of a serious intrusion on its information and communications network, request the user to take necessary protective measures as stipulated by the standard user agreement, and may place a temporary restriction on access to the relevant information and communications network if the user does not perform as requested. Article 47-4(2)] | Data and Information Management | Preventive | |
Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)] | Technical Security | Preventive | |
Establish, implement, and maintain access control procedures. CC ID 11663 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Installation> and operation of an access control devicean>, such as a system for blocking intrusion to cut off illegal access to personal information; Article 28(1)(2)] | Establish/Maintain Documentation | Preventive | |
Implement out-of-band authentication, as necessary. CC ID 10606 | Technical Security | Corrective | |
Grant access to authorized personnel or systems. CC ID 12186 | Configuration | Preventive | |
Document approving and granting access in the access control log. CC ID 06786 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Communicate | Preventive | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Establish/Maintain Documentation | Preventive | |
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Establish/Maintain Documentation | Preventive | |
Include the date and time that access was reviewed in the system record. CC ID 16416 | Data and Information Management | Preventive | |
Include the date and time that access rights were changed in the system record. CC ID 16415 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Communicate | Corrective | |
Identify and control all network access controls. CC ID 00529 | Technical Security | Preventive | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Establish/Maintain Documentation | Preventive | |
Configure network access and control points to protect restricted data or restricted information. CC ID 01284 [A chief information protection officer shall be responsible for the following matters: Review of the encryption of an important information and the suitability of a security server; Article 45-3(3)(6)] | Configuration | Preventive | |
Protect data stored at external locations. CC ID 16333 | Data and Information Management | Preventive | |
Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 | Configuration | Detective | |
Protect the firewall's network connection interfaces. CC ID 01955 | Technical Security | Preventive | |
Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 | Configuration | Preventive | |
Allow local program exceptions on the firewall, as necessary. CC ID 01956 | Configuration | Preventive | |
Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 | Configuration | Preventive | |
Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 | Configuration | Preventive | |
Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 | Configuration | Preventive | |
Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 | Configuration | Preventive | |
Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 | Configuration | Preventive | |
Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 | Configuration | Preventive | |
Allow notification exceptions on the firewall, as necessary. CC ID 01962 | Configuration | Preventive | |
Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 | Configuration | Preventive | |
Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 | Configuration | Preventive | |
Allow local port exceptions on the firewall, as necessary. CC ID 01966 | Configuration | Preventive | |
Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 | Configuration | Preventive | |
Configure firewalls to perform dynamic packet filtering. CC ID 01288 | Testing | Detective | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical Security | Preventive | |
Configure firewall filtering to only permit established connections into the network. CC ID 12482 | Technical Security | Preventive | |
Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 | Data and Information Management | Preventive | |
Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 | Data and Information Management | Preventive | |
Synchronize and secure all router configuration files. CC ID 01291 | Configuration | Preventive | |
Synchronize and secure all firewall configuration files. CC ID 11851 | Configuration | Preventive | |
Configure firewalls to generate an audit log. CC ID 12038 | Audits and Risk Management | Preventive | |
Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 | Configuration | Preventive | |
Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 | Establish/Maintain Documentation | Preventive | |
Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 | Establish/Maintain Documentation | Preventive | |
Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 | Establish/Maintain Documentation | Preventive | |
Configure network access and control points to organizational standards. CC ID 12442 | Configuration | Detective | |
Enforce information flow control. CC ID 11781 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Establish/Maintain Documentation | Preventive | |
Constrain the information flow of restricted data or restricted information. CC ID 06763 [The Government may have providers or users of information and communications services to take necessary measures to prevent outflow " class="term_primary-noun">abroad of any important | Data and Information Management | Preventive | |
Quarantine data that fails security tests. CC ID 16500 | Data and Information Management | Corrective | |
Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 | Data and Information Management | Preventive | |
Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 | Data and Information Management | Preventive | |
Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 | Data and Information Management | Preventive | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 [A chief information protection officer shall be responsible for the following matters: Review of the encryption of an important information and the suitability of a security server; Article 45-3(3)(6)] | Technical Security | Preventive | |
Comply with the encryption laws of the local country. CC ID 16377 | Business Processes | Preventive | |
Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 | Establish/Maintain Documentation | Preventive | |
Define the cryptographic boundaries. CC ID 06543 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 | Establish/Maintain Documentation | Preventive | |
Implement the documented cryptographic module security functions. CC ID 06755 | Data and Information Management | Preventive | |
Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 | Establish/Maintain Documentation | Preventive | |
Document the operation of the cryptographic module. CC ID 06546 | Establish/Maintain Documentation | Preventive | |
Employ cryptographic controls that comply with applicable requirements. CC ID 12491 | Technical Security | Preventive | |
Establish, implement, and maintain digital signatures. CC ID 13828 | Data and Information Management | Preventive | |
Include the expiration date in digital signatures. CC ID 13833 | Data and Information Management | Preventive | |
Include audience restrictions in digital signatures. CC ID 13834 | Data and Information Management | Preventive | |
Include the subject in digital signatures. CC ID 13832 | Data and Information Management | Preventive | |
Include the issuer in digital signatures. CC ID 13831 | Data and Information Management | Preventive | |
Include identifiers in the digital signature. CC ID 13829 | Data and Information Management | Preventive | |
Generate and protect a secret random number for each digital signature. CC ID 06577 | Establish/Maintain Documentation | Preventive | |
Establish the security strength requirements for the digital signature process. CC ID 06578 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 | Establish/Maintain Documentation | Preventive | |
Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Configuration | Preventive | |
Encrypt in scope data or in scope information, as necessary. CC ID 04824 | Data and Information Management | Preventive | |
Digitally sign records and data, as necessary. CC ID 16507 | Data and Information Management | Preventive | |
Make key usage for data fields unique for each device. CC ID 04828 | Technical Security | Preventive | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Data and Information Management | Preventive | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Data and Information Management | Preventive | |
Accept only trusted keys and/or certificates. CC ID 11988 | Technical Security | Preventive | |
Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Data and Information Management | Preventive | |
Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Process or Activity | Preventive | |
Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Process or Activity | Preventive | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Communicate | Preventive | |
Define the format of the biometric data on identification cards or badges. CC ID 06586 | Process or Activity | Preventive | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Data and Information Management | Preventive | |
Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Communicate | Preventive | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 | Establish/Maintain Documentation | Preventive | |
Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Establish Roles | Preventive | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Communicate | Preventive | |
Bind keys to each identity. CC ID 12337 | Technical Security | Preventive | |
Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Establish/Maintain Documentation | Preventive | |
Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Establish/Maintain Documentation | Preventive | |
Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Data and Information Management | Preventive | |
Generate strong cryptographic keys. CC ID 01299 | Data and Information Management | Preventive | |
Generate unique cryptographic keys for each user. CC ID 12169 | Technical Security | Preventive | |
Use approved random number generators for creating cryptographic keys. CC ID 06574 | Data and Information Management | Preventive | |
Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical Security | Preventive | |
Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate cryptographic keys securely. CC ID 01300 | Data and Information Management | Preventive | |
Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Data and Information Management | Preventive | |
Store cryptographic keys securely. CC ID 01298 | Data and Information Management | Preventive | |
Restrict access to cryptographic keys. CC ID 01297 | Data and Information Management | Preventive | |
Store cryptographic keys in encrypted format. CC ID 06084 | Data and Information Management | Preventive | |
Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical Security | Preventive | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Establish/Maintain Documentation | Preventive | |
Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Data and Information Management | Preventive | |
Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Data and Information Management | Preventive | |
Control cryptographic keys with split knowledge and dual control. CC ID 01304 | Data and Information Management | Preventive | |
Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Data and Information Management | Preventive | |
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical Security | Preventive | |
Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Data and Information Management | Corrective | |
Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Data and Information Management | Corrective | |
Archive outdated cryptographic keys. CC ID 06884 | Data and Information Management | Preventive | |
Archive revoked cryptographic keys. CC ID 11819 | Data and Information Management | Preventive | |
Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Establish/Maintain Documentation | Preventive | |
Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Human Resources Management | Preventive | |
Test cryptographic key management applications, as necessary. CC ID 04829 | Testing | Detective | |
Manage the digital signature cryptographic key pair. CC ID 06576 | Data and Information Management | Preventive | |
Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Establish/Maintain Documentation | Preventive | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Establish Roles | Preventive | |
Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Establish/Maintain Documentation | Preventive | |
Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Establish/Maintain Documentation | Preventive | |
Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Establish/Maintain Documentation | Preventive | |
Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Establish/Maintain Documentation | Preventive | |
Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Establish/Maintain Documentation | Preventive | |
Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical Security | Preventive | |
Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical Security | Preventive | |
Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Establish/Maintain Documentation | Preventive | |
Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Establish/Maintain Documentation | Preventive | |
Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Establish/Maintain Documentation | Preventive | |
Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Establish/Maintain Documentation | Preventive | |
Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical Security | Preventive | |
Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Records Management | Preventive | |
Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 | Technical Security | Preventive | |
Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 | Technical Security | Preventive | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for security by using encryption technology and other methods for safe storage and transmission of personal information; Article 28(1)(4)] | Technical Security | Preventive | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Configuration | Preventive | |
Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical Security | Preventive | |
Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical Security | Preventive | |
Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Establish/Maintain Documentation | Preventive | |
Implement non-repudiation for transactions. CC ID 00567 | Testing | Detective | |
Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical Security | Preventive | |
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical Security | Preventive | |
Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical Security | Preventive | |
Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical Security | Preventive | |
Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical Security | Preventive | |
Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical Security | Preventive | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 [{antivirus software}Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing intrusion of computer viruses, including installation and operation of vaccine software; Article 28(1)(5) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that mutilates, destroys, alters, or forges an information and communications system, data, a program, or similar or that interferes with the operation of such system, data, program, or similar without a justifiable ground; Article 44-7(1)(4)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Communicate | Preventive | |
Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Communicate | Preventive | |
Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Establish/Maintain Documentation | Preventive | |
Restrict downloading to reduce malicious code attacks. CC ID 04576 | Behavior | Preventive | |
Install security and protection software, as necessary. CC ID 00575 [{antivirus software}Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing intrusion of computer viruses, including installation and operation of vaccine software; Article 28(1)(5)] | Configuration | Preventive | |
Install and maintain container security solutions. CC ID 16178 | Technical Security | Preventive | |
Scan for malicious code, as necessary. CC ID 11941 | Investigate | Detective | |
Test all removable storage media for viruses and malicious code. CC ID 11861 | Testing | Detective | |
Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Testing | Detective | |
Remove malware when malicious code is discovered. CC ID 13691 | Process or Activity | Corrective | |
Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Communicate | Corrective | |
Protect the system against replay attacks. CC ID 04552 | Technical Security | Preventive | |
Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Establish Roles | Preventive | |
Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 | Establish/Maintain Documentation | Corrective | |
Log and react to all malicious code activity. CC ID 07072 | Monitor and Evaluate Occurrences | Detective | |
Analyze the behavior and characteristics of the malicious code. CC ID 10672 | Technical Security | Detective | |
Incorporate the malicious code analysis into the patch management program. CC ID 10673 | Technical Security | Corrective | |
Lock antivirus configurations. CC ID 10047 | Configuration | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 [A person who has commissioned a third party to transmit advertising information for profit on his or her behalf shall control and oversee the person to whom the transmission was commissioned to ensure that the person does not violate Article 50. Article 50-3(1) A provider of information and communications services or similar shall control, supervise and educate the trustee to ensure that the trustee does not violate any provision of this Chapter. Article 25(4)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [A provider of information and communications services may take measures to refuse rendering corresponding services in any of the following cases: If transmission or reception of advertising information hinders or is likely to hinder rendering the services; Article 50-4(1)(1) Any provider of information and communications services or similar shall not conclude an international contract with any term or condition in violation of this Act with respect to personal information of users. Article 63(1) {relevant authority} Every provider of telecommunications billing services shall prepare a standard contract form on telecommunications billing services and report it to the Minister of Science, ICT and Future Planning (including reporting on a revision thereto). Article 56(1)] | Establish/Maintain Documentation | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 | Establish/Maintain Documentation | Preventive | |
Terminate supplier relationships, as necessary. CC ID 13489 [When a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) amends any of the contractual terms and conditions, he or she shall notify users of the amendment thereof one month prior to the effective date of the amended contractual terms and conditions. In such cases, a user who has an objection to the amended contractual terms and conditions may terminate the contract for telecommunications billing services. Article 58(6)] | Business Processes | Corrective | |
Document and maintain supply chain processes. CC ID 08816 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an exit plan. CC ID 15492 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Establish/Maintain Documentation | Preventive | |
Test the exit plan, as necessary. CC ID 15495 | Testing | Preventive | |
Include contingency plans in the third party management plan. CC ID 10030 | Establish/Maintain Documentation | Preventive | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 | Systems Continuity | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [{refrain from obtaining} Where any person intends to post advertising information for profit on an Internet website, he or she shall obtain prior consent from the operator or the manager of an Internet website: Provided, That in cases of a message board to which any person can have easy access without special authority and on which any person can post his or her message, he or she need not obtain prior consent. Article 50-7(1)] | Process or Activity | Detective | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Establish/Maintain Documentation | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Establish/Maintain Documentation | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Establish/Maintain Documentation | Preventive | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Establish/Maintain Documentation | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Establish/Maintain Documentation | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Establish/Maintain Documentation | Preventive | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Establish/Maintain Documentation | Preventive | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Establish/Maintain Documentation | Preventive | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Establish/Maintain Documentation | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Establish/Maintain Documentation | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Business Processes | Preventive | |
Include text about data ownership in third party contracts. CC ID 06502 | Establish/Maintain Documentation | Preventive | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Establish/Maintain Documentation | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Establish/Maintain Documentation | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 | Establish/Maintain Documentation | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Establish/Maintain Documentation | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Establish/Maintain Documentation | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Establish/Maintain Documentation | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Establish/Maintain Documentation | Preventive | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Establish/Maintain Documentation | Preventive | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Establish/Maintain Documentation | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 | Establish/Maintain Documentation | Preventive | |
Include points of contact in third party contracts. CC ID 12355 | Establish/Maintain Documentation | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Establish/Maintain Documentation | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Establish/Maintain Documentation | Preventive | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Establish/Maintain Documentation | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Establish/Maintain Documentation | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Acquisition/Sale of Assets or Services | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Establish/Maintain Documentation | Preventive | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Establish/Maintain Documentation | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Establish/Maintain Documentation | Preventive | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Establish/Maintain Documentation | Preventive | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 | Establish/Maintain Documentation | Preventive | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Establish/Maintain Documentation | Preventive | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Establish/Maintain Documentation | Preventive | |
Include change control notification processes in third party contracts. CC ID 06524 [When a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) amends any of the contractual terms and conditions, he or she shall notify users of the amendment thereof one month prior to the effective date of the amended contractual terms and conditions. In such cases, a user who has an objection to the amended contractual terms and conditions may terminate the contract for telecommunications billing services. Article 58(6)] | Establish/Maintain Documentation | Preventive | |
Include cost structure changes in third party contracts. CC ID 10021 | Establish/Maintain Documentation | Preventive | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Establish/Maintain Documentation | Preventive | |
Include a dispute resolution clause in third party contracts. CC ID 06519 [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)] | Establish/Maintain Documentation | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Establish/Maintain Documentation | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 [If a provider of information and communications services intends to take any measure for refusal under paragraph (1) or (4), he or she shall include matters concerning the refusal of the relevant services in the terms and conditions of a contract for use of information and communications services which he or she concludes with the user of such services. Article 50-4(2)] | Establish/Maintain Documentation | Detective | |
Include early termination contingency plans in the third party contracts. CC ID 06526 | Establish/Maintain Documentation | Preventive | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Establish/Maintain Documentation | Preventive | |
Include termination costs in third party contracts. CC ID 10023 | Establish/Maintain Documentation | Preventive | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Establish/Maintain Documentation | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Establish/Maintain Documentation | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 [A transferee of business or similar may use or furnish personal information only within the scope of purposes originally defined for which any provider of information and communications services or similar uses or furnishes the personal information of users: Provided, That the same shall not apply where he or she separately obtains consent from users. Article 26(3) A provider of information and communications services or similar shall, when he or she entrusts the management of personal information to a third party, define the scope of purposes, in advance, within which the trustee is allowed to manage personal information of users, and the trustee shall not manage the personal information of users beyond the scope of purposes. Article 25(3)] | Establish/Maintain Documentation | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Establish/Maintain Documentation | Preventive | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Testing | Detective | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 [A provider of telecommunications billing services shall provide users of telecommunications billing services with a method by which users can verify the details of purchase and use, and shall also furnish a user, upon request, with a written statement on the details of purchase and use (including an electronic document; hereinafter the same shall apply) within two weeks from the date requested. Article 58(2)] | Establish/Maintain Documentation | Preventive | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Testing | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Testing | Detective | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Establish/Maintain Documentation | Preventive | |
Establish the third party's service continuity. CC ID 00797 | Testing | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Testing | Detective | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Data and Information Management | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Testing | Detective | |
Include disclosure requirements in third party contracts. CC ID 08825 | Business Processes | Preventive | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Establish/Maintain Documentation | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Establish/Maintain Documentation | Preventive | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 | Establish/Maintain Documentation | Detective | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 | Establish/Maintain Documentation | Preventive | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Establish/Maintain Documentation | Preventive | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Establish/Maintain Documentation | Preventive | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Communicate | Preventive | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Establish/Maintain Documentation | Preventive | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Establish/Maintain Documentation | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Establish/Maintain Documentation | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Establish/Maintain Documentation | Preventive | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Establish/Maintain Documentation | Preventive | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Establish/Maintain Documentation | Preventive | |
Document supply chain transactions in the supply chain management program. CC ID 08857 | Business Processes | Preventive | |
Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Establish/Maintain Documentation | Preventive | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Establish/Maintain Documentation | Preventive | |
Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain Operational Level Agreements. CC ID 13637 | Establish/Maintain Documentation | Preventive | |
Include technical processes in operational level agreements, as necessary. CC ID 13639 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Process or Activity | Preventive | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 | Establish/Maintain Documentation | Detective | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Establish Roles | Preventive | |
Approve all Service Level Agreements. CC ID 00843 | Establish/Maintain Documentation | Detective | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Business Processes | Detective | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Establish/Maintain Documentation | Detective | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Business Processes | Corrective | |
Categorize all suppliers in the supply chain management program. CC ID 00792 | Establish/Maintain Documentation | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments of third parties, as necessary. CC ID 06454 | Testing | Detective | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 | Business Processes | Preventive | |
Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Establish/Maintain Documentation | Preventive | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Establish/Maintain Documentation | Preventive | |
Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Business Processes | Preventive | |
Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Establish/Maintain Documentation | Preventive | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 | Establish/Maintain Documentation | Preventive | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 | Establish/Maintain Documentation | Preventive | |
Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 | Business Processes | Preventive | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Human Resources Management | Preventive | |
Include supplier assessment principles in the supply chain management policy. CC ID 08809 | Establish/Maintain Documentation | Preventive | |
Include the third party selection process in the supply chain management policy. CC ID 13132 | Establish/Maintain Documentation | Preventive | |
Select suppliers based on their qualifications. CC ID 00795 | Establish/Maintain Documentation | Preventive | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Establish/Maintain Documentation | Preventive | |
Include a clear management process in the supply chain management policy. CC ID 08810 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Establish/Maintain Documentation | Preventive | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Communicate | Preventive | |
Require suppliers to commit to the supply chain management policy. CC ID 08813 | Establish/Maintain Documentation | Preventive | |
Support third parties in building their capabilities. CC ID 08814 | Business Processes | Preventive | |
Implement measurable improvement plans with all third parties. CC ID 08815 | Business Processes | Preventive | |
Post a list of compliant third parties on the organization's website. CC ID 08817 | Business Processes | Preventive | |
Use third parties that are compliant with the applicable requirements. CC ID 08818 | Business Processes | Preventive | |
Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Establish/Maintain Documentation | Preventive | |
Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Establish/Maintain Documentation | Preventive | |
Include all in scope materials in the conflict minerals policy. CC ID 08945 | Establish/Maintain Documentation | Preventive | |
Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Establish/Maintain Documentation | Preventive | |
Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Establish/Maintain Documentation | Preventive | |
Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Data and Information Management | Preventive | |
Establish and maintain a conflict materials report. CC ID 08823 | Establish/Maintain Documentation | Preventive | |
Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Establish/Maintain Documentation | Preventive | |
Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Establish/Maintain Documentation | Preventive | |
Identify supply sources for secondary materials. CC ID 08822 | Business Processes | Preventive | |
Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Business Processes | Preventive | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Establish/Maintain Documentation | Preventive | |
Include the organization approving subcontractors in the outsourcing contract. CC ID 13131 [{business affair}{personal information} A trustee may re-entrust a third party with affairs entrusted pursuant to paragraph (1) only where the trustee obtains consent from the provider, etc. of information and communications services. Article 25(7)] | Establish/Maintain Documentation | Preventive |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Preventive | |
Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 [Every business operator of clustered information and communications facilities shall purchase insurance policies as prescribed by Presidential Decree to cover damages that may be caused by destruction or damage of the clustered information and communications facilities or any other trouble in operation. Article 46(2)] | Operational and Systems Continuity | Preventive | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Corrective | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive | |
Mitigate reported incidents. CC ID 12973 [{mitigate} A person who operates an information and communications network, including a provider of information and communications services, shall analyze causes of intrusion and keep damage from intrusion at bay, whenever an intrusion occurs. Article 48-4(1)] | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Configure firewalls to generate an audit log. CC ID 12038 | Technical security | Preventive | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Restrict downloading to reduce malicious code attacks. CC ID 04576 | Technical security | Preventive | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Preventive | |
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Physical and environmental protection | Preventive | |
Manage constituent identification inside the facility. CC ID 02215 | Physical and environmental protection | Preventive | |
Issue visitor identification badges to all non-employees. CC ID 00543 | Physical and environmental protection | Preventive | |
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Physical and environmental protection | Preventive | |
Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Physical and environmental protection | Preventive | |
Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Physical and environmental protection | Preventive | |
Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Physical and environmental protection | Preventive | |
Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Physical and environmental protection | Preventive | |
Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Physical and environmental protection | Preventive | |
Train all new hires, as necessary. CC ID 06673 | Human Resources management | Preventive | |
Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 | Human Resources management | Preventive | |
Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 | Human Resources management | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 [A provider of information and communications services or similar shall control, supervise and educate the trustee to ensure that the trustee does not violate any provision of this Chapter. Article 25(4)] | Human Resources management | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 | Human Resources management | Preventive | |
Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Human Resources management | Preventive | |
Tailor training to be taught at each person's level of responsibility. CC ID 06674 | Human Resources management | Preventive | |
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Human Resources management | Preventive | |
Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Human Resources management | Preventive | |
Conduct Archives and Records Management training. CC ID 00975 | Human Resources management | Preventive | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Preventive | |
Conduct secure coding and development training for developers. CC ID 06822 | Human Resources management | Corrective | |
Conduct crime prevention training. CC ID 06350 | Human Resources management | Preventive | |
Include limitations on referrals for products and services in the Code of Conduct. CC ID 16719 | Human Resources management | Preventive | |
Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 | Human Resources management | Corrective | |
Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 | Human Resources management | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Preventive | |
Share data loss event information with the media. CC ID 01759 | Operational management | Corrective | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [{relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1)] | Operational management | Corrective | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Detective | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Corrective | |
Avoid false positive incident response notifications. CC ID 04732 | Operational management | Detective | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Corrective | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Corrective | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Corrective | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Corrective | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Preventive | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Preventive | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Corrective | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Preventive | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Corrective | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 [{relevant authority} A software business operator under Article 2 of the Software Industry Promotion Act shall, when he or she produced a program that improves weaknesses in security, notify the Korea Internet and Security Agency of its production, and shall notify users of the software of the production at least twice within one month from the date of production. Article 47-4(3)] | Operational management | Preventive | |
Notify affected parties to keep authenticators confidential. CC ID 06787 | System hardening through configuration management | Preventive | |
Discourage affected parties from recording authenticators. CC ID 06788 | System hardening through configuration management | Preventive | |
Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455 [Where a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) provides telecommunications billing services or increases the upper limits of use, it shall obtain consent from a user of the relevant telecommunications billing services in advance. Article 58(5)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 [{relevant authority} A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Article 53(1)] | Privacy protection for information and data | Preventive | |
Define the criteria for waivers of data subjects' rights. CC ID 16858 | Privacy protection for information and data | Preventive | |
Revoke waivers of data subject's rights, as necessary. CC ID 16859 | Privacy protection for information and data | Preventive | |
Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 [{make aware} Every provider of information and communications services or similar shall, when he or she revises the policy on managing personal information under paragraph (1), give public notice of the reasons for and details of such revision without delay in a manner specified by Presidential Decree, and take measures to make users aware of the details of the revision easily at any time. Article 27-2(3)] | Privacy protection for information and data | Preventive | |
Notify the supervisory authority. CC ID 00472 [{relevant authority}{collection}{personal data} A provider of information and communications services shall, whenever it discovers a violation of paragraph (1), immediately report it to the Minister of Science, Information and Communications Technology (ICT) and Future Planning, the Korea Communications Commission, or the Korea Internet and Security Agency. Article 49-2(2)] | Privacy protection for information and data | Preventive | |
Notify the data subject of the collection purpose. CC ID 00095 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1) A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1] | Privacy protection for information and data | Preventive | |
Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Privacy protection for information and data | Preventive | |
Notify the data subject of changes to personal data use. CC ID 00105 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Period of time during which he or she intends to possess and use the personal information. Article 22(1)(3) A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Items of personal information that he or she intends to collect; Article 22(1)(2) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2) A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1)] | Privacy protection for information and data | Preventive | |
Obtain the data subject's consent when the personal data use changes. CC ID 11832 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Article 22(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2) A transferee of business or similar may use or furnish personal information only within the scope of purposes originally defined for which any provider of information and communications services or similar uses or furnishes the personal information of users: Provided, That the same shall not apply where he or she separately obtains consent from users. Article 26(3)] | Privacy protection for information and data | Preventive | |
Respond to data access requests in a timely manner. CC ID 00421 [{personal information} A provider of information and communications services or similar shall, in receipt of a request to peruse or furnish matters in accordance with paragraph (2), take necessary measures without delay. Article 30(4)] | Privacy protection for information and data | Preventive | |
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Privacy protection for information and data | Detective | |
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Detective | |
Notify the data subject after personal data is used or disclosed. CC ID 06247 | Privacy protection for information and data | Preventive | |
Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 | Privacy protection for information and data | Preventive | |
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Preventive | |
Notify the data subject of the source of collected personal data. CC ID 00083 | Privacy protection for information and data | Preventive | |
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Privacy protection for information and data | Preventive | |
Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Preventive | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Detective | |
Notify data subjects when their personal data is transferred. CC ID 00352 [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The fact that the personal information is to be transferred; Article 26(1)(1) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: A nation to which the personal information is to be transferred, the date and time, and methods of transfer; Article 63(3)(2) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: A nation to which the personal information is to be transferred, the date and time, and methods of transfer; Article 63(3)(2)] | Privacy protection for information and data | Preventive | |
Follow the instructions of the data transferrer. CC ID 00334 | Privacy protection for information and data | Preventive | |
Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Privacy protection for information and data | Preventive | |
Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Privacy protection for information and data | Preventive | |
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 | Privacy protection for information and data | Corrective | |
File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Privacy protection for information and data | Corrective | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 [A user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3) {violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2) {violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)] | Privacy protection for information and data | Corrective | |
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)] | Privacy protection for information and data | Corrective | |
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 | Privacy protection for information and data | Corrective | |
Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Detective | |
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Privacy protection for information and data | Detective | |
Investigate privacy rights violation complaints in private. CC ID 00492 | Privacy protection for information and data | Detective | |
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 | Privacy protection for information and data | Detective | |
Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Privacy protection for information and data | Detective | |
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [{relevant authority} If parties fail to or are unable to reach an agreement on compensation for damages under paragraph (2), either party may file an application for decision with the Korea Communications Commission. Article 60(3)] | Privacy protection for information and data | Preventive | |
Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Privacy protection for information and data | Preventive | |
Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Privacy protection for information and data | Preventive | |
Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Privacy protection for information and data | Preventive | |
Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Privacy protection for information and data | Preventive | |
Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Privacy protection for information and data | Preventive | |
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Privacy protection for information and data | Preventive | |
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Privacy protection for information and data | Preventive | |
Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Privacy protection for information and data | Preventive | |
Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Privacy protection for information and data | Corrective | |
Order the organization to change to be in compliance with applicable law. CC ID 00499 | Privacy protection for information and data | Corrective | |
Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Privacy protection for information and data | Corrective | |
Award damages based on applicable law. CC ID 00501 [A provider of telecommunications billing services shall negotiate with the claimant to damages for agreement on compensation for the damages under paragraph (1). Article 60(2)] | Privacy protection for information and data | Corrective | |
Notify the public and other agencies after a penalty becomes final. CC ID 06217 | Privacy protection for information and data | Preventive | |
Refrain from using misleading subject lines or false subject line on unsolicited commercial electronic messages. CC ID 00294 [{refrain from taking}No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Various measures to hide the identity of the sender of advertising information or the source from which advertising is transmitted; Article 50(5)(4) {refrain from taking}No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Various measures to induce an addressee to reply by deceiving him or her for the purpose of transmitting advertising information for profit. Article 50(5)(5)] | Privacy protection for information and data | Preventive | |
Refrain from using address-harvesting software to send unsolicited commercial e-mails. CC ID 00298 [{refrain from taking}No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to automatically generate an addressee's contact information, such as telephone numbers and email addresses, by combining figures, codes, or letters; Article 50(5)(2)] | Privacy protection for information and data | Preventive | |
Send commercial electronic messages to individuals who have consented to receive them. CC ID 00302 [If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Article 50(1)] | Privacy protection for information and data | Preventive | |
Send commercial electronic messages to individuals who have an existing relationship with the organization. CC ID 00301 [{refrain from obtaining}If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Where a person who has directly collected contact details from the addressee in his or her dealings of goods, etc. intends to transmit advertising information for profit on the same kinds of goods, etc. as those he or she manages and has dealt with the addressee within a period prescribed by Presidential Decree; Article 50(1)(1) {refrain from obtaining} Where any person intends to post advertising information for profit on an Internet website, he or she shall obtain prior consent from the operator or the manager of an Internet website: Provided, That in cases of a message board to which any person can have easy access without special authority and on which any person can post his or her message, he or she need not obtain prior consent. Article 50-7(1)] | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Preventive | |
Identify the material topics required to be reported on. CC ID 15654 | Leadership and high level objectives | Preventive | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 | Leadership and high level objectives | Preventive | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 | Leadership and high level objectives | Preventive | |
Prioritize organizational objectives. CC ID 09960 | Leadership and high level objectives | Preventive | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Leadership and high level objectives | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Preventive | |
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Leadership and high level objectives | Preventive | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Leadership and high level objectives | Preventive | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Leadership and high level objectives | Preventive | |
Attach the required information to each funds transfer. CC ID 16756 | Leadership and high level objectives | Preventive | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Leadership and high level objectives | Preventive | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Leadership and high level objectives | Preventive | |
Identify and maintain positions in financial accounts. CC ID 16751 | Leadership and high level objectives | Preventive | |
Supplement financial resources, as necessary. CC ID 16685 | Leadership and high level objectives | Preventive | |
Limit the types of assets accepted as collateral. CC ID 16602 | Leadership and high level objectives | Preventive | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Leadership and high level objectives | Preventive | |
Include investment information in approval requests for investments. CC ID 16590 | Leadership and high level objectives | Preventive | |
Review and approve lending policies. CC ID 16607 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain margin systems. CC ID 16601 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Leadership and high level objectives | Preventive | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Preventive | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Preventive | |
Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Technical security | Detective | |
Comply with the encryption laws of the local country. CC ID 16377 | Technical security | Preventive | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Preventive | |
Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain an education methodology. CC ID 06671 | Human Resources management | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Preventive | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Detective | |
Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Preventive | |
Establish, implement, and maintain a Service Management System. CC ID 13889 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
Analyze and respond to security alerts. CC ID 12504 [{mitigate} A person who operates an information and communications network, including a provider of information and communications services, shall analyze causes of intrusion and keep damage from intrusion at bay, whenever an intrusion occurs. Article 48-4(1)] | Operational management | Detective | |
Manage the creation of products and services, as necessary. CC ID 13497 | Operational management | Preventive | |
Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | System hardening through configuration management | Corrective | |
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 | Acquisition or sale of facilities, technology, and services | Preventive | |
Restrict transaction activities, as necessary. CC ID 16334 | Acquisition or sale of facilities, technology, and services | Preventive | |
Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 | Acquisition or sale of facilities, technology, and services | Preventive | |
Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 | Acquisition or sale of facilities, technology, and services | Preventive | |
Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 | Acquisition or sale of facilities, technology, and services | Preventive | |
Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 | Acquisition or sale of facilities, technology, and services | Preventive | |
Protect the integrity of application service transactions. CC ID 12017 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 | Acquisition or sale of facilities, technology, and services | Preventive | |
Bill and settle electronic commerce transactions. CC ID 08622 | Acquisition or sale of facilities, technology, and services | Preventive | |
Correct billing and settlement errors. CC ID 08623 [A user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3)] | Acquisition or sale of facilities, technology, and services | Corrective | |
Withhold payment and settlement functions, as necessary. CC ID 15460 [A user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Preventive | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Preventive | |
Approve the privacy plan. CC ID 14700 | Privacy protection for information and data | Preventive | |
Protect private communications in keeping with compliance requirements. CC ID 14334 | Privacy protection for information and data | Preventive | |
Refrain from charging a fee to implement an opt-out request. CC ID 13877 [A person who transmits advertising information for profit by using an electronic transmission medium shall take necessary measures so that an addressee does not incur any cost, such as telephone charges, when the addressee refuses to receive or revokes his or her consent to receive such information, as prescribed by Presidential Decree. Article 50(6)] | Privacy protection for information and data | Preventive | |
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Privacy protection for information and data | Preventive | |
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Privacy protection for information and data | Preventive | |
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Preventive | |
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Preventive | |
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 | Privacy protection for information and data | Preventive | |
Allow consent requests to be provided in any official languages. CC ID 16530 | Privacy protection for information and data | Preventive | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Preventive | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Preventive | |
Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Preventive | |
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 [{refrain from transmitting}{refrain from displaying}{refrain from taking} No one may transmit, to a juvenile under subparagraph 1 of Article 2 of the Juvenile Protection Act, any information containing an advertisement of an unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the aforesaid Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in the form of code, letter, voice, sound, image, or motion picture through an information and communications network or display such medium to the general public without taking any measure to restrict access by a juvenile. Article 42-2 ¶ 1] | Privacy protection for information and data | Preventive | |
Dispose of personal data removal requests, as necessary. CC ID 13512 | Privacy protection for information and data | Preventive | |
Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Privacy protection for information and data | Detective | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Preventive | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Preventive | |
Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 | Privacy protection for information and data | Preventive | |
Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 | Privacy protection for information and data | Preventive | |
Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Privacy protection for information and data | Preventive | |
Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Privacy protection for information and data | Preventive | |
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Privacy protection for information and data | Corrective | |
Include contact information in commercial electronic messages. CC ID 15457 [A person who transmits advertising information for profit by using an electronic transmission medium shall specify the following matters in advertising information, as prescribed by Presidential Decree: The name and contact details of a sender; Article 50(4)(1)] | Privacy protection for information and data | Preventive | |
Terminate supplier relationships, as necessary. CC ID 13489 [When a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) amends any of the contractual terms and conditions, he or she shall notify users of the amendment thereof one month prior to the effective date of the amended contractual terms and conditions. In such cases, a user who has an objection to the amended contractual terms and conditions may terminate the contract for telecommunications billing services. Article 58(6)] | Third Party and supply chain oversight | Corrective | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Third Party and supply chain oversight | Preventive | |
Include disclosure requirements in third party contracts. CC ID 08825 | Third Party and supply chain oversight | Preventive | |
Document supply chain transactions in the supply chain management program. CC ID 08857 | Third Party and supply chain oversight | Preventive | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Third Party and supply chain oversight | Detective | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Third Party and supply chain oversight | Corrective | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 | Third Party and supply chain oversight | Preventive | |
Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Third Party and supply chain oversight | Preventive | |
Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 | Third Party and supply chain oversight | Preventive | |
Support third parties in building their capabilities. CC ID 08814 | Third Party and supply chain oversight | Preventive | |
Implement measurable improvement plans with all third parties. CC ID 08815 | Third Party and supply chain oversight | Preventive | |
Post a list of compliant third parties on the organization's website. CC ID 08817 | Third Party and supply chain oversight | Preventive | |
Use third parties that are compliant with the applicable requirements. CC ID 08818 | Third Party and supply chain oversight | Preventive | |
Identify supply sources for secondary materials. CC ID 08822 | Third Party and supply chain oversight | Preventive | |
Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an external reporting program. CC ID 12876 [{relevant authority} A provider of information and communications services may designate a chief information protection officer at a level of an executive officer for security of information and communications system, etc. and for safe administration of information: Provided, That in cases of any provider of information and communications services whose number of employees, number of users, etc. meet standards prescribed by Presidential Decree, he or she shall report its designation of the chief information protection officer to the Minister of Science, ICT and Future Planning. Article 45-3(1)] | Leadership and high level objectives | Preventive | |
Provide identifying information about the organization to the responsible party. CC ID 16715 | Leadership and high level objectives | Preventive | |
Prioritize material topics used in reporting. CC ID 15678 | Leadership and high level objectives | Preventive | |
Include time requirements in the external reporting program. CC ID 16566 | Leadership and high level objectives | Preventive | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 [{relevant authority} When the identification service agency intends to discontinue the identification affairs, it shall notify the intention to the users no later than 60 days prior to the intended date of discontinuation and shall report the same to the Korea Communications Commission. Article 23-3(3) {relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2) {relevant authority} Every provider of telecommunications billing services shall prepare a standard contract form on telecommunications billing services and report it to the Minister of Science, ICT and Future Planning (including reporting on a revision thereto). Article 56(1)] | Leadership and high level objectives | Preventive | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Preventive | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 | Leadership and high level objectives | Preventive | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Leadership and high level objectives | Preventive | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Preventive | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Preventive | |
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Technical security | Corrective | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Preventive | |
Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Technical security | Preventive | |
Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Technical security | Preventive | |
Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Technical security | Preventive | |
Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Technical security | Preventive | |
Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Corrective | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Preventive | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Preventive | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 | Human Resources management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Preventive | |
Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 | Human Resources management | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Preventive | |
Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 | Human Resources management | Preventive | |
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 [{refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that falls within speculative activities prohibited by statutes; Article 44-7(1)(6) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that commits an activity prohibited by the National Security Act; Article 44-7(1)(8) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Other information with a content that attempts, aids, or abets to commit a crime. Article 44-7(1)(9) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that arouses fear or apprehension by reaching other persons repeatedly in the form of code, words, sound, image, or motion picture; Article 44-7(1)(3)] | Human Resources management | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Preventive | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Preventive | |
Communicate the service management program to interested personnel and affected parties. CC ID 13904 | Operational management | Preventive | |
Communicate service management release success or failures to interested personnel and affected parties, as necessary. CC ID 13927 | Operational management | Preventive | |
Communicate the release dates of applicable services to interested personnel and affected parties. CC ID 13924 | Operational management | Preventive | |
Include the implications of failing to comply with the Service Management System requirements in the communication plan for the service management program. CC ID 13909 | Operational management | Preventive | |
Include the benefits of improved performance in the communication plan for the service management program. CC ID 13908 | Operational management | Preventive | |
Include the importance of conforming to the Service Management System requirements in the communication plan for the service management program. CC ID 13907 | Operational management | Preventive | |
Disseminate and communicate the suspension period of suspended services to interested personnel and affected parties. CC ID 15459 [{relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2) {relevant authority} When the identification service agency intends to discontinue the identification affairs, it shall notify the intention to the users no later than 60 days prior to the intended date of discontinuation and shall report the same to the Korea Communications Commission. Article 23-3(3)] | Operational management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Corrective | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Preventive | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Corrective | |
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 [{relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1)] | Operational management | Preventive | |
Provide customer security advice, as necessary. CC ID 13674 [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Measures available for users to take; Article 27-3(1)(3) A major provider of information and communications services may, if it is foreseen that a serious problem is likely to occur in the information system of a user who uses the services, the information and communications network, or similar provided by it because of an occurrence of a serious intrusion on its information and communications network, request the user to take necessary protective measures as stipulated by the standard user agreement, and may place a temporary restriction on access to the relevant information and communications network if the user does not perform as requested. Article 47-4(2)] | Operational management | Preventive | |
Use simple understandable language when providing customer security advice. CC ID 13685 | Operational management | Preventive | |
Disseminate and communicate to customers the risks associated with transaction limits. CC ID 13686 | Operational management | Preventive | |
Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 | Acquisition or sale of facilities, technology, and services | Preventive | |
Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 | Privacy protection for information and data | Preventive | |
Deliver privacy notices to data subjects, as necessary. CC ID 13444 | Privacy protection for information and data | Preventive | |
Update privacy notices, as necessary. CC ID 13474 | Privacy protection for information and data | Preventive | |
Redeliver privacy notices, as necessary. CC ID 14850 | Privacy protection for information and data | Preventive | |
Deliver privacy notices to third parties, as necessary. CC ID 13473 | Privacy protection for information and data | Preventive | |
Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 | Privacy protection for information and data | Preventive | |
Deliver opt-out notices, as necessary. CC ID 13449 | Privacy protection for information and data | Preventive | |
Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 | Privacy protection for information and data | Preventive | |
Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 | Privacy protection for information and data | Preventive | |
Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 | Privacy protection for information and data | Preventive | |
Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 | Privacy protection for information and data | Preventive | |
Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 | Privacy protection for information and data | Preventive | |
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 | Privacy protection for information and data | Preventive | |
Notify data subjects about their privacy rights. CC ID 12989 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Rights of users and their legal representatives and methods for the exercise of such rights; Article 27-2(2)(5) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Rights of users and their legal representatives and methods for the exercise of such rights; Article 27-2(2)(5)] | Privacy protection for information and data | Preventive | |
Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 | Privacy protection for information and data | Preventive | |
Provide public proof the organization participates in a privacy program. CC ID 12349 | Privacy protection for information and data | Preventive | |
Disclose statements added to education records, as necessary. CC ID 12990 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Privacy protection for information and data | Preventive | |
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject, as necessary. CC ID 12625 [A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2) A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2) A provider of information and communications services may, if it is difficult to judge whether information violates any right or it is anticipated that there will probably be a dispute between interested parties, take a measure to block access to the information temporarily (hereinafter referred to as "temporary measures"), irrespective of a request for deletion of the information under paragraph (1). In such cases, the period of time for the temporary measure shall not exceed 30 days. Article 44-2(4)] | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Privacy protection for information and data | Preventive | |
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, establish and disclose its policy on managing personal information to the public in a manner specified by Presidential Decree so that users become aware of the policy easily at any time. Article 27-2(1)] | Privacy protection for information and data | Preventive | |
Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 | Privacy protection for information and data | Preventive | |
Disseminate private communications when required by law. CC ID 14335 | Privacy protection for information and data | Corrective | |
Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Privacy protection for information and data | Preventive | |
Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Preventive | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Corrective | |
Notify the data controller of any changes in data processors. CC ID 12648 | Privacy protection for information and data | Preventive | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 [{stipulated timeframe} The provider, etc. of information and communications services shall notify , until 30 days before expiration of the period under paragraph (2), the users of the matters prescribed by Presidential Decree such as the fact that the personal information will be destroyed, the expiration date of the period and items of personal information subject to destruction, in a manner prescribed by Presidential Decree such as by email. Article 29(3)] | Privacy protection for information and data | Preventive | |
Disclose de-identified data, as necessary. CC ID 13034 | Privacy protection for information and data | Preventive | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Corrective | |
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 [{refrain from taking}No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to avoid or interfere with an addressee's refusal to receive or revocation of his or her consent to receive advertising information; Article 50(5)(1) {refrain from transmitting} Notwithstanding paragraph (1), where an addressee expresses his or her intention to refuse to receive information or revokes his or her prior consent, no person who intends to transmit advertising information for profit by using an electronic transmission medium shall transmit advertising information for profit. Article 50(2) A provider of information and communications services may take measures to refuse rendering corresponding services in any of the following cases: If a user does not want to receive advertising information; Article 50-4(1)(2)] | Privacy protection for information and data | Corrective | |
Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 | Privacy protection for information and data | Corrective | |
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Privacy protection for information and data | Corrective | |
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 [A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2) A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2)] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Privacy protection for information and data | Preventive | |
Capture personal data removal requests. CC ID 13507 [Where information provided through an information and communications network purposely to be made public intrudes on other persons' privacy, defames other persons, or violates other persons' right otherwise, the victim of such violation may request the provider of information and communications services who managed the information to delete the information or publish a rebuttable statement (hereinafter referred to as "deletion or rebuttal"), presenting explanatory materials supporting the alleged violation. Article 44-2(1)] | Privacy protection for information and data | Preventive | |
Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Preventive | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Preventive | |
Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Preventive | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Preventive | |
Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 [A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: A nation to which the personal information is to be transferred, the date and time, and methods of transfer; Article 63(3)(2)] | Privacy protection for information and data | Preventive | |
Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Privacy protection for information and data | Preventive | |
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Privacy protection for information and data | Preventive | |
Notify third parties of unresolved challenges. CC ID 13559 | Privacy protection for information and data | Preventive | |
Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Privacy protection for information and data | Corrective | |
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Privacy protection for information and data | Preventive | |
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Privacy protection for information and data | Preventive | |
Refrain from sending unsolicited commercial electronic messages under predetermined conditions. CC ID 13993 [{refrain from taking}No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to automatically register telephone numbers or email addresses for the purpose of transmitting advertising information for profit; Article 50(5)(3) {refrain from posting} Notwithstanding paragraph (1), where the operator or the manager of an Internet website explicitly expresses his or her intention to refuse to post a notice or to revoke his or her prior consent, no person who intends to post advertising information for profit shall post advertising information for profit. Article 50-7(2)] | Privacy protection for information and data | Preventive | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Preventive | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 [The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Installation of a systematic or technical device for preventing unlawful use of information and communications networks; Article 51(3)(1)] | Monitoring and measurement | Preventive | |
Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Technical security | Preventive | |
Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Technical security | Preventive | |
Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Technical security | Preventive | |
Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Technical security | Preventive | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Preventive | |
Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Preventive | |
Configure network access and control points to protect restricted data or restricted information. CC ID 01284 [A chief information protection officer shall be responsible for the following matters: Review of the encryption of an important information and the suitability of a security server; Article 45-3(3)(6)] | Technical security | Preventive | |
Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 | Technical security | Detective | |
Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 | Technical security | Preventive | |
Allow local program exceptions on the firewall, as necessary. CC ID 01956 | Technical security | Preventive | |
Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 | Technical security | Preventive | |
Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 | Technical security | Preventive | |
Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 | Technical security | Preventive | |
Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 | Technical security | Preventive | |
Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 | Technical security | Preventive | |
Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 | Technical security | Preventive | |
Allow notification exceptions on the firewall, as necessary. CC ID 01962 | Technical security | Preventive | |
Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 | Technical security | Preventive | |
Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 | Technical security | Preventive | |
Allow local port exceptions on the firewall, as necessary. CC ID 01966 | Technical security | Preventive | |
Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 | Technical security | Preventive | |
Synchronize and secure all router configuration files. CC ID 01291 | Technical security | Preventive | |
Synchronize and secure all firewall configuration files. CC ID 11851 | Technical security | Preventive | |
Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 | Technical security | Preventive | |
Configure network access and control points to organizational standards. CC ID 12442 | Technical security | Detective | |
Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Technical security | Preventive | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Technical security | Preventive | |
Install security and protection software, as necessary. CC ID 00575 [{antivirus software}Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing intrusion of computer viruses, including installation and operation of vaccine software; Article 28(1)(5)] | Technical security | Preventive | |
Lock antivirus configurations. CC ID 10047 | Technical security | Preventive | |
Install doors so that exposed hinges are on the secured side. CC ID 06687 | Physical and environmental protection | Preventive | |
Install emergency doors to permit egress only. CC ID 06688 | Physical and environmental protection | Preventive | |
Install contact alarms on doors, as necessary. CC ID 06710 | Physical and environmental protection | Preventive | |
Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Physical and environmental protection | Preventive | |
Install contact alarms on openable windows, as necessary. CC ID 06690 | Physical and environmental protection | Preventive | |
Install glass break alarms on windows, as necessary. CC ID 06691 | Physical and environmental protection | Preventive | |
Configure video cameras to cover all physical entry points. CC ID 06302 | Physical and environmental protection | Preventive | |
Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Physical and environmental protection | Preventive | |
Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Physical and environmental protection | Preventive | |
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Preventive | |
Configure authenticators to comply with organizational standards. CC ID 06412 | System hardening through configuration management | Preventive | |
Configure the system to require new users to change their authenticator on first use. CC ID 05268 | System hardening through configuration management | Preventive | |
Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 | System hardening through configuration management | Preventive | |
Configure the system to prevent unencrypted authenticator use. CC ID 04457 | System hardening through configuration management | Preventive | |
Disable store passwords using reversible encryption. CC ID 01708 | System hardening through configuration management | Preventive | |
Configure the system to encrypt authenticators. CC ID 06735 | System hardening through configuration management | Preventive | |
Configure the system to mask authenticators. CC ID 02037 | System hardening through configuration management | Preventive | |
Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators. CC ID 05992 | System hardening through configuration management | Preventive | |
Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 | System hardening through configuration management | Preventive | |
Disable machine account password changes. CC ID 01737 | System hardening through configuration management | Preventive | |
Configure the "Disable Remember Password" setting. CC ID 05270 | System hardening through configuration management | Preventive | |
Configure the "Minimum password age" to organizational standards. CC ID 01703 | System hardening through configuration management | Preventive | |
Configure the LILO/GRUB password. CC ID 01576 | System hardening through configuration management | Preventive | |
Configure the system to use Apple's Keychain Access to store passwords and certificates. CC ID 04481 | System hardening through configuration management | Preventive | |
Change the default password to Apple's Keychain. CC ID 04482 | System hardening through configuration management | Preventive | |
Configure Apple's Keychain items to ask for the Keychain password. CC ID 04483 | System hardening through configuration management | Preventive | |
Configure the Syskey Encryption Key and associated password. CC ID 05978 | System hardening through configuration management | Preventive | |
Configure the "Accounts: Limit local account use of blank passwords to console logon only" setting. CC ID 04505 | System hardening through configuration management | Preventive | |
Configure the "System cryptography: Force strong key protection for user keys stored in the computer" setting. CC ID 04534 | System hardening through configuration management | Preventive | |
Configure interactive logon for accounts that do not have assigned authenticators in accordance with organizational standards. CC ID 05267 | System hardening through configuration management | Preventive | |
Enable or disable remote connections from accounts with empty authenticators, as appropriate. CC ID 05269 | System hardening through configuration management | Preventive | |
Configure the "Send LanMan compatible password" setting. CC ID 05271 | System hardening through configuration management | Preventive | |
Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate. CC ID 05993 | System hardening through configuration management | Preventive | |
Set the most number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 | System hardening through configuration management | Preventive | |
Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 | System hardening through configuration management | Preventive | |
Configure the "Disable password strength validation for Peer Grouping" setting to organizational standards. CC ID 10866 | System hardening through configuration management | Preventive | |
Configure the "Set the interval between synchronization retries for Password Synchronization" setting to organizational standards. CC ID 11185 | System hardening through configuration management | Preventive | |
Configure the "Set the number of synchronization retries for servers running Password Synchronization" setting to organizational standards. CC ID 11187 | System hardening through configuration management | Preventive | |
Configure the "Turn off password security in Input Panel" setting to organizational standards. CC ID 11296 | System hardening through configuration management | Preventive | |
Configure the "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" setting to organizational standards. CC ID 11355 | System hardening through configuration management | Preventive | |
Encrypt electronic commerce transactions and messages. CC ID 08621 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Preventive | |
Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Preventive | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Preventive | |
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include valuation models in the margin system. CC ID 16663 | Leadership and high level objectives | Preventive | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Leadership and high level objectives | Preventive | |
Include reliable sources for price data in the margin system. CC ID 16661 | Leadership and high level objectives | Preventive | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Preventive | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Preventive | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Preventive | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Preventive | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Preventive | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Preventive | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Preventive | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Preventive | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Preventive | |
Include account information In the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Preventive | |
Enforce access restrictions for restricted data. CC ID 01921 [A major provider of information and communications services may, if it is foreseen that a serious problem is likely to occur in the information system of a user who uses the services, the information and communications network, or similar provided by it because of an occurrence of a serious intrusion on its information and communications network, request the user to take necessary protective measures as stipulated by the standard user agreement, and may place a temporary restriction on access to the relevant information and communications network if the user does not perform as requested. Article 47-4(2)] | Technical security | Preventive | |
Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Preventive | |
Protect data stored at external locations. CC ID 16333 | Technical security | Preventive | |
Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 | Technical security | Preventive | |
Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 | Technical security | Preventive | |
Constrain the information flow of restricted data or restricted information. CC ID 06763 [The Government may have providers or users of information and communications services to take necessary measures to prevent outflow " class="term_primary-noun">abroad of any important | Technical security | Preventive | |
Quarantine data that fails security tests. CC ID 16500 | Technical security | Corrective | |
Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 | Technical security | Preventive | |
Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 | Technical security | Preventive | |
Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 | Technical security | Preventive | |
Implement the documented cryptographic module security functions. CC ID 06755 | Technical security | Preventive | |
Establish, implement, and maintain digital signatures. CC ID 13828 | Technical security | Preventive | |
Include the expiration date in digital signatures. CC ID 13833 | Technical security | Preventive | |
Include audience restrictions in digital signatures. CC ID 13834 | Technical security | Preventive | |
Include the subject in digital signatures. CC ID 13832 | Technical security | Preventive | |
Include the issuer in digital signatures. CC ID 13831 | Technical security | Preventive | |
Include identifiers in the digital signature. CC ID 13829 | Technical security | Preventive | |
Encrypt in scope data or in scope information, as necessary. CC ID 04824 | Technical security | Preventive | |
Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Preventive | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Preventive | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Preventive | |
Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Technical security | Preventive | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Preventive | |
Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Technical security | Preventive | |
Generate strong cryptographic keys. CC ID 01299 | Technical security | Preventive | |
Use approved random number generators for creating cryptographic keys. CC ID 06574 | Technical security | Preventive | |
Disseminate and communicate cryptographic keys securely. CC ID 01300 | Technical security | Preventive | |
Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Technical security | Preventive | |
Store cryptographic keys securely. CC ID 01298 | Technical security | Preventive | |
Restrict access to cryptographic keys. CC ID 01297 | Technical security | Preventive | |
Store cryptographic keys in encrypted format. CC ID 06084 | Technical security | Preventive | |
Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Technical security | Preventive | |
Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Technical security | Preventive | |
Control cryptographic keys with split knowledge and dual control. CC ID 01304 | Technical security | Preventive | |
Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Technical security | Preventive | |
Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Technical security | Corrective | |
Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Technical security | Corrective | |
Archive outdated cryptographic keys. CC ID 06884 | Technical security | Preventive | |
Archive revoked cryptographic keys. CC ID 11819 | Technical security | Preventive | |
Manage the digital signature cryptographic key pair. CC ID 06576 | Technical security | Preventive | |
Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 | Human Resources management | Corrective | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Preventive | |
Share incident information with interested personnel and affected parties. CC ID 01212 [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)] | Operational management | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Article 27-3(1)(5) {relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1) {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Measures available for users to take; Article 27-3(1)(3) {relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2) {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Each item of the personal information leaked; Article 27-3(1)(1) {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Countermeasures to be taken by a provider of information and communications services or similar; Article 27-3(1)(4) {relevant authority} A person falling under any of the following subparagraphs shall, where he or she discovers an intrusion, immediately report it to the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency. In such cases, a notice given in accordance with Article 13 (1) of the Act on the Protection of Information and Communications Infrastructure shall be deemed a report under the foregoing sentence: Article 48-3(1) {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Point of time the personal information is leaked; Article 27-3(1)(2)] | Operational management | Corrective | |
Ensure the root account is the first entry in password files. CC ID 16323 | System hardening through configuration management | Detective | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Records management | Preventive | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Preventive | |
Include required information in electronic commerce transactions and messages. CC ID 15318 | Acquisition or sale of facilities, technology, and services | Preventive | |
Make electronic commerce order information available to the customer who ordered the product. CC ID 04585 [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Date and time telecommunications billing services are used; Article 58(1)(1) When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Amount purchased/used through telecommunications billing services and details thereof; Article 58(1)(3) A provider of telecommunications billing services shall provide users of telecommunications billing services with a method by which users can verify the details of purchase and use, and shall also furnish a user, upon request, with a written statement on the details of purchase and use (including an electronic document; hereinafter the same shall apply) within two weeks from the date requested. Article 58(2)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Preventive | |
Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 | Privacy protection for information and data | Preventive | |
Deliver notices to the intended parties. CC ID 06240 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Privacy protection for information and data | Preventive | |
Provide legal authorities access to personal data, upon request. CC ID 06818 | Privacy protection for information and data | Preventive | |
Document the countries where restricted data may be stored. CC ID 12750 | Privacy protection for information and data | Preventive | |
Protect the rights of students and their parents or legal representatives. CC ID 00222 | Privacy protection for information and data | Preventive | |
Disclose educational data, as necessary. CC ID 00223 | Privacy protection for information and data | Preventive | |
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Privacy protection for information and data | Preventive | |
Disclose education records when written consent is received. CC ID 00224 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent to other school officials. CC ID 00226 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent to a crime victim. CC ID 00236 | Privacy protection for information and data | Preventive | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 | Privacy protection for information and data | Preventive | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Article 24-2(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Article 25(1) Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: Items of the personal information transferred; Article 63(3)(1)] | Privacy protection for information and data | Preventive | |
Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 | Privacy protection for information and data | Preventive | |
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The methods and procedures available for revocation of consent, where a user does not want his or her personal information transferred to a third party. Article 26(1)(3) Every user may, at any time, revoke his or her consent given to a provider of information and communications services or similar to allow the provider to collect, use, or furnish his or her personal information. Article 30(1) Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the user has given a consent to he provider of information and communications services or similar to collect, use, or furnish his or her personal information. Article 30(2)(3) {not necessary}{do not consent}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Fact that users may give no consent to the permission on access authority. Article 22-2(1)(2)(c)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Privacy protection for information and data | Preventive | |
Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 | Privacy protection for information and data | Preventive | |
Refrain from obtaining consent through deception. CC ID 13556 | Privacy protection for information and data | Preventive | |
Give individuals the ability to change the uses of their personal data. CC ID 00469 [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)] | Privacy protection for information and data | Preventive | |
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [Where an addressee gives prior consent under paragraph (1) or expresses his or her intention to refuse to receive or revoke his or her consent to receive advertising information under paragraph (2), a person who intends to transmit advertising information for profit by using an electronic transmission medium shall inform the relevant addressee of the outcomes of measures taken in relation to consent to receive, refusal to receive, or revocation of consent to receive advertising information, as prescribed by Presidential Decree. Article 50(7)] | Privacy protection for information and data | Preventive | |
Cooperate with Data Protection Authorities. CC ID 06870 | Privacy protection for information and data | Preventive | |
Display or print the least amount of personal data necessary. CC ID 04643 | Privacy protection for information and data | Preventive | |
Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Preventive | |
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Preventive | |
Dispose of media and restricted data in a timely manner. CC ID 00125 [{refrain from destroying} A provider of information and communications services or similar shall, if any of the followings occurs, destroy the relevant personal information without delay so that such personal information cannot be recovered or reproduced: Provided, That the same shall not apply where it is required to preserve the personal information in accordance with any other Act: Article 29(1)] | Privacy protection for information and data | Preventive | |
Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Preventive | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2) Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(1)(a) Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Ground that access authority is necessary. Article 22-2(1)(1)(b) {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(2)(a) {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Ground that access authority is necessary; Article 22-2(1)(2)(b) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The purposes of use of the person to whom the personal information is to be transferred, and the period of time for possession and use of the personal information. Article 63(3)(4) A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1)] | Privacy protection for information and data | Preventive | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Preventive | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Preventive | |
Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Preventive | |
Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Preventive | |
Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Preventive | |
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Preventive | |
Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Preventive | |
Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Preventive | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Preventive | |
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Preventive | |
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Preventive | |
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Preventive | |
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Preventive | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 | Privacy protection for information and data | Preventive | |
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Privacy protection for information and data | Preventive | |
Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Preventive | |
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Privacy protection for information and data | Preventive | |
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Privacy protection for information and data | Preventive | |
Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Preventive | |
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 | Privacy protection for information and data | Preventive | |
Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Preventive | |
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Privacy protection for information and data | Preventive | |
Process personal data when it is publicly accessible. CC ID 00187 | Privacy protection for information and data | Preventive | |
Process personal data for direct marketing and other personalized mail programs. CC ID 00188 [{refrain from obtaining}If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Where a telemarketer under the Act on Door-to-Door Sales, Etc. informs prospective customers of the collection source of their personal information by voice, and solicits them to buy products or services by means of telephone call. Article 50(1)(2)] | Privacy protection for information and data | Preventive | |
Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Preventive | |
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Privacy protection for information and data | Preventive | |
Process personal data for debt collection or benefit payments. CC ID 00190 | Privacy protection for information and data | Preventive | |
Process personal data in order to advance the public interest. CC ID 00191 | Privacy protection for information and data | Preventive | |
Process personal data for surveys, archives, or scientific research. CC ID 00192 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Preventive | |
Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Preventive | |
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Preventive | |
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Preventive | |
Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Preventive | |
Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If it is necessary in paying charges on the information and communication services rendered; Article 22(2)(2)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Privacy protection for information and data | Preventive | |
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If the personal information is necessary in fulfilling the contract for provision of information and communications services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason; Article 22(2)(1)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Privacy protection for information and data | Preventive | |
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Privacy protection for information and data | Preventive | |
Process personal data absent consent in order to perform a contract. CC ID 13586 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Privacy protection for information and data | Preventive | |
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Privacy protection for information and data | Preventive | |
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is needed by law. CC ID 13577 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If a specific provision exists in this Act or any other Act otherwise. Article 22(2)(3) A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)] | Privacy protection for information and data | Preventive | |
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is from publicly available information. CC ID 13576 | Privacy protection for information and data | Preventive | |
Process personal data absent consent to create a credit report. CC ID 15288 | Privacy protection for information and data | Preventive | |
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 | Privacy protection for information and data | Preventive | |
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when produced for business purposes. CC ID 13563 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for handling insurance claims. CC ID 13561 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Privacy protection for information and data | Preventive | |
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Privacy protection for information and data | Preventive | |
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 | Privacy protection for information and data | Preventive | |
Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 | Privacy protection for information and data | Detective | |
Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when the law does not require consent. CC ID 00136 | Privacy protection for information and data | Preventive | |
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 | Privacy protection for information and data | Preventive | |
Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent to create a credit report. CC ID 15297 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent in order to perform a contract. CC ID 00139 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 | Privacy protection for information and data | Preventive | |
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Privacy protection for information and data | Preventive | |
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 | Privacy protection for information and data | Preventive | |
Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent for public economic interests. CC ID 00148 | Privacy protection for information and data | Preventive | |
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 | Privacy protection for information and data | Preventive | |
Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when it is needed by law. CC ID 00163 | Privacy protection for information and data | Preventive | |
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 | Privacy protection for information and data | Preventive | |
Limit the redisclosure and reuse of restricted data. CC ID 00168 | Privacy protection for information and data | Preventive | |
Refrain from redisclosing or reusing restricted data. CC ID 00169 [A person who manages or has ever manages personal information of users shall not damage, intrude on, or disclosed personal information that he or she learned in the course of performing his or her duty. Article 28-2(1)] | Privacy protection for information and data | Preventive | |
Redisclose restricted data when the data subject consents. CC ID 00171 | Privacy protection for information and data | Preventive | |
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Privacy protection for information and data | Preventive | |
Redisclose restricted data in order to protect public revenue. CC ID 00173 | Privacy protection for information and data | Preventive | |
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Privacy protection for information and data | Preventive | |
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Privacy protection for information and data | Preventive | |
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Privacy protection for information and data | Preventive | |
Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Privacy protection for information and data | Preventive | |
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(1)(a) Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Ground that access authority is necessary. Article 22-2(1)(1)(b) {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(2)(a) {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Ground that access authority is necessary; Article 22-2(1)(2)(b) {stipulated timeframe} Notwithstanding paragraph (1), a person who intends to transmit advertising information for profit by using an electronic transmission medium during the time between 9:00 pm and 8:00 am of the following day shall obtain express prior consent from the addressee of such information: Provided, That in cases of media prescribed by Presidential Decree, the forgoing shall not apply thereto. Article 50(3)] | Privacy protection for information and data | Preventive | |
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 [A provider of information and communications services or similar shall, if he or she desires to obtain consent of a child of less than 14 years on collection, use, furnishing, and other disposition of personal information, obtain consent from his or her legal representative. In such cases, the provider of information and communications services may demand the child to furnish minimum information, such as the legal representative's name, necessary to obtain consent from the legal representative. Article 31(1)] | Privacy protection for information and data | Preventive | |
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Preventive | |
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Preventive | |
Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Preventive | |
Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Preventive | |
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Preventive | |
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Preventive | |
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Preventive | |
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Preventive | |
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Preventive | |
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Preventive | |
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Preventive | |
Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 | Privacy protection for information and data | Preventive | |
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Preventive | |
Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Preventive | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Preventive | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Preventive | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Preventive | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Preventive | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Preventive | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Preventive | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Preventive | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Detective | |
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Preventive | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Preventive | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Preventive | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [A provider of information and communications services shall inform interested persons, such as users to whom such services are provided, of the fact that he or she has taken rm_primary-noun">measures for imary-noun">refusal under paragraph (1) or (4): Provided, That where it is impracticable to inform them of the fact in advance, he or she shall inform them of the fact immediately after it has taken measures for refusal. A provider of information and communications services shall inform interested persons, such as users to whom such services are provided, of the fact that he or she has taken measures for refusal under paragraph (1) or (4): Provided, That where it is impracticable to inform them of the fact in advance, he or she shall inform them of the fact immediately after it has taken measures for refusal. Article 50-4(3)] | Privacy protection for information and data | Preventive | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Preventive | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Privacy protection for information and data | Preventive | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Preventive | |
Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Preventive | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Preventive | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Preventive | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Preventive | |
Provide data at a cost that is not excessive. CC ID 00430 | Privacy protection for information and data | Preventive | |
Provide records or data in a reasonable manner. CC ID 00431 | Privacy protection for information and data | Preventive | |
Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Preventive | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Preventive | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Preventive | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Preventive | |
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Privacy protection for information and data | Preventive | |
Refrain from collecting personal data, as necessary. CC ID 15269 [{refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1) {refrain from collecting}{refrain from using} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Article 23-2(1)] | Privacy protection for information and data | Preventive | |
Use personal data for specified purposes. CC ID 11831 | Privacy protection for information and data | Preventive | |
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Article 22(1) {refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1)] | Privacy protection for information and data | Preventive | |
Provide explicit consent that is clear and unambiguous. CC ID 00181 | Privacy protection for information and data | Preventive | |
Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Privacy protection for information and data | Preventive | |
Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Privacy protection for information and data | Preventive | |
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Privacy protection for information and data | Preventive | |
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Privacy protection for information and data | Preventive | |
Include an individual's name in the personal data definition. CC ID 04710 | Privacy protection for information and data | Preventive | |
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Privacy protection for information and data | Preventive | |
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Privacy protection for information and data | Preventive | |
Include an individual's signature in the personal data definition. CC ID 04711 | Privacy protection for information and data | Preventive | |
Include an individual's date of birth in the personal data definition. CC ID 04770 | Privacy protection for information and data | Preventive | |
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Privacy protection for information and data | Preventive | |
Include an individual's biometric data in the personal data definition. CC ID 04698 | Privacy protection for information and data | Preventive | |
Include an individual's photographic image in the personal data definition. CC ID 04779 | Privacy protection for information and data | Preventive | |
Include an individual's fingerprints in the personal data definition. CC ID 04689 | Privacy protection for information and data | Preventive | |
Include an individual's address in the personal data definition. CC ID 04687 | Privacy protection for information and data | Preventive | |
Include an individual's telephone number in the personal data definition. CC ID 04688 | Privacy protection for information and data | Preventive | |
Include an individual's fax number in the personal data definition. CC ID 07120 | Privacy protection for information and data | Preventive | |
Include an individual's financial account number in the personal data definition. CC ID 04692 | Privacy protection for information and data | Preventive | |
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Privacy protection for information and data | Preventive | |
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Privacy protection for information and data | Preventive | |
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Privacy protection for information and data | Preventive | |
Include an individual's passport number in the personal data definition. CC ID 04713 | Privacy protection for information and data | Preventive | |
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Privacy protection for information and data | Preventive | |
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Privacy protection for information and data | Preventive | |
Include an individual's e-mail address in the personal data definition. CC ID 04696 | Privacy protection for information and data | Preventive | |
Include electronic signatures in the personal data definition. CC ID 04697 | Privacy protection for information and data | Preventive | |
Include an individual's payment card information in the personal data definition. CC ID 04751 | Privacy protection for information and data | Preventive | |
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Privacy protection for information and data | Preventive | |
Include an individual's payment card service code in the personal data definition. CC ID 04753 | Privacy protection for information and data | Preventive | |
Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Privacy protection for information and data | Preventive | |
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Privacy protection for information and data | Preventive | |
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Privacy protection for information and data | Preventive | |
Include an individual's medical history in the personal data definition. CC ID 04701 | Privacy protection for information and data | Preventive | |
Include an individual's medical treatment in the personal data definition. CC ID 04702 | Privacy protection for information and data | Preventive | |
Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Privacy protection for information and data | Preventive | |
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Privacy protection for information and data | Preventive | |
Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Privacy protection for information and data | Preventive | |
Include an individual's health insurance information in the personal data definition. CC ID 04705 | Privacy protection for information and data | Preventive | |
Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Privacy protection for information and data | Preventive | |
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Privacy protection for information and data | Preventive | |
Include an individual's education information in the personal data definition. CC ID 04714 | Privacy protection for information and data | Preventive | |
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Privacy protection for information and data | Preventive | |
Include an individual's employment information in the personal data definition. CC ID 04715 | Privacy protection for information and data | Preventive | |
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Privacy protection for information and data | Preventive | |
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Privacy protection for information and data | Preventive | |
Include an individual's employment history in the personal data definition. CC ID 04716 | Privacy protection for information and data | Preventive | |
Include an individual's place of employment in the personal data definition. CC ID 04765 | Privacy protection for information and data | Preventive | |
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Privacy protection for information and data | Preventive | |
Include an individual's property information in the personal data definition. CC ID 04780 | Privacy protection for information and data | Preventive | |
Include an individual's property title in the personal data definition. CC ID 04781 | Privacy protection for information and data | Preventive | |
Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Privacy protection for information and data | Preventive | |
Include hardware asset identification information in the personal data definition. CC ID 07123 | Privacy protection for information and data | Preventive | |
Include MAC addresses in the personal data definition. CC ID 04778 | Privacy protection for information and data | Preventive | |
Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Privacy protection for information and data | Preventive | |
Include asset serial numbers in the personal data definition. CC ID 07124 | Privacy protection for information and data | Preventive | |
Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Privacy protection for information and data | Preventive | |
Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Preventive | |
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Preventive | |
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Privacy protection for information and data | Preventive | |
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Privacy protection for information and data | Preventive | |
Implement a nondiscrimination principle. CC ID 00081 | Privacy protection for information and data | Preventive | |
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Privacy protection for information and data | Preventive | |
Preserve each individual's right to human dignity. CC ID 00082 | Privacy protection for information and data | Preventive | |
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Privacy protection for information and data | Preventive | |
Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Privacy protection for information and data | Preventive | |
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Privacy protection for information and data | Preventive | |
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Privacy protection for information and data | Preventive | |
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Privacy protection for information and data | Preventive | |
Manage health data collection. CC ID 00050 | Privacy protection for information and data | Preventive | |
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Privacy protection for information and data | Preventive | |
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Privacy protection for information and data | Preventive | |
Collect Individually Identifiable Health Information for research. CC ID 00054 | Privacy protection for information and data | Preventive | |
Remove personal data before disclosing health data. CC ID 00055 | Privacy protection for information and data | Preventive | |
Give special attention to collecting children's data. CC ID 00038 | Privacy protection for information and data | Preventive | |
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 [A provider of information and communications services or similar shall, if he or she desires to obtain consent of a child of less than 14 years on collection, use, furnishing, and other disposition of personal information, obtain consent from his or her legal representative. In such cases, the provider of information and communications services may demand the child to furnish minimum information, such as the legal representative's name, necessary to obtain consent from the legal representative. Article 31(1)] | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Preventive | |
Collect personal data directly from the data subject. CC ID 00011 | Privacy protection for information and data | Preventive | |
Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Privacy protection for information and data | Preventive | |
Provide unlinkability for users and resources. CC ID 04550 | Privacy protection for information and data | Preventive | |
Collect restricted data in a fair and lawful manner. CC ID 00010 [{refrain from collecting} No one shall collect another person's information through an information and communications network by an act of deceit, nor shall entice another person by an act of deceit to furnish information. Article 49-2(1) Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the provider is designated as the identification service agency pursuant to Article 23-3; Article 23-2(1)(1) {relevant authority}Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the Korea Communications Commission makes a public announcement for the provider of information and communications services who inevitably collects/uses users' resident registration numbers for his or her business purposes. Article 23-2(1)(3)] | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If the personal information is necessary in fulfilling the contract for provision of information and communications services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason; Article 22(2)(1)] | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent for handling insurance claims. CC ID 13543 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Privacy protection for information and data | Preventive | |
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If it is necessary in paying charges on the information and communication services rendered; Article 22(2)(2)] | Privacy protection for information and data | Preventive | |
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent from publicly available information. CC ID 00019 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent when needed by law. CC ID 00020 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If a specific provision exists in this Act or any other Act otherwise. Article 22(2)(3) {refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1)] | Privacy protection for information and data | Preventive | |
Collect personal data absent consent to create a credit report. CC ID 15287 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Privacy protection for information and data | Preventive | |
Collect the minimum amount of restricted data necessary. CC ID 00078 [{be necessary} Where a provider of information and communications services collects personal information of a user, he or she shall only collect personal information within the minimum scope necessary to provide information and communications services. Article 23(2)] | Privacy protection for information and data | Preventive | |
Collect restricted data in a proper information framework. CC ID 00009 | Privacy protection for information and data | Preventive | |
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Privacy protection for information and data | Preventive | |
Collect restricted data when required by law. CC ID 00031 [Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where collection/use of users' resident registration numbers is authorized by statutes; Article 23-2(1)(2)] | Privacy protection for information and data | Preventive | |
Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Privacy protection for information and data | Preventive | |
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Privacy protection for information and data | Preventive | |
Collect restricted data for legal purposes. CC ID 00036 | Privacy protection for information and data | Preventive | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Preventive | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Preventive | |
Limit data leakage. CC ID 00356 [{refrain from exposing} A provider, etc. of information and communications services shall ensure that users' personal information such as resident registration numbers, account numbers and credit cards information is not exposed to the public through information and communications networks. Article 32-3(1) The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Measures for preventing leakage of important information that providers of information and communications services have learned while managing the information. Article 51(3)(3) A provider of information and communications services, etc. shall prepare countermeasures against the leakages, etc. of personal information, and shall seek measures to minimize any damage thereof. Article 27-3(5)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Detective | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Detective | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Detective | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Detective | |
Include text about data ownership in the data handling policy. CC ID 15720 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 | Privacy protection for information and data | Preventive | |
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Preventive | |
Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Preventive | |
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Preventive | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Preventive | |
Obtain consent from an individual prior to transferring personal data. CC ID 06948 [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Article 24-2(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Article 25(1) {abroad}{refrain from obtaining} A provider, etc. of information and communications services shall obtain consent of the users in the case of intending to provide (including being inquired of), entrust management of, or deposit, such users' personal information, to overseas (hereafter referred to as "transfer" in this Article): Provided, That the said provider, etc. of information and communications services may not go through a procedure for consent to either entrustment of management, or deposit, of the relevant personal information where such transfer is necessary for implementing a contract on the provision of information and communications services and promoting the users' convenience, and such provider, etc. discloses all the matters referred to in each subparagraph of paragraph (3) pursuant to Article 27-2 (1) or informs such matters to the users in a manner prescribed by Presidential Decree, including by means of email. Article 63(2) {refrain from refusing} When the provider, etc. of information and communications services under Article 25 (1) is given the consent to furnishing user's information under paragraph (1) and to the entrustment of management of personal information under Article 25 (1), he or she shall obtain such consent apart from the consent to collection/use of personal information pursuant to Article 22, and shall not refuse to provide its service on the ground of a user's refusal of aforementioned consent. Article 24-2(3)] | Privacy protection for information and data | Preventive | |
Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 [A provider of information and communications services or similar shall, when it transfers personal information to abroad with consent under paragraph (2), take protective measures, as prescribed by Presidential Decree. Article 63(4)] | Privacy protection for information and data | Preventive | |
Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Privacy protection for information and data | Preventive | |
Prohibit the transfer of personal data when security is inadequate. CC ID 00345 | Privacy protection for information and data | Preventive | |
Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Privacy protection for information and data | Preventive | |
Refrain from transferring past the first transfer. CC ID 00347 | Privacy protection for information and data | Preventive | |
Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Privacy protection for information and data | Preventive | |
Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Privacy protection for information and data | Preventive | |
Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Privacy protection for information and data | Preventive | |
Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Privacy protection for information and data | Preventive | |
Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Privacy protection for information and data | Preventive | |
Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Privacy protection for information and data | Preventive | |
Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Privacy protection for information and data | Preventive | |
Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 [{abroad}{refrain from obtaining} A provider, etc. of information and communications services shall obtain consent of the users in the case of intending to provide (including being inquired of), entrust management of, or deposit, such users' personal information, to overseas (hereafter referred to as "transfer" in this Article): Provided, That the said provider, etc. of information and communications services may not go through a procedure for consent to either entrustment of management, or deposit, of the relevant personal information where such transfer is necessary for implementing a contract on the provision of information and communications services and promoting the users' convenience, and such provider, etc. discloses all the matters referred to in each subparagraph of paragraph (3) pursuant to Article 27-2 (1) or informs such matters to the users in a manner prescribed by Presidential Decree, including by means of email. Article 63(2)] | Privacy protection for information and data | Preventive | |
Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Privacy protection for information and data | Preventive | |
Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Privacy protection for information and data | Preventive | |
Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Privacy protection for information and data | Preventive | |
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Privacy protection for information and data | Preventive | |
Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 | Privacy protection for information and data | Preventive | |
Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Privacy protection for information and data | Preventive | |
Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Privacy protection for information and data | Preventive | |
Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Privacy protection for information and data | Preventive | |
Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Privacy protection for information and data | Preventive | |
Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Privacy protection for information and data | Preventive | |
Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Privacy protection for information and data | Preventive | |
Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Privacy protection for information and data | Preventive | |
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Privacy protection for information and data | Preventive | |
Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 | Privacy protection for information and data | Preventive | |
Obtain consent prior to downloading software to an individual's computer. CC ID 06951 [A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1] | Privacy protection for information and data | Preventive | |
Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 | Privacy protection for information and data | Preventive | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 [The operator or the manager of the Internet website may take measures, such as deletion of advertising information for profit posted, in violation of paragraph (1) or (2). Article 50-7(3) A provider of information and communications services may, if it finds that information circulated through the information and communications network operated and managed by him or her intrudes on someone's privacy, defames someone, or violates someone's rights, take temporary measures at its discretion. Article 44-3(1)] | Privacy protection for information and data | Preventive | |
Implement procedures to file privacy rights violation complaints. CC ID 00476 [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)] | Privacy protection for information and data | Corrective | |
Change or destroy any personal data that is incorrect. CC ID 00462 [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)] | Privacy protection for information and data | Corrective | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Preventive | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Corrective | |
Notify individuals of their right to challenge personal data. CC ID 00457 [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Methods of raising an objection and contact information. Article 58(1)(4)] | Privacy protection for information and data | Preventive | |
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Privacy protection for information and data | Preventive | |
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Privacy protection for information and data | Preventive | |
Investigate the disputed accuracy of personal data. CC ID 00461 | Privacy protection for information and data | Preventive | |
Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 | Privacy protection for information and data | Corrective | |
Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 | Privacy protection for information and data | Corrective | |
Give customers the opportunity to object to receiving commercial electronic messages. CC ID 00304 [A person who transmits advertising information for profit by using an electronic transmission medium shall specify the following matters in advertising information, as prescribed by Presidential Decree: Matters concerning measures and methods by which an addressee can easily express his or her intention to refuse to receive information or to revoke his or her consent to receive information. Article 50(4)(2)] | Privacy protection for information and data | Preventive | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Detective | |
Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Preventive | |
Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Technical security | Preventive | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Preventive | |
Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Technical security | Preventive | |
Employ security guards to provide physical security, as necessary. CC ID 06653 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Preventive | |
Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 [{relevant authority} A provider of information and communications services may designate a chief information protection officer at a level of an executive officer for security of information and communications system, etc. and for safe administration of information: Provided, That in cases of any provider of information and communications services whose number of employees, number of users, etc. meet standards prescribed by Presidential Decree, he or she shall report its designation of the chief information protection officer to the Minister of Science, ICT and Future Planning. Article 45-3(1) A provider of information and communications services may establish and operate an association of chief information protection officers comprised of chief information protection officers prescribed in paragraph (1) in order to jointly perform prevention/response in cases of intrusion, sharing necessary information and other joint programs prescribed by Presidential Decree. Article 45-3(4)] | Human Resources management | Preventive | |
Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 [A provider of information and communications services whose the average number of users per day, sales, and other related factors fall under the criteria prescribed by Presidential Decree shall designate a person responsible for protection of juvenile to keep juvenile from unwholesome information to juvenile in the information and communication network. Article 42-3(1) The person responsible for protection of juvenile shall be chosen from among executive officers of the relevant business operator or the persons in a position equivalent to the head of a department responsible for business affairs related to protection of juvenile. Article 42-3(2)] | Human Resources management | Preventive | |
Identify and define all critical roles. CC ID 00777 | Human Resources management | Preventive | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 [Every provider of information and communications services or similar shall designate a person responsible for protection of personal information so that he or she protects the personal information of users and process complaints from users in connection with the personal information: Provided, That a provider of information and communications services or similar may, if he or she falls under the criteria prescribed by Presidential Decree for the number of employees, number of users, and other related matters, omit such designation. Article 27(1) If a provider of information and communications services or similar does not designate a person responsible for protection of personal information under the proviso to paragraph (1), the business owner or representative of the provider or similar shall be the person responsible for protection of personal information. Article 27(2)] | Human Resources management | Preventive | |
Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Preventive | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Preventive | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Preventive | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Preventive | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 [Every provider of information and communications services shall take protective measures to secure the reliability of the information and security of the information and communications networks. Article 45(1)] | Records management | Preventive | |
Include roles and responsibilities in the registration notice. CC ID 16803 | Privacy protection for information and data | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive | |
Process restricted data lawfully and carefully. CC ID 00086 [Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the provider is designated as the identification service agency pursuant to Article 23-3; Article 23-2(1)(1) Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where collection/use of users' resident registration numbers is authorized by statutes; Article 23-2(1)(2) {relevant authority}Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the Korea Communications Commission makes a public announcement for the provider of information and communications services who inevitably collects/uses users' resident registration numbers for his or her business purposes. Article 23-2(1)(3)] | Privacy protection for information and data | Preventive | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Define the thresholds for reporting in the external reporting program. CC ID 15679 | Leadership and high level objectives | Preventive | |
Include information about the organizational culture in the external reporting program. CC ID 15610 | Leadership and high level objectives | Preventive | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Preventive | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Preventive | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: A business plan. Article 53(1)(4)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Leadership and high level objectives | Preventive | |
Include value distribution in the value generation model. CC ID 15603 | Leadership and high level objectives | Preventive | |
Include value retention in the value generation model. CC ID 15600 | Leadership and high level objectives | Preventive | |
Include value generation procedures in the value generation model. CC ID 15599 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Leadership and high level objectives | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Leadership and high level objectives | Preventive | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Preventive | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Leadership and high level objectives | Preventive | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Preventive | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Leadership and high level objectives | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Leadership and high level objectives | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Financial soundness; Article 53(1)(1)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Leadership and high level objectives | Preventive | |
Include communication protocols in the financial management program. CC ID 16763 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Leadership and high level objectives | Preventive | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Leadership and high level objectives | Preventive | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Leadership and high level objectives | Preventive | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Leadership and high level objectives | Preventive | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Leadership and high level objectives | Preventive | |
Identify and document the financial resources available for use. CC ID 16643 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Leadership and high level objectives | Preventive | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Leadership and high level objectives | Preventive | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Preventive | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Leadership and high level objectives | Preventive | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Leadership and high level objectives | Preventive | |
Include required information in the capital restoration plan. CC ID 16609 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain lending policies. CC ID 16608 | Leadership and high level objectives | Preventive | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Leadership and high level objectives | Preventive | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Leadership and high level objectives | Preventive | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Leadership and high level objectives | Preventive | |
Include pricing structures in the lending policy. CC ID 16724 | Leadership and high level objectives | Preventive | |
Include monitoring requirements in the lending policy. CC ID 16710 | Leadership and high level objectives | Preventive | |
Include loan origination procedures in the lending policy. CC ID 16709 | Leadership and high level objectives | Preventive | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Leadership and high level objectives | Preventive | |
Include loan requirements in the lending policy. CC ID 16706 | Leadership and high level objectives | Preventive | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Leadership and high level objectives | Preventive | |
Include terms and conditions in the lending policy. CC ID 16695 | Leadership and high level objectives | Preventive | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Leadership and high level objectives | Preventive | |
Include geographic areas in the lending policy. CC ID 16691 | Leadership and high level objectives | Preventive | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Leadership and high level objectives | Preventive | |
Include credit review in the underwriting guidelines. CC ID 16765 | Leadership and high level objectives | Preventive | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Leadership and high level objectives | Preventive | |
Include documentation requirements in the lending policy. CC ID 16617 | Leadership and high level objectives | Preventive | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Leadership and high level objectives | Preventive | |
Include the source of repayment in the loan documentation. CC ID 16746 | Leadership and high level objectives | Preventive | |
Include approval requirements in the lending policy. CC ID 16615 | Leadership and high level objectives | Preventive | |
Include reporting requirements in the lending policy. CC ID 16614 | Leadership and high level objectives | Preventive | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Leadership and high level objectives | Preventive | |
Include loan administration procedures in the lending policy. CC ID 16610 | Leadership and high level objectives | Preventive | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Leadership and high level objectives | Preventive | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Leadership and high level objectives | Preventive | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Leadership and high level objectives | Preventive | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Leadership and high level objectives | Preventive | |
Include claims processing in the loan administration procedures. CC ID 16742 | Leadership and high level objectives | Preventive | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Leadership and high level objectives | Preventive | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Leadership and high level objectives | Preventive | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Leadership and high level objectives | Preventive | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Leadership and high level objectives | Preventive | |
Include loan closing in the loan administration procedures. CC ID 16734 | Leadership and high level objectives | Preventive | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Leadership and high level objectives | Preventive | |
Include payment processing in the loan administration procedures. CC ID 16732 | Leadership and high level objectives | Preventive | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Leadership and high level objectives | Preventive | |
Include collections in the loan administration procedures. CC ID 16701 | Leadership and high level objectives | Preventive | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Leadership and high level objectives | Preventive | |
Include disbursements in the loan administration procedures. CC ID 16697 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Leadership and high level objectives | Preventive | |
Include compliance requirements in the dividend policy. CC ID 16570 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Leadership and high level objectives | Preventive | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Leadership and high level objectives | Preventive | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Leadership and high level objectives | Preventive | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Leadership and high level objectives | Preventive | |
Include the call date in the securities transaction notification. CC ID 16680 | Leadership and high level objectives | Preventive | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Leadership and high level objectives | Preventive | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Leadership and high level objectives | Preventive | |
Include the call price in the securities transaction notification. CC ID 16678 | Leadership and high level objectives | Preventive | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Leadership and high level objectives | Preventive | |
Include transactions in the securities transaction notification. CC ID 16676 | Leadership and high level objectives | Preventive | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Leadership and high level objectives | Preventive | |
Include yield information in the securities transaction notification. CC ID 16673 | Leadership and high level objectives | Preventive | |
Include redemption information in the securities transaction notification. CC ID 16672 | Leadership and high level objectives | Preventive | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Leadership and high level objectives | Preventive | |
Include the type of call in the securities transaction notification. CC ID 16668 | Leadership and high level objectives | Preventive | |
Include an account statement in the securities transaction notification. CC ID 16666 | Leadership and high level objectives | Preventive | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Leadership and high level objectives | Preventive | |
Include the execution price in the securities transaction notification. CC ID 16664 | Leadership and high level objectives | Preventive | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Leadership and high level objectives | Preventive | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Leadership and high level objectives | Preventive | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Leadership and high level objectives | Preventive | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Leadership and high level objectives | Preventive | |
Include confirmations in the securities transaction notification. CC ID 16623 | Leadership and high level objectives | Preventive | |
Include remunerations in the securities transaction notification. CC ID 16622 | Leadership and high level objectives | Preventive | |
Include requested information in the securities transaction notification. CC ID 16641 | Leadership and high level objectives | Preventive | |
Include the execution date in the securities transaction notification. CC ID 16620 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 | Leadership and high level objectives | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Preventive | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Preventive | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Leadership and high level objectives | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Preventive | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Preventive | |
Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 [A chief information protection officer shall be responsible for the following matters: Prevention of and response to an intrusion; Article 45-3(3)(3)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Monitoring and measurement | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Preventive | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Preventive | |
Include security controls in the system security plan. CC ID 14239 [Every business operator who operates and manages clustered information and communications facilities to render information and communications services on behalf of another person (hereinafter referred to as "business operator of clustered information and communications facilities") shall take protective measures as prescribed by Presidential Decree to operate the information and communications facilities stably. Article 46(1)] | Monitoring and measurement | Preventive | |
Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Preventive | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Preventive | |
Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Preventive | |
Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Preventive | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [Where a person responsible for protection of personal information becomes aware of a fact of violation of this Act or other relevant statute, he or she shall take measures for improvement immediately, and if necessary, report the measures for improvement to the business owner or representative of the provider, etc. of information and communications services: Provided, That the provisions concerning reporting of measures for improvement shall not apply where the business owner or representative is the person responsible for protection of personal information pursuant to paragraph (2). Article 27(4)] | Audits and risk management | Corrective | |
Review and approve the risk assessment findings. CC ID 06485 | Audits and risk management | Preventive | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Preventive | |
Establish, implement, and maintain digital identification procedures. CC ID 13714 [Any of the following persons shall, if he or she intends to install and operate a message board, take necessary measures, as prescribed by Presidential Decree (hereinafter referred to as "measures for identity verification"), including preparation of methods and procedures for verifying identity of users of the message board: Article 44-5(1) {refrain from using} Even where the collection/use of users' resident registration numbers is authorized pursuant to paragraph (1) 2 or 3, an identification method without using the users' resident registration numbers (hereinafter referred to as "alternative means") shall be provided. Article 23-2(2)] | Technical security | Preventive | |
Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Technical security | Preventive | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Preventive | |
Establish, implement, and maintain access control procedures. CC ID 11663 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Installation> and operation of an access control devicean>, such as a system for blocking intrusion to cut off illegal access to personal information; Article 28(1)(2)] | Technical security | Preventive | |
Document approving and granting access in the access control log. CC ID 06786 | Technical security | Preventive | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Preventive | |
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Preventive | |
Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Preventive | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Technical security | Preventive | |
Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 | Technical security | Preventive | |
Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 | Technical security | Preventive | |
Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 | Technical security | Preventive | |
Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Technical security | Preventive | |
Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 | Technical security | Preventive | |
Define the cryptographic boundaries. CC ID 06543 | Technical security | Preventive | |
Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 | Technical security | Preventive | |
Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 | Technical security | Preventive | |
Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 | Technical security | Preventive | |
Document the operation of the cryptographic module. CC ID 06546 | Technical security | Preventive | |
Generate and protect a secret random number for each digital signature. CC ID 06577 | Technical security | Preventive | |
Establish the security strength requirements for the digital signature process. CC ID 06578 | Technical security | Preventive | |
Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 | Technical security | Preventive | |
Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Technical security | Preventive | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 | Technical security | Preventive | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 | Technical security | Preventive | |
Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Technical security | Preventive | |
Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Technical security | Preventive | |
Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Technical security | Preventive | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Preventive | |
Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Technical security | Preventive | |
Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Technical security | Preventive | |
Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Technical security | Preventive | |
Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Technical security | Preventive | |
Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Technical security | Preventive | |
Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Technical security | Preventive | |
Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Technical security | Preventive | |
Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Technical security | Preventive | |
Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Technical security | Preventive | |
Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Technical security | Preventive | |
Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Technical security | Preventive | |
Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Technical security | Preventive | |
Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Technical security | Preventive | |
Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Technical security | Preventive | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 [{antivirus software}Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing intrusion of computer viruses, including installation and operation of vaccine software; Article 28(1)(5) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that mutilates, destroys, alters, or forges an information and communications system, data, a program, or similar or that interferes with the operation of such system, data, program, or similar without a justifiable ground; Article 44-7(1)(4)] | Technical security | Preventive | |
Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Technical security | Preventive | |
Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Technical security | Preventive | |
Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 | Technical security | Corrective | |
Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Human resources and physical facilities required for carrying on the business; Article 53(1)(3)] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Physical and environmental protection | Preventive | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Preventive | |
Define communication methods for reporting crimes. CC ID 06349 | Physical and environmental protection | Preventive | |
Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Preventive | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Preventive | |
Post and maintain security signage for all facilities. CC ID 02201 | Physical and environmental protection | Preventive | |
Identify and document physical access controls for all physical entry points. CC ID 01637 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical access procedures. CC ID 13629 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Physical and environmental protection | Preventive | |
Escort visitors within the facility, as necessary. CC ID 06417 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Physical and environmental protection | Preventive | |
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Physical and environmental protection | Preventive | |
Authorize physical access to sensitive areas based on job functions. CC ID 12462 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical identification procedures. CC ID 00713 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Preventive | |
Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Corrective | |
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Physical and environmental protection | Preventive | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Preventive | |
Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Preventive | |
Include an identity registration process in the identification issuance procedures. CC ID 11671 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a door security standard. CC ID 06686 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Physical and environmental protection | Preventive | |
Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a window security standard. CC ID 06689 | Physical and environmental protection | Preventive | |
Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Physical and environmental protection | Preventive | |
Establish, Implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Preventive | |
Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Physical and environmental protection | Preventive | |
Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Preventive | |
Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a physical access log. CC ID 12080 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical security threat reports. CC ID 02207 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a facility wall standard. CC ID 06692 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [A business operator of clustered information and communications facilities shall, once the event that caused suspension of services terminates, resume its services immediately. Article 46-2(3)] | Operational and Systems Continuity | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Preventive | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Detective | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Preventive | |
Include purchasing insurance in the continuity plan. CC ID 00762 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Human resources and physical facilities required for carrying on the business; Article 53(1)(3)] | Human Resources management | Preventive | |
Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Human Resources management | Preventive | |
Require all new hires to sign the Code of Conduct. CC ID 06665 | Human Resources management | Preventive | |
Require all new hires to sign Acceptable Use Policies. CC ID 06662 | Human Resources management | Preventive | |
Require new hires to sign nondisclosure agreements. CC ID 06668 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel security policy. CC ID 14025 | Human Resources management | Preventive | |
Include compliance requirements in the personnel security policy. CC ID 14154 | Human Resources management | Preventive | |
Include coordination amongst entities in the personnel security policy. CC ID 14114 | Human Resources management | Preventive | |
Include management commitment in the personnel security policy. CC ID 14113 | Human Resources management | Preventive | |
Include roles and responsibilities in the personnel security policy. CC ID 14112 | Human Resources management | Preventive | |
Include the scope in the personnel security policy. CC ID 14111 | Human Resources management | Preventive | |
Include the purpose in the personnel security policy. CC ID 14110 | Human Resources management | Preventive | |
Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 | Human Resources management | Preventive | |
Establish, implement, and maintain personnel security procedures. CC ID 14058 | Human Resources management | Preventive | |
Establish, implement, and maintain security clearance level criteria. CC ID 00780 | Human Resources management | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Detective | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Human Resources management | Preventive | |
Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 | Human Resources management | Preventive | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Preventive | |
Document all training in a training record. CC ID 01423 | Human Resources management | Detective | |
Review the current published guidance and awareness and training programs. CC ID 01245 | Human Resources management | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Preventive | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Preventive | |
Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Preventive | |
Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Preventive | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Preventive | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Preventive | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Preventive | |
Establish, implement, and maintain a Code of Conduct. CC ID 04897 [An organization of providers of information and communications services may establish and implement a code of conduct applicable to providers of information and communications services with an objective to protect users and render information and communications services in a safer and more reliable way. Article 44-4 ¶ 1] | Human Resources management | Preventive | |
Establish, implement, and maintain a code of conduct for financial recommendations. CC ID 16649 | Human Resources management | Preventive | |
Include anti-coercion requirements and anti-tying requirements in the Code of Conduct. CC ID 16720 | Human Resources management | Preventive | |
Include classifications of ethics violations in the Code of Conduct. CC ID 14769 | Human Resources management | Preventive | |
Include definitions of ethics violations in the Code of Conduct. CC ID 14768 | Human Resources management | Preventive | |
Include exercising due professional care in the Code of Conduct. CC ID 14210 | Human Resources management | Preventive | |
Include health and safety provisions in the Code of Conduct. CC ID 16206 | Human Resources management | Preventive | |
Include key policies in the Code of Conduct. CC ID 12890 | Human Resources management | Preventive | |
Include responsibilities to the public trust in the Code of Conduct. CC ID 14209 | Human Resources management | Preventive | |
Include the vision statement in the Code of Conduct. CC ID 12889 | Human Resources management | Preventive | |
Include the organization's mission in the Code of Conduct. CC ID 12875 | Human Resources management | Preventive | |
Include classifications of desired conduct in the Code of Conduct. CC ID 12851 | Human Resources management | Preventive | |
Include environmental responsibility criteria in the Code of Conduct. CC ID 16209 | Human Resources management | Preventive | |
Include social responsibility criteria in the Code of Conduct. CC ID 16210 | Human Resources management | Preventive | |
Include that Information Security responsibilities extend outside normal business hours and organizational facilities in the Terms and Conditions of employment. CC ID 04580 | Human Resources management | Preventive | |
Include labor rights criteria in the Code of Conduct. CC ID 16208 | Human Resources management | Preventive | |
Include the employee's legal responsibilities and rights in the Terms and Conditions of employment. CC ID 15701 | Human Resources management | Preventive | |
Include the legal intellectual property responsibilities in the Code of Conduct. CC ID 04898 | Human Resources management | Detective | |
Include definitions of desirable conduct in the Code of Conduct. CC ID 12846 | Human Resources management | Preventive | |
Include notification procedures for allegations of undesirable conduct in the Code of Conduct. CC ID 12855 | Human Resources management | Preventive | |
Include procedures to identify positive outcomes in the Code of Conduct. CC ID 12854 | Human Resources management | Preventive | |
Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment. CC ID 06664 | Human Resources management | Preventive | |
Require all personnel to re-sign the Code of Conduct, as necessary. CC ID 06666 | Human Resources management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Establishment and implementation of an internal control plan for managing personal information in a safe way; Article 28(1)(1)] | Operational management | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [A chief information protection officer shall be responsible for the following matters: Analysis/evaluation and improvement of the weakness of information protection; Article 45-3(3)(2) A chief information protection officer shall be responsible for the following matters: Preparation of preliminary measures for information protection and designing/realization, etc. of security measures; Article 45-3(3)(4) A chief information protection officer shall be responsible for the following matters: Other matters, such as taking necessary measures for protection of information pursuant to this Act or other relevant statutes. Article 45-3(3)(7) Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)] | Operational management | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)] | Operational management | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 [A chief information protection officer shall be responsible for the following matters: Establishment and administration/operation of an administrative system for information protection; Article 45-3(3)(1) Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)] | Operational management | Preventive | |
Include system development in the information security program. CC ID 12389 | Operational management | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Preventive | |
Include access control in the information security program. CC ID 12386 | Operational management | Preventive | |
Include operations management in the information security program. CC ID 12385 | Operational management | Preventive | |
Include communication management in the information security program. CC ID 12384 | Operational management | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Preventive | |
Include physical security in the information security program. CC ID 12382 | Operational management | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Preventive | |
Include asset management in the information security program. CC ID 12380 | Operational management | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Preventive | |
include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Preventive | |
Include risk management in the information security program. CC ID 12378 | Operational management | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Preventive | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)] | Operational management | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Corrective | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Preventive | |
Establish, implement, and maintain a service management program. CC ID 11388 [{relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2) {relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2)] | Operational management | Preventive | |
Include a service management plan in the service management program. CC ID 13902 | Operational management | Preventive | |
Include the information security policy in the service management program. CC ID 13925 | Operational management | Preventive | |
Include the change management policy in the service management program. CC ID 13923 | Operational management | Preventive | |
Include the service management objectives in the service management program. CC ID 11389 | Operational management | Preventive | |
Include the service requirements in the service management program. CC ID 11390 | Operational management | Preventive | |
Include known limitations in the service management program. CC ID 11391 | Operational management | Preventive | |
Include service management policies in the service management program. CC ID 11392 | Operational management | Preventive | |
Assign roles and responsibilities in the service management program. CC ID 11393 | Operational management | Preventive | |
Include all resources needed to achieve the objectives in the service management program. CC ID 11394 | Operational management | Preventive | |
Include supply chain management procedures in the service management program. CC ID 11395 | Operational management | Preventive | |
Include service management procedures in the service management program. CC ID 11396 | Operational management | Preventive | |
Include risk procedures in the service management program. CC ID 11397 | Operational management | Preventive | |
Include continuity plans in the Service Management program. CC ID 13919 | Operational management | Preventive | |
Include all technologies used to support service management in the service management program. CC ID 11398 | Operational management | Preventive | |
Include auditing and improving service management procedures in the service management program. CC ID 11399 | Operational management | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Preventive | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Preventive | |
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Detective | |
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Detective | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Corrective | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Preventive | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Preventive | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Preventive | |
Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Corrective | |
Include information required by law in incident response notifications. CC ID 00802 | Operational management | Detective | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Preventive | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Preventive | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Preventive | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Preventive | |
Use plain language to write incident response notifications. CC ID 12976 | Operational management | Preventive | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Preventive | |
Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 [{relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2) A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)] | Operational management | Preventive | |
Include time information in incident response notifications. CC ID 04745 | Operational management | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Preventive | |
Include the type of information that was lost in incident response notifications. CC ID 04735 [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Each item of the personal information leaked; Article 27-3(1)(1)] | Operational management | Preventive | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Preventive | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Preventive | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Preventive | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Preventive | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Preventive | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Preventive | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Preventive | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Preventive | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Preventive | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Detective | |
Include contact information in incident response notifications. CC ID 04739 [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Article 27-3(1)(5)] | Operational management | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Preventive | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Preventive | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 | Operational management | Preventive | |
Display customer security advice prominently. CC ID 13667 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive | |
Create an incident response report following an incident response. CC ID 12700 | Operational management | Preventive | |
Include information on all affected assets in the incident response report. CC ID 12718 [{relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2) {relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2)] | Operational management | Preventive | |
Include the duration of the incident in the incident response report. CC ID 12716 [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)] | Operational management | Preventive | |
Include the reasons the incident occurred in the incident response report. CC ID 12711 [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)] | Operational management | Preventive | |
Include when the incident occurred in the incident response report. CC ID 12709 [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2) {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Point of time the personal information is leaked; Article 27-3(1)(2)] | Operational management | Preventive | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Countermeasures to be taken by a provider of information and communications services or similar; Article 27-3(1)(4)] | Operational management | Preventive | |
Include a root cause analysis of the incident in the incident response report. CC ID 12701 [{relevant authority}{loss}{theft}{leakage}{personal information} A provider of information and communications services, etc. shall explain just cause under the main sentence of and proviso to paragraph (1) to the Korea Communications Commission. Article 27-3(3)] | Operational management | Preventive | |
Establish, implement, and maintain an incident response plan. CC ID 12056 [A chief information protection officer shall be responsible for the following matters: Prevention of and response to an intrusion; Article 45-3(3)(3)] | Operational management | Preventive | |
Include addressing external communications in the incident response plan. CC ID 13351 | Operational management | Preventive | |
Include addressing internal communications in the incident response plan. CC ID 13350 | Operational management | Preventive | |
Include change control procedures in the incident response plan. CC ID 15479 | Operational management | Preventive | |
Include addressing information sharing in the incident response plan. CC ID 13349 | Operational management | Preventive | |
Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Operational management | Preventive | |
Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Operational management | Preventive | |
Include the management support needed for incident response in the incident response plan. CC ID 14300 | Operational management | Preventive | |
Include root cause analysis in the incident response plan. CC ID 16423 | Operational management | Preventive | |
Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Operational management | Preventive | |
Include the resources needed for incident response in the incident response plan. CC ID 14292 | Operational management | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Preventive | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Operational management | Preventive | |
Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448 [The person responsible for protection of juvenile shall block and control unwholesome information for juvenile in the information and communications network, and shall perform business affairs for protection of juvenile, including establishment of a plan for protection of juvenile from unwholesome information for juvenile. Article 42-3(3) The person responsible for protection of juvenile shall block and control unwholesome information for juvenile in the information and communications network, and shall perform business affairs for protection of juvenile, including establishment of a plan for protection of juvenile from unwholesome information for juvenile. Article 42-3(3)] | Operational management | Preventive | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain an authenticator standard. CC ID 01702 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain an authenticator management system. CC ID 12031 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain authenticator procedures. CC ID 12002 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing fabrication and alteration of access records; Article 28(1)(3)] | System hardening through configuration management | Preventive | |
Configure the "minimum number of digits required for new passwords" setting to organizational standards. CC ID 08717 | System hardening through configuration management | Preventive | |
Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards. CC ID 08718 | System hardening through configuration management | Preventive | |
Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards. CC ID 08719 | System hardening through configuration management | Preventive | |
Configure the "minimum number of special characters required for new passwords" setting to organizational standards. CC ID 08720 | System hardening through configuration management | Preventive | |
Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards. CC ID 08722 | System hardening through configuration management | Preventive | |
Configure the "password reuse" setting to organizational standards. CC ID 08724 | System hardening through configuration management | Preventive | |
Configure the "shadow password for all accounts in /etc/passwd" setting to organizational standards. CC ID 08721 | System hardening through configuration management | Preventive | |
Configure the "password hashing algorithm" setting to organizational standards. CC ID 08723 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Records management | Detective | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Records management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Records management | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Preventive | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Records management | Preventive | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 [A person who provides information to the general public purposely to make it public through telecommunications services rendered by a telecommunications business operator (hereinafter referred to as "information provider") and who intends to provide any unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the Juvenile Protection Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act shall put a label indicating that the information is an unwholesome medium for juvenile by the labeling method specified by Presidential Decree. Article 42 ¶ 1] | Records management | Preventive | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Preventive | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Preventive | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Preventive | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Preventive | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Preventive | |
Establish, implement, and maintain a system design specification. CC ID 04557 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [{unauthorized manipulation}The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Systematic and technical measures for preventing unlawful destruction or manipulation of information; Article 51(3)(2)] | Privacy protection for information and data | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 | Privacy protection for information and data | Preventive | |
Establish and maintain privacy notices, as necessary. CC ID 13443 | Privacy protection for information and data | Preventive | |
Include the purpose of the privacy notice in the privacy notice. CC ID 13526 | Privacy protection for information and data | Preventive | |
Include the processing purpose in the privacy notice. CC ID 16543 | Privacy protection for information and data | Preventive | |
Include contact information in the privacy notice. CC ID 14432 [{be responsible}The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name and address of the person responsible for protection of personal information or the department responsible for business affairs related to the protection of personal information and processing related complaints and other contact information of such person or department. Article 27-2(2)(7)] | Privacy protection for information and data | Preventive | |
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 | Privacy protection for information and data | Preventive | |
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Privacy protection for information and data | Preventive | |
Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 | Privacy protection for information and data | Preventive | |
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 | Privacy protection for information and data | Preventive | |
Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 | Privacy protection for information and data | Preventive | |
Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 | Privacy protection for information and data | Preventive | |
Include the personal data collection categories in the privacy notice. CC ID 13457 | Privacy protection for information and data | Preventive | |
Include disclosure exceptions in the privacy notice. CC ID 13447 | Privacy protection for information and data | Preventive | |
Include the types of personal data disclosed in the privacy notice. CC ID 13446 | Privacy protection for information and data | Preventive | |
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Privacy protection for information and data | Preventive | |
Specify the time frame that notice will be given. CC ID 00385 | Privacy protection for information and data | Preventive | |
Include the information about the appeal process in the privacy notice. CC ID 15312 [{information}{violate}{right} Every provider of information and communications services shall clearly state the details, procedure, and other matters concerning necessary measures in its standardized agreement in advance. Article 44-2(5)] | Privacy protection for information and data | Preventive | |
Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 | Privacy protection for information and data | Preventive | |
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Privacy protection for information and data | Preventive | |
Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 | Privacy protection for information and data | Corrective | |
Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 | Privacy protection for information and data | Preventive | |
Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 | Privacy protection for information and data | Preventive | |
Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 | Privacy protection for information and data | Preventive | |
Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain opt-out notices. CC ID 13448 | Privacy protection for information and data | Preventive | |
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Privacy protection for information and data | Preventive | |
Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Privacy protection for information and data | Preventive | |
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Privacy protection for information and data | Preventive | |
Explain the right to opt out in the opt-out notice. CC ID 13462 | Privacy protection for information and data | Preventive | |
Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Privacy protection for information and data | Preventive | |
Provide the data subject with a notice of participation procedures. CC ID 06241 | Privacy protection for information and data | Preventive | |
Publish a description of processing activities in an official register. CC ID 00379 | Privacy protection for information and data | Preventive | |
Establish and maintain a records request manual. CC ID 00381 | Privacy protection for information and data | Preventive | |
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Privacy protection for information and data | Preventive | |
Define what is included in registration notices. CC ID 00386 | Privacy protection for information and data | Preventive | |
Include the verification method in the registration notice. CC ID 16798 | Privacy protection for information and data | Preventive | |
Include the statutory authority in the registration notice. CC ID 16799 | Privacy protection for information and data | Preventive | |
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Privacy protection for information and data | Preventive | |
Include a purpose specification description in the registration notice. CC ID 00388 | Privacy protection for information and data | Preventive | |
Include information about the dispute resolution body in the registration notice. CC ID 16800 | Privacy protection for information and data | Preventive | |
Include the data subject category being processed in the registration notice. CC ID 00389 | Privacy protection for information and data | Preventive | |
Include the time period for data processing in the registration notice. CC ID 00390 | Privacy protection for information and data | Preventive | |
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Privacy protection for information and data | Preventive | |
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Privacy protection for information and data | Preventive | |
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 | Privacy protection for information and data | Preventive | |
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Privacy protection for information and data | Preventive | |
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Privacy protection for information and data | Preventive | |
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Privacy protection for information and data | Preventive | |
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Privacy protection for information and data | Preventive | |
Specify the purpose of the disclosure in the written consent. CC ID 13001 | Privacy protection for information and data | Preventive | |
Specify which education records may be disclosed in the written consent. CC ID 13000 | Privacy protection for information and data | Preventive | |
Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Privacy protection for information and data | Preventive | |
Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Privacy protection for information and data | Preventive | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6)] | Privacy protection for information and data | Preventive | |
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Items of personal information that he or she intends to collect; Article 22(1)(2) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2) A provider of information and communications services or similar falling under the standards determined by Presidential Decree shall periodically notify the users of the details of using personal information of such users (including details of the provision under Article 24-2 and of the entrustment of management of personal information under Article 25) in accordance with Article 22 and the proviso to Article 23 (1): Provided, That this shall not apply in cases where the provider of information and communications services or similar does not collect any contact information or other personal information that can be notified to users. Article 30-2(1) Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)] | Privacy protection for information and data | Preventive | |
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Privacy protection for information and data | Preventive | |
Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Preventive | |
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Privacy protection for information and data | Preventive | |
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Privacy protection for information and data | Preventive | |
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1)] | Privacy protection for information and data | Preventive | |
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Privacy protection for information and data | Preventive | |
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Privacy protection for information and data | Preventive | |
Include the disclosure date in the disclosure accounting record. CC ID 07133 | Privacy protection for information and data | Preventive | |
Include the disclosure recipient in the disclosure accounting record. CC ID 07134 [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The name (referring to the name of a legal corporation, if the person is a legal corporation; hereafter the same shall apply in this Article), address, and telephone number of a person to whom the personal information is to be transferred (hereinafter referred to as a "transferee of business or similar"), and other contact information of the person; Article 26(1)(2) If any personal information is transferred to a transferee of business, etc., he or she shall immediately notify the users of such fact and his or her name, domicile, telephone number and other contact details according to methods prescribed by Presidential Decree, such as the posting of such information on the Internet homepage or email. Article 26(2) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The name of the person to whom the personal information is to be transferred (referring to the name of a legal entity and the contact information of the person responsible for management of information, if the person is a legal entity); Article 63(3)(3)] | Privacy protection for information and data | Preventive | |
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Privacy protection for information and data | Preventive | |
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Privacy protection for information and data | Preventive | |
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Privacy protection for information and data | Preventive | |
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Privacy protection for information and data | Preventive | |
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Privacy protection for information and data | Preventive | |
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Privacy protection for information and data | Preventive | |
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Privacy protection for information and data | Preventive | |
Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 | Privacy protection for information and data | Preventive | |
Make telephone directory information available to the public. CC ID 08698 | Privacy protection for information and data | Preventive | |
Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a privacy policy. CC ID 06281 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, establish and disclose its policy on managing personal information to the public in a manner specified by Presidential Decree so that users become aware of the policy easily at any time. Article 27-2(1)] | Privacy protection for information and data | Preventive | |
Include the data subject's rights in the privacy policy. CC ID 16355 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Privacy protection for information and data | Preventive | |
Document privacy policies in clearly written and easily understood language. CC ID 00376 | Privacy protection for information and data | Detective | |
Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Privacy protection for information and data | Preventive | |
Write privacy notices in the official languages required by law. CC ID 16529 | Privacy protection for information and data | Preventive | |
Define what is included in the privacy policy. CC ID 00404 | Privacy protection for information and data | Preventive | |
Define the information being collected in the privacy policy. CC ID 13115 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)] | Privacy protection for information and data | Preventive | |
Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Privacy protection for information and data | Preventive | |
Include the means by which information is collected in the privacy policy. CC ID 13114 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)] | Privacy protection for information and data | Preventive | |
Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 | Privacy protection for information and data | Corrective | |
Include roles and responsibilities in the privacy policy. CC ID 14669 | Privacy protection for information and data | Preventive | |
Include management commitment in the privacy policy. CC ID 14668 | Privacy protection for information and data | Preventive | |
Include coordination amongst entities in the privacy policy. CC ID 14667 | Privacy protection for information and data | Preventive | |
Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Privacy protection for information and data | Preventive | |
Include compliance requirements in the privacy policy. CC ID 14666 | Privacy protection for information and data | Preventive | |
Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Privacy protection for information and data | Preventive | |
Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 | Privacy protection for information and data | Corrective | |
Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 | Privacy protection for information and data | Preventive | |
Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 | Privacy protection for information and data | Preventive | |
Include a complaint form in the privacy policy. CC ID 12364 | Privacy protection for information and data | Preventive | |
Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Privacy protection for information and data | Preventive | |
Include the processing purpose in the privacy policy. CC ID 00406 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Details of business affairs subject to the entrustment of management of personal information and the trustee (they shall be included in the policy on management, only where this subparagraph is applicable); Article 27-2(2)(4)] | Privacy protection for information and data | Preventive | |
Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Privacy protection for information and data | Preventive | |
Include the data subject categories being processed in the privacy policy. CC ID 00407 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)] | Privacy protection for information and data | Preventive | |
Define the retention period for collected information in the privacy policy. CC ID 13116 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)] | Privacy protection for information and data | Preventive | |
Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)] | Privacy protection for information and data | Preventive | |
Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Details of business affairs subject to the entrustment of management of personal information and the trustee (they shall be included in the policy on management, only where this subparagraph is applicable); Article 27-2(2)(4)] | Privacy protection for information and data | Preventive | |
Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Privacy protection for information and data | Preventive | |
Include instructions on how to opt-out in the privacy policy. CC ID 00411 | Privacy protection for information and data | Preventive | |
Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 | Privacy protection for information and data | Preventive | |
Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Matters concerning installation, operation, and denial of a device that collect personal information automatically, such as an information file for access to internet; Article 27-2(2)(6) A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1] | Privacy protection for information and data | Preventive | |
Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Matters concerning installation, operation, and denial of a device that collect personal information automatically, such as an information file for access to internet; Article 27-2(2)(6) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Matters concerning installation, operation, and denial of a device that collect personal information automatically, such as an information file for access to internet; Article 27-2(2)(6)] | Privacy protection for information and data | Preventive | |
Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 | Privacy protection for information and data | Preventive | |
Post the privacy policy in an easily seen location. CC ID 00401 | Privacy protection for information and data | Preventive | |
Define who will receive the privacy policy. CC ID 00402 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain privacy procedures. CC ID 14665 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a privacy plan. CC ID 14672 | Privacy protection for information and data | Preventive | |
Include privacy requirements in the privacy plan. CC ID 14699 | Privacy protection for information and data | Preventive | |
Include the information types in the privacy plan. CC ID 14695 | Privacy protection for information and data | Preventive | |
Include threats in the privacy plan. CC ID 14694 | Privacy protection for information and data | Preventive | |
Include roles and responsibilities in the privacy plan. CC ID 14702 | Privacy protection for information and data | Preventive | |
Include a description of the operational context in the privacy plan. CC ID 14692 | Privacy protection for information and data | Preventive | |
Include risk assessment results in the privacy plan. CC ID 14701 | Privacy protection for information and data | Preventive | |
Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Privacy protection for information and data | Preventive | |
Include security controls in the privacy plan. CC ID 14681 | Privacy protection for information and data | Preventive | |
Include a description of the operational environment in the privacy plan. CC ID 14679 | Privacy protection for information and data | Preventive | |
Include network diagrams in the privacy plan. CC ID 14678 | Privacy protection for information and data | Preventive | |
Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a privacy report. CC ID 14754 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain personal data choice and consent program. CC ID 12569 [A person who obtains consent to receive advertising information pursuant to paragraph (1) or (3) shall regularly verify whether an addressee of advertising information consents to receive such information, as prescribed by Presidential Decree. Article 50(8)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data request procedures. CC ID 16546 | Privacy protection for information and data | Preventive | |
Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the user has given a consent to he provider of information and communications services or similar to collect, use, or furnish his or her personal information. Article 30(2)(3)] | Privacy protection for information and data | Preventive | |
Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6)] | Privacy protection for information and data | Preventive | |
Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Privacy protection for information and data | Preventive | |
Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Privacy protection for information and data | Preventive | |
Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Privacy protection for information and data | Preventive | |
Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Privacy protection for information and data | Preventive | |
Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Privacy protection for information and data | Preventive | |
Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Privacy protection for information and data | Preventive | |
Include agreement termination information in the disclosure authorization form. CC ID 13437 | Privacy protection for information and data | Preventive | |
Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Preventive | |
Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Preventive | |
Submit a safe harbor self-certification letter. CC ID 06871 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 | Privacy protection for information and data | Preventive | |
Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Privacy protection for information and data | Preventive | |
Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Privacy protection for information and data | Preventive | |
Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Privacy protection for information and data | Preventive | |
Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Privacy protection for information and data | Preventive | |
Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Privacy protection for information and data | Preventive | |
Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Privacy protection for information and data | Preventive | |
Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Privacy protection for information and data | Preventive | |
Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Privacy protection for information and data | Preventive | |
Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Privacy protection for information and data | Preventive | |
Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Privacy protection for information and data | Preventive | |
Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Privacy protection for information and data | Preventive | |
Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Privacy protection for information and data | Preventive | |
Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Privacy protection for information and data | Preventive | |
Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Privacy protection for information and data | Preventive | |
Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Privacy protection for information and data | Preventive | |
Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Privacy protection for information and data | Preventive | |
Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Privacy protection for information and data | Preventive | |
Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Privacy protection for information and data | Preventive | |
Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A provider, etc. of information and communications shall, when entrusting a trustee with management of personal information, do so in writing. Article 25(6)] | Privacy protection for information and data | Preventive | |
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Preventive | |
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Privacy protection for information and data | Preventive | |
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Preventive | |
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Privacy protection for information and data | Preventive | |
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [A provider of information and communications services or similar shall, when he or she entrusts the management of personal information to a third party, define the scope of purposes, in advance, within which the trustee is allowed to manage personal information of users, and the trustee shall not manage the personal information of users beyond the scope of purposes. Article 25(3)] | Privacy protection for information and data | Preventive | |
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Privacy protection for information and data | Preventive | |
Include the duration of processing in the Data Processing Contract. CC ID 14935 | Privacy protection for information and data | Preventive | |
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Preventive | |
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Privacy protection for information and data | Preventive | |
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Privacy protection for information and data | Preventive | |
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Privacy protection for information and data | Preventive | |
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Privacy protection for information and data | Preventive | |
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Preventive | |
Document the law that requires restricted data to be collected. CC ID 00103 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Preventive | |
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Preventive | |
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Preventive | |
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Preventive | |
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data access procedures. CC ID 00414 [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Personal information of the user, which the provider of information and communications services or similar possesses; Article 30(2)(1)] | Privacy protection for information and data | Preventive | |
Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Preventive | |
Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Preventive | |
Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6) Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2) Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Personal information of the user, which the provider of information and communications services or similar possesses; Article 30(2)(1)] | Privacy protection for information and data | Preventive | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Preventive | |
Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 [{refrain from using}{be different} No provider of information and communications services may use personal information collected in accordance with Article 22 and the proviso to Article 23 (1) for any purpose other than the purpose consented by the relevant user or the purpose specified in any subparagraph of Article 22 (2). Article 24 ¶ 1] | Privacy protection for information and data | Preventive | |
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Privacy protection for information and data | Preventive | |
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Privacy protection for information and data | Preventive | |
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Privacy protection for information and data | Preventive | |
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Privacy protection for information and data | Preventive | |
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Privacy protection for information and data | Preventive | |
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Preventive | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Preventive | |
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Preventive | |
Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Preventive | |
Define security breach notification requirement exceptions. CC ID 04797 | Privacy protection for information and data | Preventive | |
Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Privacy protection for information and data | Preventive | |
Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Preventive | |
Define opt-out exceptions for disclosing restricted data. CC ID 00159 | Privacy protection for information and data | Preventive | |
Define how a data subject may give consent. CC ID 00160 | Privacy protection for information and data | Preventive | |
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Privacy protection for information and data | Detective | |
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [{refrain from destroying} A provider of information and communications services or similar shall, if any of the followings occurs, destroy the relevant personal information without delay so that such personal information cannot be recovered or reproduced: Provided, That the same shall not apply where it is required to preserve the personal information in accordance with any other Act: Article 29(1) The provider of information and communications services or similar shall, in an effort to protect personal information of the users who do not use information and communications services for a period of one year, "background-color:#B7D8ED;" class="term_primary-verb">take necessary " class="term_primary-noun">measures, such as destruction of personal information, as prescribed by Presidential Decree: Provided, That the period is otherwise provided either in accordance with other statue or at the request of the users, such provisions shall apply. The provider of information and communications services or similar shall, in an effort to protect personal information of the users who do not use information and communications services for a period of one year, take necessary measures, such as destruction of personal information, as prescribed by Presidential Decree: Provided, That the period is otherwise provided either in accordance with other statue or at the request of the users, such provisions shall apply. Article 29(2)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3) If a user withdraws his or her consent pursuant to paragraph (1), a provider of information and communications services, etc. shall immediately take necessary measures, such as the destruction of collected personal information in an irrecoverable or in unreproducible way. Article 30(3)] | Privacy protection for information and data | Preventive | |
Document the redisclosing restricted data exceptions. CC ID 00170 | Privacy protection for information and data | Preventive | |
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 | Privacy protection for information and data | Preventive | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Preventive | |
Include cookie management in the privacy framework. CC ID 13809 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain cookie management procedures. CC ID 13810 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Preventive | |
Post the collection purpose. CC ID 00101 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)] | Privacy protection for information and data | Preventive | |
Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Preventive | |
Establish and maintain a personal data definition. CC ID 00028 | Privacy protection for information and data | Preventive | |
Include the number of children in the personal data definition. CC ID 13759 | Privacy protection for information and data | Preventive | |
Include the individual's religion in the personal data definition. CC ID 13765 | Privacy protection for information and data | Preventive | |
Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Privacy protection for information and data | Preventive | |
Include an individual's license plate number in the personal data definition. CC ID 13763 | Privacy protection for information and data | Preventive | |
Include an individual's account balances in the personal data definition. CC ID 13770 | Privacy protection for information and data | Preventive | |
Include an individual's logon credentials in the personal data definition. CC ID 13771 | Privacy protection for information and data | Preventive | |
Include an individual's military identification number in the personal data definition. CC ID 13083 | Privacy protection for information and data | Preventive | |
Refrain from including publicly available information in the personal data definition. CC ID 13084 | Privacy protection for information and data | Preventive | |
Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Preventive | |
Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Preventive | |
Provide the data subject with the data collector's name and contact information. CC ID 00024 [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Methods of raising an objection and contact information. Article 58(1)(4)] | Privacy protection for information and data | Preventive | |
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Privacy protection for information and data | Preventive | |
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Trade name and contact information of the other party (referring to a person who sells and/or provides goods/services in a transaction through telecommunications billing services; hereinafter referred to as "other party to a transaction"); Article 58(1)(2)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 [{do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [{refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that divulges a secret classified by statutes or any other State secret; Article 44-7(1)(7) {do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Detective | |
Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain call metadata controls. CC ID 04790 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling procedures. CC ID 11756 | Privacy protection for information and data | Preventive | |
Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Preventive | |
Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Privacy protection for information and data | Preventive | |
Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 | Privacy protection for information and data | Preventive | |
Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5) A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)] | Privacy protection for information and data | Preventive | |
Document transfer disagreements by the data subject in writing. CC ID 00348 | Privacy protection for information and data | Preventive | |
Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Privacy protection for information and data | Preventive | |
Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a privacy impact assessment. CC ID 13712 | Privacy protection for information and data | Preventive | |
Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Privacy protection for information and data | Preventive | |
Include how to grant consent in the privacy impact assessment. CC ID 15519 | Privacy protection for information and data | Preventive | |
Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Privacy protection for information and data | Preventive | |
Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Privacy protection for information and data | Preventive | |
Include data handling procedures in the privacy impact assessment. CC ID 15516 | Privacy protection for information and data | Preventive | |
Include the intended use of information in the privacy impact assessment. CC ID 15515 | Privacy protection for information and data | Preventive | |
Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Privacy protection for information and data | Preventive | |
File privacy rights violation complaints in writing. CC ID 00477 | Privacy protection for information and data | Corrective | |
Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Privacy protection for information and data | Corrective | |
Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [Every provider of telecommunications billing services may install and operate an institution or organization that voluntary resolves disputes to protect rights and interests of users. Article 59(1) A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5) {violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)] | Privacy protection for information and data | Preventive | |
Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Privacy protection for information and data | Preventive | |
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 | Privacy protection for information and data | Preventive | |
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 | Privacy protection for information and data | Preventive | |
Document unresolved challenges. CC ID 13568 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Privacy protection for information and data | Preventive | |
Document disagreements as to whether personal data is complete and accurate. CC ID 06952 [Where information provided through an information and communications network purposely to be made public intrudes on other persons' privacy, defames other persons, or violates other persons' right otherwise, the victim of such violation may request the provider of information and communications services who managed the information to delete the information or publish a rebuttable statement (hereinafter referred to as "deletion or rebuttal"), presenting explanatory materials supporting the alleged violation. Article 44-2(1)] | Privacy protection for information and data | Preventive | |
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Privacy protection for information and data | Preventive | |
Include the allegations against the organization in the notice of investigation. CC ID 13031 | Privacy protection for information and data | Preventive | |
Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 | Privacy protection for information and data | Corrective | |
Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)] | Privacy protection for information and data | Detective | |
Define the organization's liability based on the applicable law. CC ID 00504 [If the trustee violates any provision of this Chapter in connection with the business affairs related to the entrustment of management of personal information and inflicts damages upon a user, the trustee shall be deemed an employee of the provider of information and communications services or similar in determining liability for such damages. Article 25(5) A provider of information and communications services may, if he or she takes necessary measures under paragraph (2) for the informations circulated through the information and communications network operated and managed by it, have its liability for damages caused by such informations mitigated or discharged. Article 44-2(6) A provider of telecommunications billing services shall be liable for damages caused to a user of the telecommunications billing services while rendering the services: Provided, That the same shall not apply in cases where the damages were caused by an intentional act or gross negligence on the part of the user of the telecommunications billing services. Article 60(1)] | Privacy protection for information and data | Preventive | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Preventive | |
Define the appeal process based on the applicable law. CC ID 00506 | Privacy protection for information and data | Preventive | |
Provide notice of proposed penalties. CC ID 06216 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain an anti-spam policy. CC ID 00283 | Privacy protection for information and data | Preventive | |
Include that commercial electronic messages may be sent to an individual in any situation where the sender has prior consent from the individual or another existing business relationship in the anti-spam policy. CC ID 00300 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 [A person who has commissioned a third party to transmit advertising information for profit on his or her behalf shall control and oversee the person to whom the transmission was commissioned to ensure that the person does not violate Article 50. Article 50-3(1) A provider of information and communications services or similar shall control, supervise and educate the trustee to ensure that the trustee does not violate any provision of this Chapter. Article 25(4)] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [A provider of information and communications services may take measures to refuse rendering corresponding services in any of the following cases: If transmission or reception of advertising information hinders or is likely to hinder rendering the services; Article 50-4(1)(1) Any provider of information and communications services or similar shall not conclude an international contract with any term or condition in violation of this Act with respect to personal information of users. Article 63(1) {relevant authority} Every provider of telecommunications billing services shall prepare a standard contract form on telecommunications billing services and report it to the Minister of Science, ICT and Future Planning (including reporting on a revision thereto). Article 56(1)] | Third Party and supply chain oversight | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Preventive | |
Document and maintain supply chain processes. CC ID 08816 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain an exit plan. CC ID 15492 | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Third Party and supply chain oversight | Preventive | |
Include contingency plans in the third party management plan. CC ID 10030 | Third Party and supply chain oversight | Preventive | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Third Party and supply chain oversight | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Preventive | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Preventive | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Third Party and supply chain oversight | Preventive | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Preventive | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Preventive | |
Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Preventive | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 | Third Party and supply chain oversight | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Third Party and supply chain oversight | Preventive | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Preventive | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Preventive | |
Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Third Party and supply chain oversight | Preventive | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Third Party and supply chain oversight | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Preventive | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Third Party and supply chain oversight | Preventive | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Preventive | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 | Third Party and supply chain oversight | Preventive | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Preventive | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Preventive | |
Include change control notification processes in third party contracts. CC ID 06524 [When a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) amends any of the contractual terms and conditions, he or she shall notify users of the amendment thereof one month prior to the effective date of the amended contractual terms and conditions. In such cases, a user who has an objection to the amended contractual terms and conditions may terminate the contract for telecommunications billing services. Article 58(6)] | Third Party and supply chain oversight | Preventive | |
Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Preventive | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Preventive | |
Include a dispute resolution clause in third party contracts. CC ID 06519 [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)] | Third Party and supply chain oversight | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 [If a provider of information and communications services intends to take any measure for refusal under paragraph (1) or (4), he or she shall include matters concerning the refusal of the relevant services in the terms and conditions of a contract for use of information and communications services which he or she concludes with the user of such services. Article 50-4(2)] | Third Party and supply chain oversight | Detective | |
Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Preventive | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Preventive | |
Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Preventive | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Third Party and supply chain oversight | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 [A transferee of business or similar may use or furnish personal information only within the scope of purposes originally defined for which any provider of information and communications services or similar uses or furnishes the personal information of users: Provided, That the same shall not apply where he or she separately obtains consent from users. Article 26(3) A provider of information and communications services or similar shall, when he or she entrusts the management of personal information to a third party, define the scope of purposes, in advance, within which the trustee is allowed to manage personal information of users, and the trustee shall not manage the personal information of users beyond the scope of purposes. Article 25(3)] | Third Party and supply chain oversight | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 [A provider of telecommunications billing services shall provide users of telecommunications billing services with a method by which users can verify the details of purchase and use, and shall also furnish a user, upon request, with a written statement on the details of purchase and use (including an electronic document; hereinafter the same shall apply) within two weeks from the date requested. Article 58(2)] | Third Party and supply chain oversight | Preventive | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Preventive | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Preventive | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 | Third Party and supply chain oversight | Detective | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 | Third Party and supply chain oversight | Preventive | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Preventive | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Third Party and supply chain oversight | Preventive | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Preventive | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Third Party and supply chain oversight | Preventive | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Third Party and supply chain oversight | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Third Party and supply chain oversight | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Preventive | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Preventive | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Third Party and supply chain oversight | Preventive | |
Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Third Party and supply chain oversight | Preventive | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain Operational Level Agreements. CC ID 13637 | Third Party and supply chain oversight | Preventive | |
Include technical processes in operational level agreements, as necessary. CC ID 13639 | Third Party and supply chain oversight | Preventive | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 | Third Party and supply chain oversight | Detective | |
Approve all Service Level Agreements. CC ID 00843 | Third Party and supply chain oversight | Detective | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Detective | |
Categorize all suppliers in the supply chain management program. CC ID 00792 | Third Party and supply chain oversight | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 | Third Party and supply chain oversight | Preventive | |
Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Third Party and supply chain oversight | Preventive | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Third Party and supply chain oversight | Preventive | |
Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Third Party and supply chain oversight | Preventive | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 | Third Party and supply chain oversight | Preventive | |
Include supplier assessment principles in the supply chain management policy. CC ID 08809 | Third Party and supply chain oversight | Preventive | |
Include the third party selection process in the supply chain management policy. CC ID 13132 | Third Party and supply chain oversight | Preventive | |
Select suppliers based on their qualifications. CC ID 00795 | Third Party and supply chain oversight | Preventive | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Third Party and supply chain oversight | Preventive | |
Include a clear management process in the supply chain management policy. CC ID 08810 | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Third Party and supply chain oversight | Preventive | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 | Third Party and supply chain oversight | Preventive | |
Require suppliers to commit to the supply chain management policy. CC ID 08813 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Third Party and supply chain oversight | Preventive | |
Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Third Party and supply chain oversight | Preventive | |
Include all in scope materials in the conflict minerals policy. CC ID 08945 | Third Party and supply chain oversight | Preventive | |
Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Third Party and supply chain oversight | Preventive | |
Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Third Party and supply chain oversight | Preventive | |
Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Third Party and supply chain oversight | Preventive | |
Establish and maintain a conflict materials report. CC ID 08823 | Third Party and supply chain oversight | Preventive | |
Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Third Party and supply chain oversight | Preventive | |
Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Third Party and supply chain oversight | Preventive | |
Include the organization approving subcontractors in the outsourcing contract. CC ID 13131 [{business affair}{personal information} A trustee may re-entrust a third party with affairs entrusted pursuant to paragraph (1) only where the trustee obtains consent from the provider, etc. of information and communications services. Article 25(7)] | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Preventive | |
Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Technical security | Preventive | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Preventive | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Preventive | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Preventive | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Preventive | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Preventive | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Preventive | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Preventive | |
Categorize the gender of all employees. CC ID 15609 | Human Resources management | Preventive | |
Categorize all employees by racial groups and ethnic groups. CC ID 15627 | Human Resources management | Preventive | |
Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 | Human Resources management | Preventive | |
Establish and maintain Personnel Files for all employees. CC ID 12438 | Human Resources management | Preventive | |
Include credit check results in each employee's personnel file. CC ID 12447 | Human Resources management | Preventive | |
Include any criminal records in each employee's personnel file. CC ID 12446 | Human Resources management | Preventive | |
Include all employee information in each employee's personnel file. CC ID 12445 | Human Resources management | Preventive | |
Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 | Human Resources management | Preventive | |
Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 | Human Resources management | Preventive | |
Include referral follow-up results in each employee's personnel file. CC ID 12440 | Human Resources management | Preventive | |
Include background check results in each employee's personnel file. CC ID 12439 | Human Resources management | Preventive | |
Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 | Human Resources management | Preventive | |
Establish, implement, and maintain staff position risk designations. CC ID 14280 | Human Resources management | Preventive | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Detective | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Preventive | |
Assign an owner of the personnel status change and termination procedures. CC ID 11805 | Human Resources management | Preventive | |
Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 | Human Resources management | Preventive | |
Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 | Human Resources management | Preventive | |
Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 | Human Resources management | Corrective | |
Conduct exit interviews upon termination of employment. CC ID 14290 | Human Resources management | Preventive | |
Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 | Human Resources management | Detective | |
Support certification programs as viable training programs. CC ID 13268 | Human Resources management | Preventive | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Preventive | |
Include ethical culture in the training plan, as necessary. CC ID 12801 | Human Resources management | Preventive | |
Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources management | Preventive | |
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Preventive | |
Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 | Human Resources management | Preventive | |
Establish, implement, and maintain an ethics program. CC ID 11496 | Human Resources management | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Preventive | |
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [{refrain from refusing}{do not consent}{not necessary} No provider of information and communications services shall refuse to provide the relevant services to users on the ground that the users give no consent to the establishment of access authority not certainly necessary to provide the relevant services. Article 22-2(2) {refrain from refusing} No provider of information and communications services shall refuse to provide such services on the ground that a user does not provide personal information other than the minimum personal information required. In such cases, the minimum personal information required means information that is specifically required to perform essential functions of the relevant services. Article 23(3) {refrain from refusing} When the provider, etc. of information and communications services under Article 25 (1) is given the consent to furnishing user's information under paragraph (1) and to the entrustment of management of personal information under Article 25 (1), he or she shall obtain such consent apart from the consent to collection/use of personal information pursuant to Article 22, and shall not refuse to provide its service on the ground of a user's refusal of aforementioned consent. Article 24-2(3)] | Privacy protection for information and data | Preventive | |
Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 | Privacy protection for information and data | Preventive | |
Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Privacy protection for information and data | Preventive | |
Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 | Privacy protection for information and data | Preventive | |
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Privacy protection for information and data | Preventive | |
Review compliance with the organization's privacy objectives. CC ID 13490 | Privacy protection for information and data | Detective | |
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Privacy protection for information and data | Preventive | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Check the list of material topics for completeness. CC ID 15692 | Leadership and high level objectives | Preventive | |
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Leadership and high level objectives | Detective | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Leadership and high level objectives | Detective | |
Verify proof of identity records. CC ID 13761 | Technical security | Detective | |
Scan for malicious code, as necessary. CC ID 11941 | Technical security | Detective | |
Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Detective | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Detective | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Detective | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Detective | |
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Detective | |
Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Detective | |
Confirm the data quality of personal data collected from third parties. CC ID 13510 | Privacy protection for information and data | Detective | |
Review the methods for collecting personal data, as necessary. CC ID 13511 | Privacy protection for information and data | Detective | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Detective | |
Establish and maintain a visitor log. CC ID 00715 | Physical and environmental protection | Preventive | |
Record the visitor's name in the visitor log. CC ID 00557 | Physical and environmental protection | Preventive | |
Record the visitor's organization in the visitor log. CC ID 12121 | Physical and environmental protection | Preventive | |
Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Physical and environmental protection | Preventive | |
Retain all records in the visitor log as prescribed by law. CC ID 00572 | Physical and environmental protection | Preventive | |
Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Physical and environmental protection | Preventive | |
Log when the vault is accessed. CC ID 06725 | Physical and environmental protection | Detective | |
Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Detective | |
Store facility access logs in off-site storage. CC ID 06958 | Physical and environmental protection | Preventive | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Detective | |
Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Preventive | |
Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Preventive | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Detective | |
Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
Monitor the performance of the margin system. CC ID 16655 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Preventive | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [Where a person responsible for protection of personal information becomes aware of a fact of violation of this Act or other relevant statute, he or she shall take measures for improvement immediately, and if necessary, report the measures for improvement to the business owner or representative of the provider, etc. of information and communications services: Provided, That the provisions concerning reporting of measures for improvement shall not apply where the business owner or representative is the person responsible for protection of personal information pursuant to paragraph (2). Article 27(4)] | Monitoring and measurement | Detective | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitoring and measurement | Detective | |
Enforce information flow control. CC ID 11781 | Technical security | Preventive | |
Log and react to all malicious code activity. CC ID 07072 | Technical security | Detective | |
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Physical and environmental protection | Preventive | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 | Physical and environmental protection | Detective | |
Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Preventive | |
Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 | Physical and environmental protection | Detective | |
Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 | Physical and environmental protection | Detective | |
Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Physical and environmental protection | Detective | |
Monitor for alarmed security doors being propped open. CC ID 06684 | Physical and environmental protection | Detective | |
Identify and watch individuals that pose a risk to the organization. CC ID 10674 | Human Resources management | Detective | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Detective | |
Analyze and evaluate training records to improve the training program. CC ID 06380 | Human Resources management | Detective | |
Monitor and review the effectiveness of the information security program. CC ID 12744 [A chief information protection officer shall be responsible for the following matters: Review of a preliminary security for information protection; Article 45-3(3)(5)] | Operational management | Preventive | |
Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 | Systems design, build, and implementation | Detective | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Corrective | |
Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Detective | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Detective | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Preventive | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Preventive | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Protect the facility from crime. CC ID 06347 | Physical and environmental protection | Preventive | |
Protect facilities from eavesdropping. CC ID 02222 | Physical and environmental protection | Preventive | |
Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and environmental protection | Detective | |
Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and environmental protection | Preventive | |
Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and environmental protection | Preventive | |
Create security zones in facilities, as necessary. CC ID 16295 | Physical and environmental protection | Preventive | |
Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and environmental protection | Preventive | |
Inspect items brought into the facility. CC ID 06341 | Physical and environmental protection | Preventive | |
Maintain all physical security systems. CC ID 02206 | Physical and environmental protection | Preventive | |
Maintain all security alarm systems. CC ID 11669 | Physical and environmental protection | Preventive | |
Control physical access to (and within) the facility. CC ID 01329 | Physical and environmental protection | Preventive | |
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and environmental protection | Preventive | |
Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and environmental protection | Detective | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Preventive | |
Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and environmental protection | Preventive | |
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and environmental protection | Corrective | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Preventive | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Preventive | |
Manage visitor identification inside the facility. CC ID 11670 | Physical and environmental protection | Preventive | |
Secure unissued visitor identification badges. CC ID 06712 | Physical and environmental protection | Preventive | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Preventive | |
Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and environmental protection | Preventive | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Preventive | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Preventive | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Preventive | |
Prevent tailgating through physical entry points. CC ID 06685 | Physical and environmental protection | Preventive | |
Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and environmental protection | Preventive | |
Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and environmental protection | Preventive | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Preventive | |
Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and environmental protection | Preventive | |
Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and environmental protection | Preventive | |
Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and environmental protection | Preventive | |
Screen incoming mail and deliveries. CC ID 06719 | Physical and environmental protection | Preventive | |
Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and environmental protection | Preventive | |
Establish a security room, if necessary. CC ID 00738 | Physical and environmental protection | Preventive | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and environmental protection | Preventive | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Preventive | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Preventive | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Detective | |
Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and environmental protection | Preventive | |
Monitor physical entry point alarms. CC ID 01639 | Physical and environmental protection | Detective | |
Build and maintain fencing, as necessary. CC ID 02235 | Physical and environmental protection | Preventive | |
Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and environmental protection | Preventive | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Preventive | |
Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and environmental protection | Preventive | |
Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Review and approve the material topics, as necessary. CC ID 15670 | Leadership and high level objectives | Preventive | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Leadership and high level objectives | Preventive | |
Identify events that may affect organizational objectives. CC ID 12961 | Leadership and high level objectives | Preventive | |
Identify conditions that may affect organizational objectives. CC ID 12958 | Leadership and high level objectives | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Leadership and high level objectives | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Leadership and high level objectives | Preventive | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Leadership and high level objectives | Preventive | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Leadership and high level objectives | Preventive | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Leadership and high level objectives | Detective | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Leadership and high level objectives | Preventive | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Leadership and high level objectives | Preventive | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Leadership and high level objectives | Detective | |
Analyze the performance of the margin system. CC ID 16654 | Leadership and high level objectives | Detective | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Preventive | |
Correct compliance violations. CC ID 13515 [{problem} Where services which a provider of information and communications services provides to users under a contract for use are used for transmitting advertising information for profits, in violation of Article 50 or 50-8, the relevant provider of information and communications services shall formulate necessary measures, such as refusal to provide the relevant services or fix of problmes of information and communications networks or services. Article 50-4(4)] | Monitoring and measurement | Corrective | |
Implement digital identification processes. CC ID 13731 | Technical security | Preventive | |
Implement identity proofing processes. CC ID 13719 | Technical security | Preventive | |
Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Technical security | Preventive | |
Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Technical security | Preventive | |
Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Technical security | Detective | |
Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Technical security | Preventive | |
Interact with the data subject when performing remote proofing. CC ID 13777 | Technical security | Detective | |
Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Technical security | Preventive | |
View all applicant actions when performing remote proofing. CC ID 13804 | Technical security | Detective | |
Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Technical security | Preventive | |
Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Technical security | Detective | |
Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Technical security | Detective | |
Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Technical security | Preventive | |
Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Technical security | Preventive | |
Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Technical security | Detective | |
Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Technical security | Preventive | |
Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Technical security | Preventive | |
Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Technical security | Detective | |
Validate proof of identity during the identity proofing process. CC ID 13756 | Technical security | Detective | |
Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Technical security | Detective | |
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Technical security | Detective | |
Allow records that relate to the data subject as proof of identity. CC ID 13772 | Technical security | Preventive | |
Conduct in-person proofing with physical interactions. CC ID 13775 | Technical security | Detective | |
Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Technical security | Preventive | |
Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Technical security | Preventive | |
Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Technical security | Preventive | |
Refrain from approving attributes in the identity proofing process. CC ID 13716 | Technical security | Preventive | |
Reperform the identity proofing process for each individual, as necessary. CC ID 13762 | Technical security | Detective | |
Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Technical security | Preventive | |
Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Technical security | Preventive | |
Define the format of the biometric data on identification cards or badges. CC ID 06586 | Technical security | Preventive | |
Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Corrective | |
Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Preventive | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Preventive | |
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Physical and environmental protection | Preventive | |
Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Physical and environmental protection | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
Include organizational values in the Code of Conduct. CC ID 12919 | Human Resources management | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Operational management | Detective | |
Provide management direction and support for the information security program. CC ID 11999 | Operational management | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
Contain the incident to prevent further loss. CC ID 01751 [A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If it is anticipated that an abnormality found in the information system of a person who uses clustered information and communications facilities (hereinafter referred to as "user of facilities") will probably cause a serious trouble to the information system of other users of facilities or clustered information and communications facilities; Article 46-2(1)(1) A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If it is anticipated that an intrusion from outside will probably cause a serious trouble to the clustered information and communications facilities; Article 46-2(1)(2) {relevant authority}A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If there occurs a serious intrusion and the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency requests to suspend the services. Article 46-2(1)(3)] | Operational management | Corrective | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Preventive | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Preventive | |
Delete age-restricted content, as necessary. CC ID 15450 [A provider of information and communications services shall, if there is any unwholesome medium for juvenile published in violation of the labeling method under Article 42 in the information and communications network operated and managed by him or her or if a content advertising any unwholesome medium for juvenile is displayed in such network without any measures to restrict access by juvenile under Article 42-2, delete such content without delay. Article 44-2(3)] | Operational management | Preventive | |
Control the distribution of media containing age-restricted content, as necessary. CC ID 15446 [The person responsible for protection of juvenile shall block and control unwholesome information for juvenile in the information and communications network, and shall perform business affairs for protection of juvenile, including establishment of a plan for protection of juvenile from unwholesome information for juvenile. Article 42-3(3) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with an obscene content distributed, sold, rented, or displayed openly in the form of code, words, sound, image, or motion picture; Article 44-7(1)(1) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that falls within an unwholesome medium for juvenile under the Juvenile Protection Act and that is provided for profit without fulfilling the duties and obligations under relevant statutes, including the duty to verify the opposite party's age and the duty of labeling; Article 44-7(1)(5) {refrain from transmitting}{refrain from displaying}{refrain from taking} No one may transmit, to a juvenile under subparagraph 1 of Article 2 of the Juvenile Protection Act, any information containing an advertisement of an unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the aforesaid Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in the form of code, letter, voice, sound, image, or motion picture through an information and communications network or display such medium to the general public without taking any measure to restrict access by a juvenile. Article 42-2 ¶ 1] | Operational management | Preventive | |
Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Preventive | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Records management | Preventive | |
Require a data protection impact assessment when profiling the data subject. CC ID 12680 | Privacy protection for information and data | Detective | |
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Privacy protection for information and data | Preventive | |
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 | Privacy protection for information and data | Preventive | |
Provide the data subject with the data retention period for personal data. CC ID 12587 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Period of time during which he or she intends to possess and use the personal information. Article 22(1)(3) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The purposes of use of the person to whom the personal information is to be transferred, and the period of time for possession and use of the personal information. Article 63(3)(4)] | Privacy protection for information and data | Preventive | |
Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 | Privacy protection for information and data | Preventive | |
Provide the data subject with the adequacy decision. CC ID 12586 | Privacy protection for information and data | Preventive | |
Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 | Privacy protection for information and data | Preventive | |
Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Privacy protection for information and data | Preventive | |
Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Preventive | |
Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Preventive | |
Provide shareholders access to electronic messages via electronic means. CC ID 11855 | Privacy protection for information and data | Preventive | |
Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 | Privacy protection for information and data | Preventive | |
Align the enterprise architecture with the privacy plan. CC ID 14705 | Privacy protection for information and data | Preventive | |
Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Privacy protection for information and data | Preventive | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Privacy protection for information and data | Preventive | |
Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Preventive | |
Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Preventive | |
Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Preventive | |
Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Privacy protection for information and data | Detective | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Preventive | |
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Preventive | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Preventive | |
Take appropriate action when a data leakage is discovered. CC ID 14716 [{relevant authority} Upon the request of the Korea Communications Commission or the Korea Internet and Security Agency, a provider, etc. of information and communications services shall take necessary measures such as deleting and blocking exposed personal information referred to in paragraph (1). Article 32-3(2) A provider of information and communications services, etc. shall prepare countermeasures against the leakages, etc. of personal information, and shall seek measures to minimize any damage thereof. Article 27-3(5)] | Privacy protection for information and data | Corrective | |
Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 | Privacy protection for information and data | Preventive | |
Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 | Privacy protection for information and data | Preventive | |
Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 | Privacy protection for information and data | Preventive | |
Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Preventive | |
Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [{refrain from obtaining} Where any person intends to post advertising information for profit on an Internet website, he or she shall obtain prior consent from the operator or the manager of an Internet website: Provided, That in cases of a message board to which any person can have easy access without special authority and on which any person can post his or her message, he or she need not obtain prior consent. Article 50-7(1)] | Third Party and supply chain oversight | Detective | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Technical security | Preventive | |
Retain video events according to Records Management procedures. CC ID 06304 | Physical and environmental protection | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [{be impossible} An information provider specified by Presidential Decree among those who engage in a business of providing unwholesome media for juvenile as defined in subparagraph 3 of Article 2 of the Juvenile Protection Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in a way to make it impossible to store or record the unwholesome media in a user's computer shall keep relevant information. Article 43(1) Every provider of telecommunications billing services shall preserve records of telecommunications billing services during the period, within the limit of five years, prescribed by Presidential Decree. Article 58(4)] | Records management | Preventive | |
Compare each record's data input to its final form. CC ID 11813 | Records management | Detective | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records management | Detective | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Preventive | |
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Privacy protection for information and data | Preventive | |
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Privacy protection for information and data | Preventive | |
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Privacy protection for information and data | Corrective | |
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Privacy protection for information and data | Corrective | |
Grant access to education records in support of educational program audits. CC ID 13032 | Privacy protection for information and data | Preventive | |
Grant access to education records in support of external requirements. CC ID 13033 | Privacy protection for information and data | Preventive | |
Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Privacy protection for information and data | Preventive | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Preventive | |
Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Preventive | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Corrective | |
Refrain from processing restricted data, as necessary. CC ID 12551 [{refrain from collecting}{refrain from using} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Article 23-2(1) {be different}{refrain from using} A person who received any personal information of a user from a provider of information and communications services in accordance with paragraph (1) shall not furnish the personal information to a third party or use it for any purpose other than the purpose originally agreed upon at the time when the information was furnished without consent of the user or a specific provision otherwise specified in any other Act. Article 24-2(2) A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)] | Privacy protection for information and data | Preventive | |
Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Privacy protection for information and data | Preventive | |
Include the data processor's contact information in the record of processing activities. CC ID 12657 | Privacy protection for information and data | Preventive | |
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Privacy protection for information and data | Preventive | |
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Privacy protection for information and data | Preventive | |
Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Privacy protection for information and data | Preventive | |
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Privacy protection for information and data | Preventive | |
Include the personal data processing categories in the record of processing activities. CC ID 12661 | Privacy protection for information and data | Preventive | |
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Privacy protection for information and data | Preventive | |
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Privacy protection for information and data | Preventive | |
Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Privacy protection for information and data | Preventive | |
Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Privacy protection for information and data | Preventive | |
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Privacy protection for information and data | Preventive | |
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Privacy protection for information and data | Preventive | |
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Privacy protection for information and data | Preventive | |
Include the data controller's contact information in the record of processing activities. CC ID 12637 | Privacy protection for information and data | Preventive | |
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Preventive | |
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [{refrain from providing} No one shall be knowingly provided with any disclosed personal information for profit or any unlawful purpose. Article 28-2(2) {violate}{right} Every provider of information and communications services shall make efforts to prevent any information under paragraph (1) from being circulated through the information and communications network operated and managed by it. Article 44(2) {refrain from circulating}{violate} No user may circulate any information violative of other person's rights, including invasion of privacy and defamation, through an information and communications network. Article 44(1) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that defames other persons by divulging a fact, false fact, openly and purposely to disparage the person's reputation; Article 44-7(1)(2) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information regarding content of transactions of personal information in violation of this Act or other statutes concerning the protection of personal information; Article 44-7(1)(6-2) {be different}{refrain from using} A person who received any personal information of a user from a provider of information and communications services in accordance with paragraph (1) shall not furnish the personal information to a third party or use it for any purpose other than the purpose originally agreed upon at the time when the information was furnished without consent of the user or a specific provision otherwise specified in any other Act. Article 24-2(2) {do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1] | Privacy protection for information and data | Preventive | |
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [{violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)] | Privacy protection for information and data | Preventive | |
Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Preventive | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems design, build, and implementation | Preventive | |
Develop new products based on best practices. CC ID 01095 | Systems design, build, and implementation | Preventive | |
Include security requirements in the system design specification. CC ID 06826 [{take into account} A provider of information and communications services shall, if he or she intends to newly establish an information and communications network or to provide information and communications services, take the matters regarding information protection into account in planning or designing thereof. Article 45-2(1)] | Systems design, build, and implementation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Control access rights to organizational assets. CC ID 00004 | Technical security | Preventive | |
Establish access rights based on least privilege. CC ID 01411 [Every provider of information and communications services or similar shall restrict the persons who may manage users' C;" class="term_primary-noun">personal information to the minimum extent. Every provider of information and communications services or similar shall restrict the persons who may manage users' personal information to the minimum extent. Article 28(2)] | Technical security | Preventive | |
Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Preventive | |
Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Preventive | |
Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)] | Technical security | Preventive | |
Implement out-of-band authentication, as necessary. CC ID 10606 | Technical security | Corrective | |
Identify and control all network access controls. CC ID 00529 | Technical security | Preventive | |
Protect the firewall's network connection interfaces. CC ID 01955 | Technical security | Preventive | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical security | Preventive | |
Configure firewall filtering to only permit established connections into the network. CC ID 12482 | Technical security | Preventive | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 [A chief information protection officer shall be responsible for the following matters: Review of the encryption of an important information and the suitability of a security server; Article 45-3(3)(6)] | Technical security | Preventive | |
Employ cryptographic controls that comply with applicable requirements. CC ID 12491 | Technical security | Preventive | |
Make key usage for data fields unique for each device. CC ID 04828 | Technical security | Preventive | |
Accept only trusted keys and/or certificates. CC ID 11988 | Technical security | Preventive | |
Bind keys to each identity. CC ID 12337 | Technical security | Preventive | |
Generate unique cryptographic keys for each user. CC ID 12169 | Technical security | Preventive | |
Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical security | Preventive | |
Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical security | Preventive | |
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical security | Preventive | |
Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical security | Preventive | |
Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical security | Preventive | |
Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical security | Preventive | |
Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 | Technical security | Preventive | |
Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 | Technical security | Preventive | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for security by using encryption technology and other methods for safe storage and transmission of personal information; Article 28(1)(4)] | Technical security | Preventive | |
Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical security | Preventive | |
Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical security | Preventive | |
Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical security | Preventive | |
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical security | Preventive | |
Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical security | Preventive | |
Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical security | Preventive | |
Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical security | Preventive | |
Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical security | Preventive | |
Install and maintain container security solutions. CC ID 16178 | Technical security | Preventive | |
Protect the system against replay attacks. CC ID 04552 | Technical security | Preventive | |
Analyze the behavior and characteristics of the malicious code. CC ID 10672 | Technical security | Detective | |
Incorporate the malicious code analysis into the patch management program. CC ID 10673 | Technical security | Corrective | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Preventive | |
Secure unissued access mechanisms. CC ID 06713 | Physical and environmental protection | Preventive | |
Change cipher lock codes, as necessary. CC ID 06651 | Physical and environmental protection | Preventive | |
Terminate user accounts when notified that an individual is terminated. CC ID 11614 | Human Resources management | Corrective | |
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 | Human Resources management | Corrective | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Preventive | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Corrective | |
Refrain from accessing compromised systems. CC ID 01752 | Operational management | Corrective | |
Isolate compromised systems from the network. CC ID 01753 | Operational management | Corrective | |
Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Corrective | |
Establish, implement, and maintain authenticators. CC ID 15305 | System hardening through configuration management | Preventive | |
Restrict access to authentication files to authorized personnel, as necessary. CC ID 12127 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Preventive | |
Provide encryption for different types of electronic storage media. CC ID 00945 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for security by using encryption technology and other methods for safe storage and transmission of personal information; Article 28(1)(4)] | Records management | Preventive | |
Establish, implement, and maintain payment transaction security measures. CC ID 13088 [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: A plan for protection of users of telecommunications billing services; Article 53(1)(2) Every provider of telecommunications billing services shall perform his or her duty to pay attention as a good manager so that telecommunications billing services may be provided in a safe manner. Article 57(1)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Privacy protection for information and data | Preventive | |
Display warning screens and confirmation screens for all payment transactions. CC ID 06409 | Privacy protection for information and data | Preventive | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Preventive | |
Employ a random number generator to create authenticators. CC ID 13782 | Privacy protection for information and data | Preventive | |
Provide unobservability of users and resources. CC ID 04551 | Privacy protection for information and data | Preventive | |
Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Preventive | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Preventive | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Preventive | |
Implement security measures to protect personal data. CC ID 13606 [The persons manufacturing and providing a basic operating system (referring to an operating environment in which softwares installed in mobile devices can be run) of mobile devices, the manufacturers of mobile devices, and the persons manufacturing and providing a software for mobile devices shall take measures necessary for protecting users' information, such as devising methods for users to give or revoke consent to access authority where the provider of information and communications services intends to access the information stored and functions installed in mobile devices. Article 22-2(3) Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Other protective measures necessary for securing safety of personal information. Article 28(1)(6) A person who manages or has ever manages personal information of users shall not damage, intrude on, or disclosed personal information that he or she learned in the course of performing his or her duty. Article 28-2(1)] | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Leadership and high level objectives | Preventive | |
Test the collateral requirements for appropriateness. CC ID 16681 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Leadership and high level objectives | Preventive | |
Include stress scenarios in the stress test plan. CC ID 16659 | Leadership and high level objectives | Preventive | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Leadership and high level objectives | Preventive | |
Validate the margin system on a regular basis. CC ID 16660 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a system security plan. CC ID 01922 [Every provider of information and communications services shall take protective measures to secure the reliability of the information and security of the information and communications networks. Article 45(1)] | Monitoring and measurement | Preventive | |
Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Detective | |
Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Detective | |
Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Detective | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Preventive | |
Configure firewalls to perform dynamic packet filtering. CC ID 01288 | Technical security | Detective | |
Test cryptographic key management applications, as necessary. CC ID 04829 | Technical security | Detective | |
Implement non-repudiation for transactions. CC ID 00567 | Technical security | Detective | |
Test all removable storage media for viruses and malicious code. CC ID 11861 | Technical security | Detective | |
Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Technical security | Detective | |
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Physical and environmental protection | Preventive | |
Implement operational requirements for card readers. CC ID 02225 | Physical and environmental protection | Preventive | |
Test locks for physical security vulnerabilities. CC ID 04880 | Physical and environmental protection | Detective | |
Test the recovery plan, as necessary. CC ID 13290 | Operational and Systems Continuity | Detective | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Detective | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 | Human Resources management | Detective | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Preventive | |
Conduct tests and evaluate training. CC ID 06672 | Human Resources management | Detective | |
Maintain continued integrity for all stored data and stored records. CC ID 00969 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing fabrication and alteration of ound-color:#F0BBBC;" class="term_primary-noun">access records; Article 28(1)(3)] | Records management | Detective | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Detective | |
Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Preventive | |
Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Detective | |
Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Detective | |
Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 | Privacy protection for information and data | Detective | |
Test the exit plan, as necessary. CC ID 15495 | Third Party and supply chain oversight | Preventive | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Detective | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Detective | |
Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Detective | |
Perform risk assessments of third parties, as necessary. CC ID 06454 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Submit applications for professional certification. CC ID 16192 | Human Resources management | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Detective | |
Develop or acquire content to update the training plans. CC ID 12867 | Human Resources management | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Preventive | |
Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Human Resources management | Preventive | |
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Human Resources management | Preventive | |
Include risk management in the training plan, as necessary. CC ID 13040 | Human Resources management | Preventive | |
Conduct personal data processing training. CC ID 13757 | Human Resources management | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Preventive | |
Include the cloud service usage standard in the training plan. CC ID 13039 | Human Resources management | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Preventive | |
Conduct tampering prevention training. CC ID 11875 | Human Resources management | Preventive | |
Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Human Resources management | Preventive | |
Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Human Resources management | Preventive | |
Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Human Resources management | Preventive | |
Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Human Resources management | Preventive | |
Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Human Resources management | Preventive | |
Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Human Resources management | Preventive |
There are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Correct compliance violations. CC ID 13515 [{problem} Where services which a provider of information and communications services provides to users under a contract for use are used for transmitting advertising information for profits, in violation of Article 50 or 50-8, the relevant provider of information and communications services shall formulate necessary measures, such as refusal to provide the relevant services or fix of problmes of information and communications networks or services. Article 50-4(4)] | Monitoring and measurement | Process or Activity | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [Where a person responsible for protection of personal information becomes aware of a fact of violation of this Act or other relevant statute, he or she shall take measures for improvement immediately, and if necessary, report the measures for improvement to the business owner or representative of the provider, etc. of information and communications services: Provided, That the provisions concerning reporting of measures for improvement shall not apply where the business owner or representative is the person responsible for protection of personal information pursuant to paragraph (2). Article 27(4)] | Audits and risk management | Establish/Maintain Documentation | |
Implement out-of-band authentication, as necessary. CC ID 10606 | Technical security | Technical Security | |
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Technical security | Communicate | |
Quarantine data that fails security tests. CC ID 16500 | Technical security | Data and Information Management | |
Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Technical security | Data and Information Management | |
Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Technical security | Data and Information Management | |
Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Process or Activity | |
Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Communicate | |
Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 | Technical security | Establish/Maintain Documentation | |
Incorporate the malicious code analysis into the patch management program. CC ID 10673 | Technical security | Technical Security | |
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and environmental protection | Physical and Environmental Protection | |
Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Establish/Maintain Documentation | |
Terminate user accounts when notified that an individual is terminated. CC ID 11614 | Human Resources management | Technical Security | |
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 | Human Resources management | Technical Security | |
Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 | Human Resources management | Data and Information Management | |
Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 | Human Resources management | Human Resources Management | |
Conduct secure coding and development training for developers. CC ID 06822 | Human Resources management | Behavior | |
Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 | Human Resources management | Behavior | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Actionable Reports or Measurements | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Establish/Maintain Documentation | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Establish/Maintain Documentation | |
Contain the incident to prevent further loss. CC ID 01751 [A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If it is anticipated that an abnormality found in the information system of a person who uses clustered information and communications facilities (hereinafter referred to as "user of facilities") will probably cause a serious trouble to the information system of other users of facilities or clustered information and communications facilities; Article 46-2(1)(1) A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If it is anticipated that an intrusion from outside will probably cause a serious trouble to the clustered information and communications facilities; Article 46-2(1)(2) {relevant authority}A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If there occurs a serious intrusion and the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency requests to suspend the services. Article 46-2(1)(3)] | Operational management | Process or Activity | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Technical Security | |
Refrain from accessing compromised systems. CC ID 01752 | Operational management | Technical Security | |
Isolate compromised systems from the network. CC ID 01753 | Operational management | Technical Security | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Log Management | |
Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Technical Security | |
Share incident information with interested personnel and affected parties. CC ID 01212 [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)] | Operational management | Data and Information Management | |
Share data loss event information with the media. CC ID 01759 | Operational management | Behavior | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Establish/Maintain Documentation | |
Report data loss event information to breach notification organizations. CC ID 01210 [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Article 27-3(1)(5) {relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1) {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Measures available for users to take; Article 27-3(1)(3) {relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2) {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Each item of the personal information leaked; Article 27-3(1)(1) {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Countermeasures to be taken by a provider of information and communications services or similar; Article 27-3(1)(4) {relevant authority} A person falling under any of the following subparagraphs shall, where he or she discovers an intrusion, immediately report it to the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency. In such cases, a notice given in accordance with Article 13 (1) of the Act on the Protection of Information and Communications Infrastructure shall be deemed a report under the foregoing sentence: Article 48-3(1) {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Point of time the personal information is leaked; Article 27-3(1)(2)] | Operational management | Data and Information Management | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Behavior | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [{relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1)] | Operational management | Behavior | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Behavior | |
Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Establish/Maintain Documentation | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Communicate | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Behavior | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Behavior | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Behavior | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Behavior | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Behavior | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Behavior | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Communicate | |
Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | System hardening through configuration management | Business Processes | |
Correct billing and settlement errors. CC ID 08623 [A user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3)] | Acquisition or sale of facilities, technology, and services | Business Processes | |
Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 | Privacy protection for information and data | Establish/Maintain Documentation | |
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Privacy protection for information and data | Records Management | |
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Privacy protection for information and data | Records Management | |
Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 | Privacy protection for information and data | Establish/Maintain Documentation | |
Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate private communications when required by law. CC ID 14335 | Privacy protection for information and data | Communicate | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Communicate | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Records Management | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Communicate | |
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 [{refrain from taking}No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to avoid or interfere with an addressee's refusal to receive or revocation of his or her consent to receive advertising information; Article 50(5)(1) {refrain from transmitting} Notwithstanding paragraph (1), where an addressee expresses his or her intention to refuse to receive information or revokes his or her prior consent, no person who intends to transmit advertising information for profit by using an electronic transmission medium shall transmit advertising information for profit. Article 50(2) A provider of information and communications services may take measures to refuse rendering corresponding services in any of the following cases: If a user does not want to receive advertising information; Article 50-4(1)(2)] | Privacy protection for information and data | Communicate | |
Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 | Privacy protection for information and data | Communicate | |
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Privacy protection for information and data | Communicate | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Take appropriate action when a data leakage is discovered. CC ID 14716 [{relevant authority} Upon the request of the Korea Communications Commission or the Korea Internet and Security Agency, a provider, etc. of information and communications services shall take necessary measures such as deleting and blocking exposed personal information referred to in paragraph (1). Article 32-3(2) A provider of information and communications services, etc. shall prepare countermeasures against the leakages, etc. of personal information, and shall seek measures to minimize any damage thereof. Article 27-3(5)] | Privacy protection for information and data | Process or Activity | |
Implement procedures to file privacy rights violation complaints. CC ID 00476 [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)] | Privacy protection for information and data | Data and Information Management | |
File privacy rights violation complaints in writing. CC ID 00477 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 | Privacy protection for information and data | Behavior | |
File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Privacy protection for information and data | Behavior | |
Change or destroy any personal data that is incorrect. CC ID 00462 [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)] | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 [A user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3) {violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2) {violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)] | Privacy protection for information and data | Behavior | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)] | Privacy protection for information and data | Behavior | |
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 | Privacy protection for information and data | Behavior | |
Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 | Privacy protection for information and data | Data and Information Management | |
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Privacy protection for information and data | Business Processes | |
Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Privacy protection for information and data | Communicate | |
Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 | Privacy protection for information and data | Establish/Maintain Documentation | |
Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Privacy protection for information and data | Behavior | |
Order the organization to change to be in compliance with applicable law. CC ID 00499 | Privacy protection for information and data | Behavior | |
Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Privacy protection for information and data | Behavior | |
Award damages based on applicable law. CC ID 00501 [A provider of telecommunications billing services shall negotiate with the claimant to damages for agreement on compensation for the damages under paragraph (1). Article 60(2)] | Privacy protection for information and data | Behavior | |
Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 | Privacy protection for information and data | Data and Information Management | |
Terminate supplier relationships, as necessary. CC ID 13489 [When a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) amends any of the contractual terms and conditions, he or she shall notify users of the amendment thereof one month prior to the effective date of the amended contractual terms and conditions. In such cases, a user who has an objection to the amended contractual terms and conditions may terminate the contract for telecommunications billing services. Article 58(6)] | Third Party and supply chain oversight | Business Processes | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Third Party and supply chain oversight | Business Processes |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Leadership and high level objectives | Investigate | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Leadership and high level objectives | Business Processes | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Leadership and high level objectives | Process or Activity | |
Validate the margin system on a regular basis. CC ID 16660 | Leadership and high level objectives | Testing | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Leadership and high level objectives | Process or Activity | |
Monitor the performance of the margin system. CC ID 16655 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze the performance of the margin system. CC ID 16654 | Leadership and high level objectives | Process or Activity | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Leadership and high level objectives | Investigate | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Log Management | |
Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Testing | |
Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Testing | |
Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Testing | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [Where a person responsible for protection of personal information becomes aware of a fact of violation of this Act or other relevant statute, he or she shall take measures for improvement immediately, and if necessary, report the measures for improvement to the business owner or representative of the provider, etc. of information and communications services: Provided, That the provisions concerning reporting of measures for improvement shall not apply where the business owner or representative is the person responsible for protection of personal information pursuant to paragraph (2). Article 27(4)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Technical security | Process or Activity | |
Interact with the data subject when performing remote proofing. CC ID 13777 | Technical security | Process or Activity | |
View all applicant actions when performing remote proofing. CC ID 13804 | Technical security | Process or Activity | |
Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Technical security | Process or Activity | |
Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Technical security | Process or Activity | |
Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Technical security | Process or Activity | |
Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Technical security | Process or Activity | |
Validate proof of identity during the identity proofing process. CC ID 13756 | Technical security | Process or Activity | |
Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Technical security | Business Processes | |
Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Technical security | Process or Activity | |
Verify proof of identity records. CC ID 13761 | Technical security | Investigate | |
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Technical security | Process or Activity | |
Conduct in-person proofing with physical interactions. CC ID 13775 | Technical security | Process or Activity | |
Reperform the identity proofing process for each individual, as necessary. CC ID 13762 | Technical security | Process or Activity | |
Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 | Technical security | Configuration | |
Configure firewalls to perform dynamic packet filtering. CC ID 01288 | Technical security | Testing | |
Configure network access and control points to organizational standards. CC ID 12442 | Technical security | Configuration | |
Test cryptographic key management applications, as necessary. CC ID 04829 | Technical security | Testing | |
Implement non-repudiation for transactions. CC ID 00567 | Technical security | Testing | |
Scan for malicious code, as necessary. CC ID 11941 | Technical security | Investigate | |
Test all removable storage media for viruses and malicious code. CC ID 11861 | Technical security | Testing | |
Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Technical security | Testing | |
Log and react to all malicious code activity. CC ID 07072 | Technical security | Monitor and Evaluate Occurrences | |
Analyze the behavior and characteristics of the malicious code. CC ID 10672 | Technical security | Technical Security | |
Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and environmental protection | Physical and Environmental Protection | |
Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Investigate | |
Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and environmental protection | Physical and Environmental Protection | |
Test locks for physical security vulnerabilities. CC ID 04880 | Physical and environmental protection | Testing | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Physical and Environmental Protection | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Investigate | |
Log when the vault is accessed. CC ID 06725 | Physical and environmental protection | Log Management | |
Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Log Management | |
Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Monitor physical entry point alarms. CC ID 01639 | Physical and environmental protection | Physical and Environmental Protection | |
Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Monitor for alarmed security doors being propped open. CC ID 06684 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Investigate | |
Test the recovery plan, as necessary. CC ID 13290 | Operational and Systems Continuity | Testing | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Testing | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 | Human Resources management | Testing | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Human Resources Management | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Human Resources Management | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Establish/Maintain Documentation | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Human Resources Management | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Establish/Maintain Documentation | |
Identify and watch individuals that pose a risk to the organization. CC ID 10674 | Human Resources management | Monitor and Evaluate Occurrences | |
Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 | Human Resources management | Human Resources Management | |
Document all training in a training record. CC ID 01423 | Human Resources management | Establish/Maintain Documentation | |
Conduct tests and evaluate training. CC ID 06672 | Human Resources management | Testing | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Training | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Training | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Monitor and Evaluate Occurrences | |
Analyze and evaluate training records to improve the training program. CC ID 06380 | Human Resources management | Monitor and Evaluate Occurrences | |
Include the legal intellectual property responsibilities in the Code of Conduct. CC ID 04898 | Human Resources management | Establish/Maintain Documentation | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Business Processes | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Establish/Maintain Documentation | |
Review and approve access controls, as necessary. CC ID 13074 | Operational management | Process or Activity | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Investigate | |
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Investigate | |
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Establish/Maintain Documentation | |
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Establish/Maintain Documentation | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Log Management | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Behavior | |
Avoid false positive incident response notifications. CC ID 04732 | Operational management | Behavior | |
Include information required by law in incident response notifications. CC ID 00802 | Operational management | Establish/Maintain Documentation | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Establish/Maintain Documentation | |
Analyze and respond to security alerts. CC ID 12504 [{mitigate} A person who operates an information and communications network, including a provider of information and communications services, shall analyze causes of intrusion and keep damage from intrusion at bay, whenever an intrusion occurs. Article 48-4(1)] | Operational management | Business Processes | |
Ensure the root account is the first entry in password files. CC ID 16323 | System hardening through configuration management | Data and Information Management | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Records management | Establish/Maintain Documentation | |
Maintain continued integrity for all stored data and stored records. CC ID 00969 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing fabrication and alteration of ound-color:#F0BBBC;" class="term_primary-noun">access records; Article 28(1)(3)] | Records management | Testing | |
Compare each record's data input to its final form. CC ID 11813 | Records management | Records Management | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records management | Records Management | |
Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 | Systems design, build, and implementation | Monitor and Evaluate Occurrences | |
Require a data protection impact assessment when profiling the data subject. CC ID 12680 | Privacy protection for information and data | Process or Activity | |
Document privacy policies in clearly written and easily understood language. CC ID 00376 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Privacy protection for information and data | Behavior | |
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Behavior | |
Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Privacy protection for information and data | Process or Activity | |
Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Investigate | |
Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Data and Information Management | |
Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Privacy protection for information and data | Business Processes | |
Confirm the data quality of personal data collected from third parties. CC ID 13510 | Privacy protection for information and data | Investigate | |
Review the methods for collecting personal data, as necessary. CC ID 13511 | Privacy protection for information and data | Investigate | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Testing | |
Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Testing | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Data and Information Management | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Investigate | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Behavior | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Data and Information Management | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Log Management | |
Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Log Management | |
Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Data and Information Management | |
Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Process or Activity | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Testing | |
Review compliance with the organization's privacy objectives. CC ID 13490 | Privacy protection for information and data | Human Resources Management | |
Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Behavior | |
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Privacy protection for information and data | Behavior | |
Investigate privacy rights violation complaints in private. CC ID 00492 | Privacy protection for information and data | Behavior | |
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 | Privacy protection for information and data | Behavior | |
Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Privacy protection for information and data | Behavior | |
Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 | Privacy protection for information and data | Testing | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [{refrain from obtaining} Where any person intends to post advertising information for profit on an Internet website, he or she shall obtain prior consent from the operator or the manager of an Internet website: Provided, That in cases of a message board to which any person can have easy access without special authority and on which any person can post his or her message, he or she need not obtain prior consent. Article 50-7(1)] | Third Party and supply chain oversight | Process or Activity | |
Include a termination provision clause in third party contracts. CC ID 01367 [If a provider of information and communications services intends to take any measure for refusal under paragraph (1) or (4), he or she shall include matters concerning the refusal of the relevant services in the terms and conditions of a contract for use of information and communications services which he or she concludes with the user of such services. Article 50-4(2)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Testing | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Testing | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Testing | |
Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Testing | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Testing | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Data and Information Management | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Testing | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Approve all Service Level Agreements. CC ID 00843 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Third Party and supply chain oversight | Business Processes | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Perform risk assessments of third parties, as necessary. CC ID 06454 | Third Party and supply chain oversight | Testing | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 | Third Party and supply chain oversight | Audits and Risk Management |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain an external reporting program. CC ID 12876 [{relevant authority} A provider of information and communications services may designate a chief information protection officer at a level of an executive officer for security of information and communications system, etc. and for safe administration of information: Provided, That in cases of any provider of information and communications services whose number of employees, number of users, etc. meet standards prescribed by Presidential Decree, he or she shall report its designation of the chief information protection officer to the Minister of Science, ICT and Future Planning. Article 45-3(1)] | Leadership and high level objectives | Communicate | |
Provide identifying information about the organization to the responsible party. CC ID 16715 | Leadership and high level objectives | Communicate | |
Identify the material topics required to be reported on. CC ID 15654 | Leadership and high level objectives | Business Processes | |
Check the list of material topics for completeness. CC ID 15692 | Leadership and high level objectives | Investigate | |
Prioritize material topics used in reporting. CC ID 15678 | Leadership and high level objectives | Communicate | |
Review and approve the material topics, as necessary. CC ID 15670 | Leadership and high level objectives | Process or Activity | |
Define the thresholds for reporting in the external reporting program. CC ID 15679 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include time requirements in the external reporting program. CC ID 16566 | Leadership and high level objectives | Communicate | |
Include information about the organizational culture in the external reporting program. CC ID 15610 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 [{relevant authority} When the identification service agency intends to discontinue the identification affairs, it shall notify the intention to the users no later than 60 days prior to the intended date of discontinuation and shall report the same to the Korea Communications Commission. Article 23-3(3) {relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2) {relevant authority} Every provider of telecommunications billing services shall prepare a standard contract form on telecommunications billing services and report it to the Minister of Science, ICT and Future Planning (including reporting on a revision thereto). Article 56(1)] | Leadership and high level objectives | Communicate | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Communicate | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Establish/Maintain Documentation | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain organizational objectives. CC ID 09959 [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: A business plan. Article 53(1)(4)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Leadership and high level objectives | Process or Activity | |
Identify events that may affect organizational objectives. CC ID 12961 | Leadership and high level objectives | Process or Activity | |
Identify conditions that may affect organizational objectives. CC ID 12958 | Leadership and high level objectives | Process or Activity | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 | Leadership and high level objectives | Business Processes | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 | Leadership and high level objectives | Business Processes | |
Prioritize organizational objectives. CC ID 09960 | Leadership and high level objectives | Business Processes | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Leadership and high level objectives | Communicate | |
Include value distribution in the value generation model. CC ID 15603 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include value retention in the value generation model. CC ID 15600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include value generation procedures in the value generation model. CC ID 15599 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Communicate | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 | Leadership and high level objectives | Communicate | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 | Leadership and high level objectives | Establish/Maintain Documentation | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Business Processes | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Leadership and high level objectives | Process or Activity | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Leadership and high level objectives | Process or Activity | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a financial management program. CC ID 13228 [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Financial soundness; Article 53(1)(1)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Leadership and high level objectives | Establish/Maintain Documentation | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Leadership and high level objectives | Communicate | |
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Leadership and high level objectives | Business Processes | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Leadership and high level objectives | Business Processes | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Leadership and high level objectives | Business Processes | |
Attach the required information to each funds transfer. CC ID 16756 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Leadership and high level objectives | Business Processes | |
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Leadership and high level objectives | Testing | |
Include communication protocols in the financial management program. CC ID 16763 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Leadership and high level objectives | Process or Activity | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Leadership and high level objectives | Process or Activity | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Leadership and high level objectives | Business Processes | |
Identify and maintain positions in financial accounts. CC ID 16751 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Leadership and high level objectives | Establish/Maintain Documentation | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Leadership and high level objectives | Establish/Maintain Documentation | |
Supplement financial resources, as necessary. CC ID 16685 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Leadership and high level objectives | Establish/Maintain Documentation | |
Test the collateral requirements for appropriateness. CC ID 16681 | Leadership and high level objectives | Testing | |
Limit the types of assets accepted as collateral. CC ID 16602 | Leadership and high level objectives | Business Processes | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Leadership and high level objectives | Testing | |
Include stress scenarios in the stress test plan. CC ID 16659 | Leadership and high level objectives | Testing | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Leadership and high level objectives | Testing | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Leadership and high level objectives | Communicate | |
Identify and document the financial resources available for use. CC ID 16643 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Leadership and high level objectives | Business Processes | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include required information in the capital restoration plan. CC ID 16609 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include investment information in approval requests for investments. CC ID 16590 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain lending policies. CC ID 16608 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Leadership and high level objectives | Process or Activity | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include pricing structures in the lending policy. CC ID 16724 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include monitoring requirements in the lending policy. CC ID 16710 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan origination procedures in the lending policy. CC ID 16709 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan requirements in the lending policy. CC ID 16706 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include terms and conditions in the lending policy. CC ID 16695 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include geographic areas in the lending policy. CC ID 16691 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include credit review in the underwriting guidelines. CC ID 16765 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include documentation requirements in the lending policy. CC ID 16617 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the source of repayment in the loan documentation. CC ID 16746 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include approval requirements in the lending policy. CC ID 16615 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include reporting requirements in the lending policy. CC ID 16614 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan administration procedures in the lending policy. CC ID 16610 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Leadership and high level objectives | Establish/Maintain Documentation | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include claims processing in the loan administration procedures. CC ID 16742 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Leadership and high level objectives | Process or Activity | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan closing in the loan administration procedures. CC ID 16734 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include payment processing in the loan administration procedures. CC ID 16732 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include collections in the loan administration procedures. CC ID 16701 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include disbursements in the loan administration procedures. CC ID 16697 | Leadership and high level objectives | Establish/Maintain Documentation | |
Review and approve lending policies. CC ID 16607 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include compliance requirements in the dividend policy. CC ID 16570 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain margin systems. CC ID 16601 | Leadership and high level objectives | Business Processes | |
Include valuation models in the margin system. CC ID 16663 | Leadership and high level objectives | Data and Information Management | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Leadership and high level objectives | Data and Information Management | |
Include reliable sources for price data in the margin system. CC ID 16661 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Data and Information Management | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Data and Information Management | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Data and Information Management | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Data and Information Management | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Data and Information Management | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Data and Information Management | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Data and Information Management | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Data and Information Management | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Data and Information Management | |
Include account information In the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the call date in the securities transaction notification. CC ID 16680 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the call price in the securities transaction notification. CC ID 16678 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include transactions in the securities transaction notification. CC ID 16676 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include yield information in the securities transaction notification. CC ID 16673 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include redemption information in the securities transaction notification. CC ID 16672 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the type of call in the securities transaction notification. CC ID 16668 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an account statement in the securities transaction notification. CC ID 16666 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the execution price in the securities transaction notification. CC ID 16664 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include confirmations in the securities transaction notification. CC ID 16623 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include remunerations in the securities transaction notification. CC ID 16622 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include requested information in the securities transaction notification. CC ID 16641 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Leadership and high level objectives | Communicate | |
Include the execution date in the securities transaction notification. CC ID 16620 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain financial reports. CC ID 14770 | Leadership and high level objectives | Establish/Maintain Documentation | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Communicate | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 [A chief information protection officer shall be responsible for the following matters: Prevention of and response to an intrusion; Article 45-3(3)(3)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 [The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Installation of a systematic or technical device for preventing unlawful use of information and communications networks; Article 51(3)(1)] | Monitoring and measurement | Configuration | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a system security plan. CC ID 01922 [Every provider of information and communications services shall take protective measures to secure the reliability of the information and security of the information and communications networks. Article 45(1)] | Monitoring and measurement | Testing | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Establish/Maintain Documentation | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Establish/Maintain Documentation | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Establish/Maintain Documentation | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Communicate | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Establish/Maintain Documentation | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Process or Activity | |
Include security controls in the system security plan. CC ID 14239 [Every business operator who operates and manages clustered information and communications facilities to render information and communications services on behalf of another person (hereinafter referred to as "business operator of clustered information and communications facilities") shall take protective measures as prescribed by Presidential Decree to operate the information and communications facilities stably. Article 46(1)] | Monitoring and measurement | Establish/Maintain Documentation | |
Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Establish/Maintain Documentation | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Business Processes | |
Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Establish/Maintain Documentation | |
Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Establish/Maintain Documentation | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Establish/Maintain Documentation | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Testing | |
Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Human Resources Management | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Establish/Maintain Documentation | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Business Processes | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Establish/Maintain Documentation | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Review and approve the risk assessment findings. CC ID 06485 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain digital identification procedures. CC ID 13714 [Any of the following persons shall, if he or she intends to install and operate a message board, take necessary measures, as prescribed by Presidential Decree (hereinafter referred to as "measures for identity verification"), including preparation of methods and procedures for verifying identity of users of the message board: Article 44-5(1) {refrain from using} Even where the collection/use of users' resident registration numbers is authorized pursuant to paragraph (1) 2 or 3, an identification method without using the users' resident registration numbers (hereinafter referred to as "alternative means") shall be provided. Article 23-2(2)] | Technical security | Establish/Maintain Documentation | |
Implement digital identification processes. CC ID 13731 | Technical security | Process or Activity | |
Implement identity proofing processes. CC ID 13719 | Technical security | Process or Activity | |
Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Technical security | Process or Activity | |
Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Technical security | Process or Activity | |
Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Technical security | Process or Activity | |
Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Technical security | Establish/Maintain Documentation | |
Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Technical security | Configuration | |
Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Technical security | Process or Activity | |
Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Technical security | Process or Activity | |
Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Technical security | Process or Activity | |
Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Technical security | Process or Activity | |
Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Technical security | Process or Activity | |
Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Technical security | Configuration | |
Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Technical security | Configuration | |
Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Technical security | Configuration | |
Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Technical security | Process or Activity | |
Allow records that relate to the data subject as proof of identity. CC ID 13772 | Technical security | Process or Activity | |
Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Technical security | Process or Activity | |
Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Technical security | Process or Activity | |
Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Technical security | Process or Activity | |
Refrain from approving attributes in the identity proofing process. CC ID 13716 | Technical security | Process or Activity | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Establish/Maintain Documentation | |
Control access rights to organizational assets. CC ID 00004 | Technical security | Technical Security | |
Establish access rights based on least privilege. CC ID 01411 [Every provider of information and communications services or similar shall restrict the persons who may manage users' C;" class="term_primary-noun">personal information to the minimum extent. Every provider of information and communications services or similar shall restrict the persons who may manage users' personal information to the minimum extent. Article 28(2)] | Technical security | Technical Security | |
Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Technical Security | |
Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Technical Security | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Configuration | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Establish Roles | |
Enforce access restrictions for restricted data. CC ID 01921 [A major provider of information and communications services may, if it is foreseen that a serious problem is likely to occur in the information system of a user who uses the services, the information and communications network, or similar provided by it because of an occurrence of a serious intrusion on its information and communications network, request the user to take necessary protective measures as stipulated by the standard user agreement, and may place a temporary restriction on access to the relevant information and communications network if the user does not perform as requested. Article 47-4(2)] | Technical security | Data and Information Management | |
Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)] | Technical security | Technical Security | |
Establish, implement, and maintain access control procedures. CC ID 11663 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Installation> and operation of an access control devicean>, such as a system for blocking intrusion to cut off illegal access to personal information; Article 28(1)(2)] | Technical security | Establish/Maintain Documentation | |
Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Configuration | |
Document approving and granting access in the access control log. CC ID 06786 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Communicate | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Establish/Maintain Documentation | |
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Establish/Maintain Documentation | |
Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Data and Information Management | |
Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Establish/Maintain Documentation | |
Identify and control all network access controls. CC ID 00529 | Technical security | Technical Security | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Technical security | Establish/Maintain Documentation | |
Configure network access and control points to protect restricted data or restricted information. CC ID 01284 [A chief information protection officer shall be responsible for the following matters: Review of the encryption of an important information and the suitability of a security server; Article 45-3(3)(6)] | Technical security | Configuration | |
Protect data stored at external locations. CC ID 16333 | Technical security | Data and Information Management | |
Protect the firewall's network connection interfaces. CC ID 01955 | Technical security | Technical Security | |
Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 | Technical security | Configuration | |
Allow local program exceptions on the firewall, as necessary. CC ID 01956 | Technical security | Configuration | |
Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 | Technical security | Configuration | |
Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 | Technical security | Configuration | |
Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 | Technical security | Configuration | |
Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 | Technical security | Configuration | |
Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 | Technical security | Configuration | |
Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 | Technical security | Configuration | |
Allow notification exceptions on the firewall, as necessary. CC ID 01962 | Technical security | Configuration | |
Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 | Technical security | Configuration | |
Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 | Technical security | Configuration | |
Allow local port exceptions on the firewall, as necessary. CC ID 01966 | Technical security | Configuration | |
Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 | Technical security | Configuration | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical security | Technical Security | |
Configure firewall filtering to only permit established connections into the network. CC ID 12482 | Technical security | Technical Security | |
Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 | Technical security | Data and Information Management | |
Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 | Technical security | Data and Information Management | |
Synchronize and secure all router configuration files. CC ID 01291 | Technical security | Configuration | |
Synchronize and secure all firewall configuration files. CC ID 11851 | Technical security | Configuration | |
Configure firewalls to generate an audit log. CC ID 12038 | Technical security | Audits and Risk Management | |
Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 | Technical security | Configuration | |
Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 | Technical security | Establish/Maintain Documentation | |
Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 | Technical security | Establish/Maintain Documentation | |
Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 | Technical security | Establish/Maintain Documentation | |
Enforce information flow control. CC ID 11781 | Technical security | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Technical security | Establish/Maintain Documentation | |
Constrain the information flow of restricted data or restricted information. CC ID 06763 [The Government may have providers or users of information and communications services to take necessary measures to prevent outflow " class="term_primary-noun">abroad of any important | Technical security | Data and Information Management | |
Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 | Technical security | Data and Information Management | |
Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 | Technical security | Data and Information Management | |
Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 | Technical security | Data and Information Management | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 [A chief information protection officer shall be responsible for the following matters: Review of the encryption of an important information and the suitability of a security server; Article 45-3(3)(6)] | Technical security | Technical Security | |
Comply with the encryption laws of the local country. CC ID 16377 | Technical security | Business Processes | |
Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 | Technical security | Establish/Maintain Documentation | |
Define the cryptographic boundaries. CC ID 06543 | Technical security | Establish/Maintain Documentation | |
Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 | Technical security | Establish/Maintain Documentation | |
Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 | Technical security | Establish/Maintain Documentation | |
Implement the documented cryptographic module security functions. CC ID 06755 | Technical security | Data and Information Management | |
Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 | Technical security | Establish/Maintain Documentation | |
Document the operation of the cryptographic module. CC ID 06546 | Technical security | Establish/Maintain Documentation | |
Employ cryptographic controls that comply with applicable requirements. CC ID 12491 | Technical security | Technical Security | |
Establish, implement, and maintain digital signatures. CC ID 13828 | Technical security | Data and Information Management | |
Include the expiration date in digital signatures. CC ID 13833 | Technical security | Data and Information Management | |
Include audience restrictions in digital signatures. CC ID 13834 | Technical security | Data and Information Management | |
Include the subject in digital signatures. CC ID 13832 | Technical security | Data and Information Management | |
Include the issuer in digital signatures. CC ID 13831 | Technical security | Data and Information Management | |
Include identifiers in the digital signature. CC ID 13829 | Technical security | Data and Information Management | |
Generate and protect a secret random number for each digital signature. CC ID 06577 | Technical security | Establish/Maintain Documentation | |
Establish the security strength requirements for the digital signature process. CC ID 06578 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 | Technical security | Establish/Maintain Documentation | |
Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Technical security | Configuration | |
Encrypt in scope data or in scope information, as necessary. CC ID 04824 | Technical security | Data and Information Management | |
Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Data and Information Management | |
Make key usage for data fields unique for each device. CC ID 04828 | Technical security | Technical Security | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Data and Information Management | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Data and Information Management | |
Accept only trusted keys and/or certificates. CC ID 11988 | Technical security | Technical Security | |
Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Technical security | Data and Information Management | |
Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Technical security | Process or Activity | |
Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Technical security | Process or Activity | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Communicate | |
Define the format of the biometric data on identification cards or badges. CC ID 06586 | Technical security | Process or Activity | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Data and Information Management | |
Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Technical security | Communicate | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 | Technical security | Establish/Maintain Documentation | |
Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Technical security | Establish Roles | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Technical security | Communicate | |
Bind keys to each identity. CC ID 12337 | Technical security | Technical Security | |
Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Technical security | Establish/Maintain Documentation | |
Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Technical security | Establish/Maintain Documentation | |
Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Technical security | Data and Information Management | |
Generate strong cryptographic keys. CC ID 01299 | Technical security | Data and Information Management | |
Generate unique cryptographic keys for each user. CC ID 12169 | Technical security | Technical Security | |
Use approved random number generators for creating cryptographic keys. CC ID 06574 | Technical security | Data and Information Management | |
Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical security | Technical Security | |
Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate cryptographic keys securely. CC ID 01300 | Technical security | Data and Information Management | |
Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Technical security | Data and Information Management | |
Store cryptographic keys securely. CC ID 01298 | Technical security | Data and Information Management | |
Restrict access to cryptographic keys. CC ID 01297 | Technical security | Data and Information Management | |
Store cryptographic keys in encrypted format. CC ID 06084 | Technical security | Data and Information Management | |
Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical security | Technical Security | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Establish/Maintain Documentation | |
Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Technical security | Data and Information Management | |
Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Technical security | Data and Information Management | |
Control cryptographic keys with split knowledge and dual control. CC ID 01304 | Technical security | Data and Information Management | |
Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Technical security | Data and Information Management | |
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical security | Technical Security | |
Archive outdated cryptographic keys. CC ID 06884 | Technical security | Data and Information Management | |
Archive revoked cryptographic keys. CC ID 11819 | Technical security | Data and Information Management | |
Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Technical security | Establish/Maintain Documentation | |
Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Technical security | Human Resources Management | |
Manage the digital signature cryptographic key pair. CC ID 06576 | Technical security | Data and Information Management | |
Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Technical security | Establish/Maintain Documentation | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Establish Roles | |
Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Technical security | Establish/Maintain Documentation | |
Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Technical security | Establish/Maintain Documentation | |
Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Technical security | Establish/Maintain Documentation | |
Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Technical security | Establish/Maintain Documentation | |
Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Technical security | Establish/Maintain Documentation | |
Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical security | Technical Security | |
Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical security | Technical Security | |
Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Technical security | Establish/Maintain Documentation | |
Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Technical security | Establish/Maintain Documentation | |
Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Technical security | Establish/Maintain Documentation | |
Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Technical security | Establish/Maintain Documentation | |
Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical security | Technical Security | |
Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Technical security | Records Management | |
Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 | Technical security | Technical Security | |
Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 | Technical security | Technical Security | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for security by using encryption technology and other methods for safe storage and transmission of personal information; Article 28(1)(4)] | Technical security | Technical Security | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Technical security | Configuration | |
Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical security | Technical Security | |
Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical security | Technical Security | |
Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Technical security | Establish/Maintain Documentation | |
Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical security | Technical Security | |
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical security | Technical Security | |
Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical security | Technical Security | |
Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical security | Technical Security | |
Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical security | Technical Security | |
Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical security | Technical Security | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 [{antivirus software}Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing intrusion of computer viruses, including installation and operation of vaccine software; Article 28(1)(5) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that mutilates, destroys, alters, or forges an information and communications system, data, a program, or similar or that interferes with the operation of such system, data, program, or similar without a justifiable ground; Article 44-7(1)(4)] | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Technical security | Communicate | |
Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Technical security | Communicate | |
Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Technical security | Establish/Maintain Documentation | |
Restrict downloading to reduce malicious code attacks. CC ID 04576 | Technical security | Behavior | |
Install security and protection software, as necessary. CC ID 00575 [{antivirus software}Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing intrusion of computer viruses, including installation and operation of vaccine software; Article 28(1)(5)] | Technical security | Configuration | |
Install and maintain container security solutions. CC ID 16178 | Technical security | Technical Security | |
Protect the system against replay attacks. CC ID 04552 | Technical security | Technical Security | |
Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Technical security | Establish Roles | |
Lock antivirus configurations. CC ID 10047 | Technical security | Configuration | |
Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Human resources and physical facilities required for carrying on the business; Article 53(1)(3)] | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Establish/Maintain Documentation | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Behavior | |
Protect the facility from crime. CC ID 06347 | Physical and environmental protection | Physical and Environmental Protection | |
Define communication methods for reporting crimes. CC ID 06349 | Physical and environmental protection | Establish/Maintain Documentation | |
Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Establish/Maintain Documentation | |
Protect facilities from eavesdropping. CC ID 02222 | Physical and environmental protection | Physical and Environmental Protection | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Establish/Maintain Documentation | |
Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and environmental protection | Physical and Environmental Protection | |
Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and environmental protection | Physical and Environmental Protection | |
Create security zones in facilities, as necessary. CC ID 16295 | Physical and environmental protection | Physical and Environmental Protection | |
Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Establish/Maintain Documentation | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Establish/Maintain Documentation | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Communicate | |
Post and maintain security signage for all facilities. CC ID 02201 | Physical and environmental protection | Establish/Maintain Documentation | |
Inspect items brought into the facility. CC ID 06341 | Physical and environmental protection | Physical and Environmental Protection | |
Maintain all physical security systems. CC ID 02206 | Physical and environmental protection | Physical and Environmental Protection | |
Maintain all security alarm systems. CC ID 11669 | Physical and environmental protection | Physical and Environmental Protection | |
Identify and document physical access controls for all physical entry points. CC ID 01637 | Physical and environmental protection | Establish/Maintain Documentation | |
Control physical access to (and within) the facility. CC ID 01329 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain physical access procedures. CC ID 13629 | Physical and environmental protection | Establish/Maintain Documentation | |
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and environmental protection | Physical and Environmental Protection | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Physical and environmental protection | Establish/Maintain Documentation | |
Escort visitors within the facility, as necessary. CC ID 06417 | Physical and environmental protection | Establish/Maintain Documentation | |
Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and environmental protection | Physical and Environmental Protection | |
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Physical and environmental protection | Testing | |
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Physical and environmental protection | Behavior | |
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Physical and environmental protection | Establish/Maintain Documentation | |
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Physical and environmental protection | Establish/Maintain Documentation | |
Authorize physical access to sensitive areas based on job functions. CC ID 12462 | Physical and environmental protection | Establish/Maintain Documentation | |
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain physical identification procedures. CC ID 00713 | Physical and environmental protection | Establish/Maintain Documentation | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Human Resources Management | |
Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Process or Activity | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Process or Activity | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Physical and Environmental Protection | |
Implement operational requirements for card readers. CC ID 02225 | Physical and environmental protection | Testing | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Establish/Maintain Documentation | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Physical and Environmental Protection | |
Manage constituent identification inside the facility. CC ID 02215 | Physical and environmental protection | Behavior | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Human Resources Management | |
Manage visitor identification inside the facility. CC ID 11670 | Physical and environmental protection | Physical and Environmental Protection | |
Issue visitor identification badges to all non-employees. CC ID 00543 | Physical and environmental protection | Behavior | |
Secure unissued visitor identification badges. CC ID 06712 | Physical and environmental protection | Physical and Environmental Protection | |
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Physical and environmental protection | Behavior | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Physical and environmental protection | Establish/Maintain Documentation | |
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Physical and environmental protection | Process or Activity | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Establish/Maintain Documentation | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Business Processes | |
Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Establish/Maintain Documentation | |
Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Physical and environmental protection | Process or Activity | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Establish/Maintain Documentation | |
Include an identity registration process in the identification issuance procedures. CC ID 11671 | Physical and environmental protection | Establish/Maintain Documentation | |
Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and environmental protection | Physical and Environmental Protection | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Physical and Environmental Protection | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Physical and Environmental Protection | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Physical and environmental protection | Establish/Maintain Documentation | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Human Resources Management | |
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Physical and environmental protection | Establish/Maintain Documentation | |
Prevent tailgating through physical entry points. CC ID 06685 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a door security standard. CC ID 06686 | Physical and environmental protection | Establish/Maintain Documentation | |
Install doors so that exposed hinges are on the secured side. CC ID 06687 | Physical and environmental protection | Configuration | |
Install emergency doors to permit egress only. CC ID 06688 | Physical and environmental protection | Configuration | |
Install contact alarms on doors, as necessary. CC ID 06710 | Physical and environmental protection | Configuration | |
Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and environmental protection | Physical and Environmental Protection | |
Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Physical and environmental protection | Configuration | |
Secure unissued access mechanisms. CC ID 06713 | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Physical and environmental protection | Establish/Maintain Documentation | |
Change cipher lock codes, as necessary. CC ID 06651 | Physical and environmental protection | Technical Security | |
Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a window security standard. CC ID 06689 | Physical and environmental protection | Establish/Maintain Documentation | |
Install contact alarms on openable windows, as necessary. CC ID 06690 | Physical and environmental protection | Configuration | |
Install glass break alarms on windows, as necessary. CC ID 06691 | Physical and environmental protection | Configuration | |
Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Physical and environmental protection | Establish/Maintain Documentation | |
Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and environmental protection | Physical and Environmental Protection | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Physical and Environmental Protection | |
Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and environmental protection | Physical and Environmental Protection | |
Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and environmental protection | Physical and Environmental Protection | |
Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and environmental protection | Physical and Environmental Protection | |
Screen incoming mail and deliveries. CC ID 06719 | Physical and environmental protection | Physical and Environmental Protection | |
Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish a security room, if necessary. CC ID 00738 | Physical and environmental protection | Physical and Environmental Protection | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and environmental protection | Physical and Environmental Protection | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Physical and Environmental Protection | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, Implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Communicate | |
Establish and maintain a visitor log. CC ID 00715 | Physical and environmental protection | Log Management | |
Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Physical and environmental protection | Establish/Maintain Documentation | |
Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Physical and environmental protection | Behavior | |
Record the visitor's name in the visitor log. CC ID 00557 | Physical and environmental protection | Log Management | |
Record the visitor's organization in the visitor log. CC ID 12121 | Physical and environmental protection | Log Management | |
Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Physical and environmental protection | Log Management | |
Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Establish/Maintain Documentation | |
Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Physical and environmental protection | Establish/Maintain Documentation | |
Retain all records in the visitor log as prescribed by law. CC ID 00572 | Physical and environmental protection | Log Management | |
Establish, implement, and maintain a physical access log. CC ID 12080 | Physical and environmental protection | Establish/Maintain Documentation | |
Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Physical and environmental protection | Log Management | |
Store facility access logs in off-site storage. CC ID 06958 | Physical and environmental protection | Log Management | |
Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Configure video cameras to cover all physical entry points. CC ID 06302 | Physical and environmental protection | Configuration | |
Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Physical and environmental protection | Configuration | |
Retain video events according to Records Management procedures. CC ID 06304 | Physical and environmental protection | Records Management | |
Establish, implement, and maintain physical security threat reports. CC ID 02207 | Physical and environmental protection | Establish/Maintain Documentation | |
Build and maintain fencing, as necessary. CC ID 02235 | Physical and environmental protection | Physical and Environmental Protection | |
Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and environmental protection | Physical and Environmental Protection | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Physical and Environmental Protection | |
Employ security guards to provide physical security, as necessary. CC ID 06653 | Physical and environmental protection | Establish Roles | |
Establish, implement, and maintain a facility wall standard. CC ID 06692 | Physical and environmental protection | Establish/Maintain Documentation | |
Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and environmental protection | Physical and Environmental Protection | |
Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Physical and environmental protection | Configuration | |
Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Physical and environmental protection | Behavior | |
Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Physical and environmental protection | Behavior | |
Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Physical and environmental protection | Business Processes | |
Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Physical and environmental protection | Behavior | |
Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Physical and environmental protection | Behavior | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [A business operator of clustered information and communications facilities shall, once the event that caused suspension of services terminates, resume its services immediately. Article 46-2(3)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Communicate | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Human Resources Management | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Communicate | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include purchasing insurance in the continuity plan. CC ID 00762 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 [Every business operator of clustered information and communications facilities shall purchase insurance policies as prescribed by Presidential Decree to cover damages that may be caused by destruction or damage of the clustered information and communications facilities or any other trouble in operation. Article 46(2)] | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles | |
Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 [{relevant authority} A provider of information and communications services may designate a chief information protection officer at a level of an executive officer for security of information and communications system, etc. and for safe administration of information: Provided, That in cases of any provider of information and communications services whose number of employees, number of users, etc. meet standards prescribed by Presidential Decree, he or she shall report its designation of the chief information protection officer to the Minister of Science, ICT and Future Planning. Article 45-3(1) A provider of information and communications services may establish and operate an association of chief information protection officers comprised of chief information protection officers prescribed in paragraph (1) in order to jointly perform prevention/response in cases of intrusion, sharing necessary information and other joint programs prescribed by Presidential Decree. Article 45-3(4)] | Human Resources management | Establish Roles | |
Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 [A provider of information and communications services whose the average number of users per day, sales, and other related factors fall under the criteria prescribed by Presidential Decree shall designate a person responsible for protection of juvenile to keep juvenile from unwholesome information to juvenile in the information and communication network. Article 42-3(1) The person responsible for protection of juvenile shall be chosen from among executive officers of the relevant business operator or the persons in a position equivalent to the head of a department responsible for business affairs related to protection of juvenile. Article 42-3(2)] | Human Resources management | Establish Roles | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Human Resources Management | |
Identify and define all critical roles. CC ID 00777 | Human Resources management | Establish Roles | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 [Every provider of information and communications services or similar shall designate a person responsible for protection of personal information so that he or she protects the personal information of users and process complaints from users in connection with the personal information: Provided, That a provider of information and communications services or similar may, if he or she falls under the criteria prescribed by Presidential Decree for the number of employees, number of users, and other related matters, omit such designation. Article 27(1) If a provider of information and communications services or similar does not designate a person responsible for protection of personal information under the proviso to paragraph (1), the business owner or representative of the provider or similar shall be the person responsible for protection of personal information. Article 27(2)] | Human Resources management | Establish Roles | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Human Resources Management | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Human Resources Management | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Human Resources Management | |
Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Establish Roles | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Human Resources Management | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Establish Roles | |
Establish, implement, and maintain a personnel management program. CC ID 14018 [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Human resources and physical facilities required for carrying on the business; Article 53(1)(3)] | Human Resources management | Establish/Maintain Documentation | |
Categorize the gender of all employees. CC ID 15609 | Human Resources management | Human Resources Management | |
Categorize all employees by racial groups and ethnic groups. CC ID 15627 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 | Human Resources management | Human Resources Management | |
Establish and maintain Personnel Files for all employees. CC ID 12438 | Human Resources management | Human Resources Management | |
Include credit check results in each employee's personnel file. CC ID 12447 | Human Resources management | Human Resources Management | |
Include any criminal records in each employee's personnel file. CC ID 12446 | Human Resources management | Human Resources Management | |
Include all employee information in each employee's personnel file. CC ID 12445 | Human Resources management | Human Resources Management | |
Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 | Human Resources management | Human Resources Management | |
Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 | Human Resources management | Human Resources Management | |
Include referral follow-up results in each employee's personnel file. CC ID 12440 | Human Resources management | Human Resources Management | |
Include background check results in each employee's personnel file. CC ID 12439 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Human Resources management | Establish/Maintain Documentation | |
Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 | Human Resources management | Human Resources Management | |
Require all new hires to sign the Code of Conduct. CC ID 06665 | Human Resources management | Establish/Maintain Documentation | |
Require all new hires to sign Acceptable Use Policies. CC ID 06662 | Human Resources management | Establish/Maintain Documentation | |
Require new hires to sign nondisclosure agreements. CC ID 06668 | Human Resources management | Establish/Maintain Documentation | |
Train all new hires, as necessary. CC ID 06673 | Human Resources management | Behavior | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a personnel security policy. CC ID 14025 | Human Resources management | Establish/Maintain Documentation | |
Include compliance requirements in the personnel security policy. CC ID 14154 | Human Resources management | Establish/Maintain Documentation | |
Include coordination amongst entities in the personnel security policy. CC ID 14114 | Human Resources management | Establish/Maintain Documentation | |
Include management commitment in the personnel security policy. CC ID 14113 | Human Resources management | Establish/Maintain Documentation | |
Include roles and responsibilities in the personnel security policy. CC ID 14112 | Human Resources management | Establish/Maintain Documentation | |
Include the scope in the personnel security policy. CC ID 14111 | Human Resources management | Establish/Maintain Documentation | |
Include the purpose in the personnel security policy. CC ID 14110 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain personnel security procedures. CC ID 14058 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 | Human Resources management | Communicate | |
Establish, implement, and maintain security clearance level criteria. CC ID 00780 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain staff position risk designations. CC ID 14280 | Human Resources management | Human Resources Management | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Establish Roles | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Establish Roles | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Human Resources Management | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Establish/Maintain Documentation | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Human Resources Management | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Human Resources Management | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Establish/Maintain Documentation | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Testing | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Human Resources Management | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Human Resources Management | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Human Resources Management | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Communicate | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Establish/Maintain Documentation | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Human Resources Management | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Human Resources management | Establish/Maintain Documentation | |
Assign an owner of the personnel status change and termination procedures. CC ID 11805 | Human Resources management | Human Resources Management | |
Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 | Human Resources management | Human Resources Management | |
Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 | Human Resources management | Behavior | |
Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 | Human Resources management | Communicate | |
Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 | Human Resources management | Human Resources Management | |
Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 | Human Resources management | Behavior | |
Conduct exit interviews upon termination of employment. CC ID 14290 | Human Resources management | Human Resources Management | |
Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 | Human Resources management | Establish/Maintain Documentation | |
Train all personnel and third parties, as necessary. CC ID 00785 [A provider of information and communications services or similar shall control, supervise and educate the trustee to ensure that the trustee does not violate any provision of this Chapter. Article 25(4)] | Human Resources management | Behavior | |
Establish, implement, and maintain an education methodology. CC ID 06671 | Human Resources management | Business Processes | |
Support certification programs as viable training programs. CC ID 13268 | Human Resources management | Human Resources Management | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Establish/Maintain Documentation | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Establish/Maintain Documentation | |
Submit applications for professional certification. CC ID 16192 | Human Resources management | Training | |
Retrain all personnel, as necessary. CC ID 01362 | Human Resources management | Behavior | |
Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Human Resources management | Behavior | |
Tailor training to be taught at each person's level of responsibility. CC ID 06674 | Human Resources management | Behavior | |
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Human Resources management | Behavior | |
Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Human Resources management | Behavior | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Human Resources Management | |
Review the current published guidance and awareness and training programs. CC ID 01245 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Establish/Maintain Documentation | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Training | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Training | |
Develop or acquire content to update the training plans. CC ID 12867 | Human Resources management | Training | |
Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Training | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Establish/Maintain Documentation | |
Include ethical culture in the training plan, as necessary. CC ID 12801 | Human Resources management | Human Resources Management | |
Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Human Resources management | Training | |
Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources management | Human Resources Management | |
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Human Resources management | Training | |
Include risk management in the training plan, as necessary. CC ID 13040 | Human Resources management | Training | |
Conduct Archives and Records Management training. CC ID 00975 | Human Resources management | Behavior | |
Conduct personal data processing training. CC ID 13757 | Human Resources management | Training | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Training | |
Include the cloud service usage standard in the training plan. CC ID 13039 | Human Resources management | Training | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Establish/Maintain Documentation | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Establish/Maintain Documentation | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Communicate | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Establish/Maintain Documentation | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Establish/Maintain Documentation | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Establish/Maintain Documentation | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Establish/Maintain Documentation | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Establish/Maintain Documentation | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Training | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Establish/Maintain Documentation | |
Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Establish/Maintain Documentation | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Training | |
Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Establish/Maintain Documentation | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Training | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Training | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Training | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Training | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Establish/Maintain Documentation | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Establish/Maintain Documentation | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Establish/Maintain Documentation | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Establish/Maintain Documentation | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Establish/Maintain Documentation | |
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Human Resources Management | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Human Resources Management | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Establish/Maintain Documentation | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Human Resources Management | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Behavior | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Behavior | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Training | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Establish/Maintain Documentation | |
Conduct tampering prevention training. CC ID 11875 | Human Resources management | Training | |
Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Human Resources management | Training | |
Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Human Resources management | Training | |
Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Human Resources management | Training | |
Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Human Resources management | Training | |
Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Human Resources management | Training | |
Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Human Resources management | Training | |
Conduct crime prevention training. CC ID 06350 | Human Resources management | Behavior | |
Establish, implement, and maintain a Code of Conduct. CC ID 04897 [An organization of providers of information and communications services may establish and implement a code of conduct applicable to providers of information and communications services with an objective to protect users and render information and communications services in a safer and more reliable way. Article 44-4 ¶ 1] | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a code of conduct for financial recommendations. CC ID 16649 | Human Resources management | Establish/Maintain Documentation | |
Include anti-coercion requirements and anti-tying requirements in the Code of Conduct. CC ID 16720 | Human Resources management | Establish/Maintain Documentation | |
Include limitations on referrals for products and services in the Code of Conduct. CC ID 16719 | Human Resources management | Behavior | |
Include classifications of ethics violations in the Code of Conduct. CC ID 14769 | Human Resources management | Establish/Maintain Documentation | |
Include definitions of ethics violations in the Code of Conduct. CC ID 14768 | Human Resources management | Establish/Maintain Documentation | |
Include exercising due professional care in the Code of Conduct. CC ID 14210 | Human Resources management | Establish/Maintain Documentation | |
Include health and safety provisions in the Code of Conduct. CC ID 16206 | Human Resources management | Establish/Maintain Documentation | |
Include organizational values in the Code of Conduct. CC ID 12919 | Human Resources management | Process or Activity | |
Include key policies in the Code of Conduct. CC ID 12890 | Human Resources management | Establish/Maintain Documentation | |
Include responsibilities to the public trust in the Code of Conduct. CC ID 14209 | Human Resources management | Establish/Maintain Documentation | |
Include the vision statement in the Code of Conduct. CC ID 12889 | Human Resources management | Establish/Maintain Documentation | |
Include the organization's mission in the Code of Conduct. CC ID 12875 | Human Resources management | Establish/Maintain Documentation | |
Include classifications of desired conduct in the Code of Conduct. CC ID 12851 | Human Resources management | Establish/Maintain Documentation | |
Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 | Human Resources management | Human Resources Management | |
Include environmental responsibility criteria in the Code of Conduct. CC ID 16209 | Human Resources management | Establish/Maintain Documentation | |
Include social responsibility criteria in the Code of Conduct. CC ID 16210 | Human Resources management | Establish/Maintain Documentation | |
Include that Information Security responsibilities extend outside normal business hours and organizational facilities in the Terms and Conditions of employment. CC ID 04580 | Human Resources management | Establish/Maintain Documentation | |
Include labor rights criteria in the Code of Conduct. CC ID 16208 | Human Resources management | Establish/Maintain Documentation | |
Include the employee's legal responsibilities and rights in the Terms and Conditions of employment. CC ID 15701 | Human Resources management | Establish/Maintain Documentation | |
Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 | Human Resources management | Communicate | |
Include definitions of desirable conduct in the Code of Conduct. CC ID 12846 | Human Resources management | Establish/Maintain Documentation | |
Include notification procedures for allegations of undesirable conduct in the Code of Conduct. CC ID 12855 | Human Resources management | Establish/Maintain Documentation | |
Include procedures to identify positive outcomes in the Code of Conduct. CC ID 12854 | Human Resources management | Establish/Maintain Documentation | |
Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 | Human Resources management | Behavior | |
Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment. CC ID 06664 | Human Resources management | Establish/Maintain Documentation | |
Require all personnel to re-sign the Code of Conduct, as necessary. CC ID 06666 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain an ethics program. CC ID 11496 | Human Resources management | Human Resources Management | |
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 [{refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that falls within speculative activities prohibited by statutes; Article 44-7(1)(6) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that commits an activity prohibited by the National Security Act; Article 44-7(1)(8) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Other information with a content that attempts, aids, or abets to commit a crime. Article 44-7(1)(9) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that arouses fear or apprehension by reaching other persons repeatedly in the form of code, words, sound, image, or motion picture; Article 44-7(1)(3)] | Human Resources management | Communicate | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Establishment and implementation of an internal control plan for managing personal information in a safe way; Article 28(1)(1)] | Operational management | Establish/Maintain Documentation | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Business Processes | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Establish Roles | |
Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Business Processes | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Establish Roles | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Business Processes | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Business Processes | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Establish/Maintain Documentation | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Establish/Maintain Documentation | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Establish/Maintain Documentation | |
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Configuration | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Establish/Maintain Documentation | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Configuration | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Establish/Maintain Documentation | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Establish/Maintain Documentation | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Establish/Maintain Documentation | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Establish/Maintain Documentation | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Communicate | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Process or Activity | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Establish/Maintain Documentation | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Establish/Maintain Documentation | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Establish/Maintain Documentation | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Communicate | |
Establish, implement, and maintain an information security program. CC ID 00812 [A chief information protection officer shall be responsible for the following matters: Analysis/evaluation and improvement of the weakness of information protection; Article 45-3(3)(2) A chief information protection officer shall be responsible for the following matters: Preparation of preliminary measures for information protection and designing/realization, etc. of security measures; Article 45-3(3)(4) A chief information protection officer shall be responsible for the following matters: Other matters, such as taking necessary measures for protection of information pursuant to this Act or other relevant statutes. Article 45-3(3)(7) Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)] | Operational management | Establish/Maintain Documentation | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Establish/Maintain Documentation | |
Include technical safeguards in the information security program. CC ID 12374 [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)] | Operational management | Establish/Maintain Documentation | |
Include administrative safeguards in the information security program. CC ID 12373 [A chief information protection officer shall be responsible for the following matters: Establishment and administration/operation of an administrative system for information protection; Article 45-3(3)(1) Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)] | Operational management | Establish/Maintain Documentation | |
Include system development in the information security program. CC ID 12389 | Operational management | Establish/Maintain Documentation | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Establish/Maintain Documentation | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Establish/Maintain Documentation | |
Include access control in the information security program. CC ID 12386 | Operational management | Establish/Maintain Documentation | |
Include operations management in the information security program. CC ID 12385 | Operational management | Establish/Maintain Documentation | |
Include communication management in the information security program. CC ID 12384 | Operational management | Establish/Maintain Documentation | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Establish/Maintain Documentation | |
Include physical security in the information security program. CC ID 12382 | Operational management | Establish/Maintain Documentation | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Establish/Maintain Documentation | |
Include asset management in the information security program. CC ID 12380 | Operational management | Establish/Maintain Documentation | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Establish/Maintain Documentation | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Establish/Maintain Documentation | |
include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation | |
Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Establish/Maintain Documentation | |
Include risk management in the information security program. CC ID 12378 | Operational management | Establish/Maintain Documentation | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
Provide management direction and support for the information security program. CC ID 11999 | Operational management | Process or Activity | |
Monitor and review the effectiveness of the information security program. CC ID 12744 [A chief information protection officer shall be responsible for the following matters: Review of a preliminary security for information protection; Article 45-3(3)(5)] | Operational management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Establish/Maintain Documentation | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Business Processes | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Establish/Maintain Documentation | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Establish/Maintain Documentation | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Establish/Maintain Documentation | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Process or Activity | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Business Processes | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Process or Activity | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Establish Roles | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Human Resources Management | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Establish/Maintain Documentation | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Human Resources Management | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Communicate | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Establish/Maintain Documentation | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Behavior | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Establish/Maintain Documentation | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Establish/Maintain Documentation | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)] | Operational management | Establish/Maintain Documentation | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Establish/Maintain Documentation | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Establish/Maintain Documentation | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Establish/Maintain Documentation | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Records Management | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Business Processes | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Communicate | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Establish/Maintain Documentation | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Establish/Maintain Documentation | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Establish/Maintain Documentation | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Establish/Maintain Documentation | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Establish/Maintain Documentation | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Establish/Maintain Documentation | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Establish/Maintain Documentation | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Establish/Maintain Documentation | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Establish/Maintain Documentation | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Establish/Maintain Documentation | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Establish/Maintain Documentation | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Establish/Maintain Documentation | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Communicate | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Business Processes | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Establish/Maintain Documentation | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Establish/Maintain Documentation | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Data and Information Management | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Service Management System. CC ID 13889 | Operational management | Business Processes | |
Establish, implement, and maintain a service management program. CC ID 11388 [{relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2) {relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2)] | Operational management | Establish/Maintain Documentation | |
Communicate the service management program to interested personnel and affected parties. CC ID 13904 | Operational management | Communicate | |
Communicate service management release success or failures to interested personnel and affected parties, as necessary. CC ID 13927 | Operational management | Communicate | |
Communicate the release dates of applicable services to interested personnel and affected parties. CC ID 13924 | Operational management | Communicate | |
Include the implications of failing to comply with the Service Management System requirements in the communication plan for the service management program. CC ID 13909 | Operational management | Communicate | |
Include the benefits of improved performance in the communication plan for the service management program. CC ID 13908 | Operational management | Communicate | |
Include the importance of conforming to the Service Management System requirements in the communication plan for the service management program. CC ID 13907 | Operational management | Communicate | |
Include a service management plan in the service management program. CC ID 13902 | Operational management | Establish/Maintain Documentation | |
Include the information security policy in the service management program. CC ID 13925 | Operational management | Establish/Maintain Documentation | |
Include the change management policy in the service management program. CC ID 13923 | Operational management | Establish/Maintain Documentation | |
Include the service management objectives in the service management program. CC ID 11389 | Operational management | Establish/Maintain Documentation | |
Include the service requirements in the service management program. CC ID 11390 | Operational management | Establish/Maintain Documentation | |
Include known limitations in the service management program. CC ID 11391 | Operational management | Establish/Maintain Documentation | |
Include service management policies in the service management program. CC ID 11392 | Operational management | Establish/Maintain Documentation | |
Assign roles and responsibilities in the service management program. CC ID 11393 | Operational management | Establish/Maintain Documentation | |
Include all resources needed to achieve the objectives in the service management program. CC ID 11394 | Operational management | Establish/Maintain Documentation | |
Include supply chain management procedures in the service management program. CC ID 11395 | Operational management | Establish/Maintain Documentation | |
Include service management procedures in the service management program. CC ID 11396 | Operational management | Establish/Maintain Documentation | |
Include risk procedures in the service management program. CC ID 11397 | Operational management | Establish/Maintain Documentation | |
Include continuity plans in the Service Management program. CC ID 13919 | Operational management | Establish/Maintain Documentation | |
Include all technologies used to support service management in the service management program. CC ID 11398 | Operational management | Establish/Maintain Documentation | |
Include auditing and improving service management procedures in the service management program. CC ID 11399 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the suspension period of suspended services to interested personnel and affected parties. CC ID 15459 [{relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2) {relevant authority} When the identification service agency intends to discontinue the identification affairs, it shall notify the intention to the users no later than 60 days prior to the intended date of discontinuation and shall report the same to the Korea Communications Commission. Article 23-3(3)] | Operational management | Communicate | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Establish/Maintain Documentation | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Establish/Maintain Documentation | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Data and Information Management | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Establish/Maintain Documentation | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Establish/Maintain Documentation | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Establish/Maintain Documentation | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Establish/Maintain Documentation | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Establish/Maintain Documentation | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Establish/Maintain Documentation | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Establish/Maintain Documentation | |
Use plain language to write incident response notifications. CC ID 12976 | Operational management | Establish/Maintain Documentation | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Establish/Maintain Documentation | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Establish/Maintain Documentation | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Establish/Maintain Documentation | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 [{relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2) A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)] | Operational management | Establish/Maintain Documentation | |
Include time information in incident response notifications. CC ID 04745 | Operational management | Establish/Maintain Documentation | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Establish/Maintain Documentation | |
Include the type of information that was lost in incident response notifications. CC ID 04735 [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Each item of the personal information leaked; Article 27-3(1)(1)] | Operational management | Establish/Maintain Documentation | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Establish/Maintain Documentation | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Establish/Maintain Documentation | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Establish/Maintain Documentation | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Establish/Maintain Documentation | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Establish/Maintain Documentation | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Establish/Maintain Documentation | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Establish/Maintain Documentation | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Establish/Maintain Documentation | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Establish/Maintain Documentation | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Establish/Maintain Documentation | |
Include contact information in incident response notifications. CC ID 04739 [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Article 27-3(1)(5)] | Operational management | Establish/Maintain Documentation | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Communicate | |
Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Process or Activity | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Process or Activity | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Behavior | |
Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Establish/Maintain Documentation | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Establish/Maintain Documentation | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Behavior | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Behavior | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 [{relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1)] | Operational management | Communicate | |
Provide customer security advice, as necessary. CC ID 13674 [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Measures available for users to take; Article 27-3(1)(3) A major provider of information and communications services may, if it is foreseen that a serious problem is likely to occur in the information system of a user who uses the services, the information and communications network, or similar provided by it because of an occurrence of a serious intrusion on its information and communications network, request the user to take necessary protective measures as stipulated by the standard user agreement, and may place a temporary restriction on access to the relevant information and communications network if the user does not perform as requested. Article 47-4(2)] | Operational management | Communicate | |
Use simple understandable language when providing customer security advice. CC ID 13685 | Operational management | Communicate | |
Disseminate and communicate to customers the risks associated with transaction limits. CC ID 13686 | Operational management | Communicate | |
Display customer security advice prominently. CC ID 13667 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
Create an incident response report following an incident response. CC ID 12700 | Operational management | Establish/Maintain Documentation | |
Include information on all affected assets in the incident response report. CC ID 12718 [{relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2) {relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2)] | Operational management | Establish/Maintain Documentation | |
Include the duration of the incident in the incident response report. CC ID 12716 [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)] | Operational management | Establish/Maintain Documentation | |
Include the reasons the incident occurred in the incident response report. CC ID 12711 [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)] | Operational management | Establish/Maintain Documentation | |
Include when the incident occurred in the incident response report. CC ID 12709 [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2) {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Point of time the personal information is leaked; Article 27-3(1)(2)] | Operational management | Establish/Maintain Documentation | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Countermeasures to be taken by a provider of information and communications services or similar; Article 27-3(1)(4)] | Operational management | Establish/Maintain Documentation | |
Include a root cause analysis of the incident in the incident response report. CC ID 12701 [{relevant authority}{loss}{theft}{leakage}{personal information} A provider of information and communications services, etc. shall explain just cause under the main sentence of and proviso to paragraph (1) to the Korea Communications Commission. Article 27-3(3)] | Operational management | Establish/Maintain Documentation | |
Mitigate reported incidents. CC ID 12973 [{mitigate} A person who operates an information and communications network, including a provider of information and communications services, shall analyze causes of intrusion and keep damage from intrusion at bay, whenever an intrusion occurs. Article 48-4(1)] | Operational management | Actionable Reports or Measurements | |
Establish, implement, and maintain an incident response plan. CC ID 12056 [A chief information protection officer shall be responsible for the following matters: Prevention of and response to an intrusion; Article 45-3(3)(3)] | Operational management | Establish/Maintain Documentation | |
Include addressing external communications in the incident response plan. CC ID 13351 | Operational management | Establish/Maintain Documentation | |
Include addressing internal communications in the incident response plan. CC ID 13350 | Operational management | Establish/Maintain Documentation | |
Include change control procedures in the incident response plan. CC ID 15479 | Operational management | Establish/Maintain Documentation | |
Include addressing information sharing in the incident response plan. CC ID 13349 | Operational management | Establish/Maintain Documentation | |
Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Operational management | Establish/Maintain Documentation | |
Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Operational management | Establish/Maintain Documentation | |
Include the management support needed for incident response in the incident response plan. CC ID 14300 | Operational management | Establish/Maintain Documentation | |
Include root cause analysis in the incident response plan. CC ID 16423 | Operational management | Establish/Maintain Documentation | |
Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Operational management | Establish/Maintain Documentation | |
Include the resources needed for incident response in the incident response plan. CC ID 14292 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 [{relevant authority} A software business operator under Article 2 of the Software Industry Promotion Act shall, when he or she produced a program that improves weaknesses in security, notify the Korea Internet and Security Agency of its production, and shall notify users of the software of the production at least twice within one month from the date of production. Article 47-4(3)] | Operational management | Behavior | |
Manage the creation of products and services, as necessary. CC ID 13497 | Operational management | Business Processes | |
Delete age-restricted content, as necessary. CC ID 15450 [A provider of information and communications services shall, if there is any unwholesome medium for juvenile published in violation of the labeling method under Article 42 in the information and communications network operated and managed by him or her or if a content advertising any unwholesome medium for juvenile is displayed in such network without any measures to restrict access by juvenile under Article 42-2, delete such content without delay. Article 44-2(3)] | Operational management | Process or Activity | |
Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448 [The person responsible for protection of juvenile shall block and control unwholesome information for juvenile in the information and communications network, and shall perform business affairs for protection of juvenile, including establishment of a plan for protection of juvenile from unwholesome information for juvenile. Article 42-3(3) The person responsible for protection of juvenile shall block and control unwholesome information for juvenile in the information and communications network, and shall perform business affairs for protection of juvenile, including establishment of a plan for protection of juvenile from unwholesome information for juvenile. Article 42-3(3)] | Operational management | Establish/Maintain Documentation | |
Control the distribution of media containing age-restricted content, as necessary. CC ID 15446 [The person responsible for protection of juvenile shall block and control unwholesome information for juvenile in the information and communications network, and shall perform business affairs for protection of juvenile, including establishment of a plan for protection of juvenile from unwholesome information for juvenile. Article 42-3(3) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with an obscene content distributed, sold, rented, or displayed openly in the form of code, words, sound, image, or motion picture; Article 44-7(1)(1) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that falls within an unwholesome medium for juvenile under the Juvenile Protection Act and that is provided for profit without fulfilling the duties and obligations under relevant statutes, including the duty to verify the opposite party's age and the duty of labeling; Article 44-7(1)(5) {refrain from transmitting}{refrain from displaying}{refrain from taking} No one may transmit, to a juvenile under subparagraph 1 of Article 2 of the Juvenile Protection Act, any information containing an advertisement of an unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the aforesaid Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in the form of code, letter, voice, sound, image, or motion picture through an information and communications network or display such medium to the general public without taking any measure to restrict access by a juvenile. Article 42-2 ¶ 1] | Operational management | Process or Activity | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain authenticators. CC ID 15305 | System hardening through configuration management | Technical Security | |
Establish, implement, and maintain an authenticator standard. CC ID 01702 | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain an authenticator management system. CC ID 12031 | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain authenticator procedures. CC ID 12002 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing fabrication and alteration of access records; Article 28(1)(3)] | System hardening through configuration management | Establish/Maintain Documentation | |
Restrict access to authentication files to authorized personnel, as necessary. CC ID 12127 | System hardening through configuration management | Technical Security | |
Configure authenticators to comply with organizational standards. CC ID 06412 | System hardening through configuration management | Configuration | |
Configure the system to require new users to change their authenticator on first use. CC ID 05268 | System hardening through configuration management | Configuration | |
Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 | System hardening through configuration management | Configuration | |
Configure the system to prevent unencrypted authenticator use. CC ID 04457 | System hardening through configuration management | Configuration | |
Disable store passwords using reversible encryption. CC ID 01708 | System hardening through configuration management | Configuration | |
Configure the system to encrypt authenticators. CC ID 06735 | System hardening through configuration management | Configuration | |
Configure the system to mask authenticators. CC ID 02037 | System hardening through configuration management | Configuration | |
Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators. CC ID 05992 | System hardening through configuration management | Configuration | |
Configure the "minimum number of digits required for new passwords" setting to organizational standards. CC ID 08717 | System hardening through configuration management | Establish/Maintain Documentation | |
Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards. CC ID 08718 | System hardening through configuration management | Establish/Maintain Documentation | |
Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 | System hardening through configuration management | Configuration | |
Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards. CC ID 08719 | System hardening through configuration management | Establish/Maintain Documentation | |
Disable machine account password changes. CC ID 01737 | System hardening through configuration management | Configuration | |
Configure the "minimum number of special characters required for new passwords" setting to organizational standards. CC ID 08720 | System hardening through configuration management | Establish/Maintain Documentation | |
Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards. CC ID 08722 | System hardening through configuration management | Establish/Maintain Documentation | |
Configure the "password reuse" setting to organizational standards. CC ID 08724 | System hardening through configuration management | Establish/Maintain Documentation | |
Configure the "Disable Remember Password" setting. CC ID 05270 | System hardening through configuration management | Configuration | |
Configure the "Minimum password age" to organizational standards. CC ID 01703 | System hardening through configuration management | Configuration | |
Configure the LILO/GRUB password. CC ID 01576 | System hardening through configuration management | Configuration | |
Configure the system to use Apple's Keychain Access to store passwords and certificates. CC ID 04481 | System hardening through configuration management | Configuration | |
Change the default password to Apple's Keychain. CC ID 04482 | System hardening through configuration management | Configuration | |
Configure Apple's Keychain items to ask for the Keychain password. CC ID 04483 | System hardening through configuration management | Configuration | |
Configure the Syskey Encryption Key and associated password. CC ID 05978 | System hardening through configuration management | Configuration | |
Configure the "Accounts: Limit local account use of blank passwords to console logon only" setting. CC ID 04505 | System hardening through configuration management | Configuration | |
Configure the "System cryptography: Force strong key protection for user keys stored in the computer" setting. CC ID 04534 | System hardening through configuration management | Configuration | |
Configure interactive logon for accounts that do not have assigned authenticators in accordance with organizational standards. CC ID 05267 | System hardening through configuration management | Configuration | |
Enable or disable remote connections from accounts with empty authenticators, as appropriate. CC ID 05269 | System hardening through configuration management | Configuration | |
Configure the "Send LanMan compatible password" setting. CC ID 05271 | System hardening through configuration management | Configuration | |
Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate. CC ID 05993 | System hardening through configuration management | Configuration | |
Set the most number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 | System hardening through configuration management | Configuration | |
Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 | System hardening through configuration management | Configuration | |
Notify affected parties to keep authenticators confidential. CC ID 06787 | System hardening through configuration management | Behavior | |
Discourage affected parties from recording authenticators. CC ID 06788 | System hardening through configuration management | Behavior | |
Configure the "shadow password for all accounts in /etc/passwd" setting to organizational standards. CC ID 08721 | System hardening through configuration management | Establish/Maintain Documentation | |
Configure the "password hashing algorithm" setting to organizational standards. CC ID 08723 | System hardening through configuration management | Establish/Maintain Documentation | |
Configure the "Disable password strength validation for Peer Grouping" setting to organizational standards. CC ID 10866 | System hardening through configuration management | Configuration | |
Configure the "Set the interval between synchronization retries for Password Synchronization" setting to organizational standards. CC ID 11185 | System hardening through configuration management | Configuration | |
Configure the "Set the number of synchronization retries for servers running Password Synchronization" setting to organizational standards. CC ID 11187 | System hardening through configuration management | Configuration | |
Configure the "Turn off password security in Input Panel" setting to organizational standards. CC ID 11296 | System hardening through configuration management | Configuration | |
Configure the "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" setting to organizational standards. CC ID 11355 | System hardening through configuration management | Configuration | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Process or Activity | |
Retain records in accordance with applicable requirements. CC ID 00968 [{be impossible} An information provider specified by Presidential Decree among those who engage in a business of providing unwholesome media for juvenile as defined in subparagraph 3 of Article 2 of the Juvenile Protection Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in a way to make it impossible to store or record the unwholesome media in a user's computer shall keep relevant information. Article 43(1) Every provider of telecommunications billing services shall preserve records of telecommunications billing services during the period, within the limit of five years, prescribed by Presidential Decree. Article 58(4)] | Records management | Records Management | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 [Every provider of information and communications services shall take protective measures to secure the reliability of the information and security of the information and communications networks. Article 45(1)] | Records management | Establish Roles | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Records management | Process or Activity | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Records management | Data and Information Management | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 [A person who provides information to the general public purposely to make it public through telecommunications services rendered by a telecommunications business operator (hereinafter referred to as "information provider") and who intends to provide any unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the Juvenile Protection Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act shall put a label indicating that the information is an unwholesome medium for juvenile by the labeling method specified by Presidential Decree. Article 42 ¶ 1] | Records management | Establish/Maintain Documentation | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Establish/Maintain Documentation | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Data and Information Management | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Technical Security | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Records Management | |
Provide encryption for different types of electronic storage media. CC ID 00945 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for security by using encryption technology and other methods for safe storage and transmission of personal information; Article 28(1)(4)] | Records management | Technical Security | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Develop new products based on best practices. CC ID 01095 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a system design specification. CC ID 04557 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include security requirements in the system design specification. CC ID 06826 [{take into account} A provider of information and communications services shall, if he or she intends to newly establish an information and communications network or to provide information and communications services, take the matters regarding information protection into account in planning or designing thereof. Article 45-2(1)] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain payment transaction security measures. CC ID 13088 [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: A plan for protection of users of telecommunications billing services; Article 53(1)(2) Every provider of telecommunications billing services shall perform his or her duty to pay attention as a good manager so that telecommunications billing services may be provided in a safe manner. Article 57(1)] | Acquisition or sale of facilities, technology, and services | Technical Security | |
Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Restrict transaction activities, as necessary. CC ID 16334 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 | Acquisition or sale of facilities, technology, and services | Communicate | |
Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Encrypt electronic commerce transactions and messages. CC ID 08621 | Acquisition or sale of facilities, technology, and services | Configuration | |
Protect the integrity of application service transactions. CC ID 12017 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include required information in electronic commerce transactions and messages. CC ID 15318 | Acquisition or sale of facilities, technology, and services | Data and Information Management | |
Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 | Acquisition or sale of facilities, technology, and services | Communicate | |
Bill and settle electronic commerce transactions. CC ID 08622 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Make electronic commerce order information available to the customer who ordered the product. CC ID 04585 [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Date and time telecommunications billing services are used; Article 58(1)(1) When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Amount purchased/used through telecommunications billing services and details thereof; Article 58(1)(3) A provider of telecommunications billing services shall provide users of telecommunications billing services with a method by which users can verify the details of purchase and use, and shall also furnish a user, upon request, with a written statement on the details of purchase and use (including an electronic document; hereinafter the same shall apply) within two weeks from the date requested. Article 58(2)] | Acquisition or sale of facilities, technology, and services | Data and Information Management | |
Withhold payment and settlement functions, as necessary. CC ID 15460 [A user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3)] | Acquisition or sale of facilities, technology, and services | Business Processes | |
Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455 [Where a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) provides telecommunications billing services or increases the upper limits of use, it shall obtain consent from a user of the relevant telecommunications billing services in advance. Article 58(5)] | Acquisition or sale of facilities, technology, and services | Behavior | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [{unauthorized manipulation}The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Systematic and technical measures for preventing unlawful destruction or manipulation of information; Article 51(3)(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Data and Information Management | |
Establish and maintain privacy notices, as necessary. CC ID 13443 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the purpose of the privacy notice in the privacy notice. CC ID 13526 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the processing purpose in the privacy notice. CC ID 16543 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include contact information in the privacy notice. CC ID 14432 [{be responsible}The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name and address of the person responsible for protection of personal information or the department responsible for business affairs related to the protection of personal information and processing related complaints and other contact information of such person or department. Article 27-2(2)(7)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the personal data collection categories in the privacy notice. CC ID 13457 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include disclosure exceptions in the privacy notice. CC ID 13447 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the types of personal data disclosed in the privacy notice. CC ID 13446 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Privacy protection for information and data | Establish/Maintain Documentation | |
Specify the time frame that notice will be given. CC ID 00385 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the information about the appeal process in the privacy notice. CC ID 15312 [{information}{violate}{right} Every provider of information and communications services shall clearly state the details, procedure, and other matters concerning necessary measures in its standardized agreement in advance. Article 44-2(5)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 | Privacy protection for information and data | Communicate | |
Deliver privacy notices to data subjects, as necessary. CC ID 13444 | Privacy protection for information and data | Communicate | |
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Privacy protection for information and data | Establish/Maintain Documentation | |
Update privacy notices, as necessary. CC ID 13474 | Privacy protection for information and data | Communicate | |
Redeliver privacy notices, as necessary. CC ID 14850 | Privacy protection for information and data | Communicate | |
Deliver privacy notices to third parties, as necessary. CC ID 13473 | Privacy protection for information and data | Communicate | |
Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 | Privacy protection for information and data | Communicate | |
Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain opt-out notices. CC ID 13448 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Privacy protection for information and data | Establish/Maintain Documentation | |
Explain the right to opt out in the opt-out notice. CC ID 13462 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Privacy protection for information and data | Establish/Maintain Documentation | |
Deliver opt-out notices, as necessary. CC ID 13449 | Privacy protection for information and data | Communicate | |
Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 | Privacy protection for information and data | Communicate | |
Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 | Privacy protection for information and data | Communicate | |
Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 | Privacy protection for information and data | Communicate | |
Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 | Privacy protection for information and data | Communicate | |
Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 | Privacy protection for information and data | Data and Information Management | |
Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 | Privacy protection for information and data | Communicate | |
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 | Privacy protection for information and data | Communicate | |
Provide the data subject with a notice of participation procedures. CC ID 06241 | Privacy protection for information and data | Establish/Maintain Documentation | |
Deliver notices to the intended parties. CC ID 06240 | Privacy protection for information and data | Data and Information Management | |
Notify data subjects about their privacy rights. CC ID 12989 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Rights of users and their legal representatives and methods for the exercise of such rights; Article 27-2(2)(5) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Rights of users and their legal representatives and methods for the exercise of such rights; Article 27-2(2)(5)] | Privacy protection for information and data | Communicate | |
Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Privacy protection for information and data | Data and Information Management | |
Provide public proof the organization participates in a privacy program. CC ID 12349 | Privacy protection for information and data | Communicate | |
Publish a description of processing activities in an official register. CC ID 00379 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish and maintain a records request manual. CC ID 00381 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Privacy protection for information and data | Establish/Maintain Documentation | |
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 [{relevant authority} A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Article 53(1)] | Privacy protection for information and data | Behavior | |
Define what is included in registration notices. CC ID 00386 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include roles and responsibilities in the registration notice. CC ID 16803 | Privacy protection for information and data | Establish Roles | |
Include the verification method in the registration notice. CC ID 16798 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the statutory authority in the registration notice. CC ID 16799 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include a purpose specification description in the registration notice. CC ID 00388 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include information about the dispute resolution body in the registration notice. CC ID 16800 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data subject category being processed in the registration notice. CC ID 00389 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the time period for data processing in the registration notice. CC ID 00390 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide legal authorities access to personal data, upon request. CC ID 06818 | Privacy protection for information and data | Data and Information Management | |
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 | Privacy protection for information and data | Process or Activity | |
Document the countries where restricted data may be stored. CC ID 12750 | Privacy protection for information and data | Data and Information Management | |
Protect the rights of students and their parents or legal representatives. CC ID 00222 | Privacy protection for information and data | Data and Information Management | |
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Privacy protection for information and data | Technical Security | |
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Privacy protection for information and data | Records Management | |
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Privacy protection for information and data | Records Management | |
Define the criteria for waivers of data subjects' rights. CC ID 16858 | Privacy protection for information and data | Behavior | |
Revoke waivers of data subject's rights, as necessary. CC ID 16859 | Privacy protection for information and data | Behavior | |
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose educational data, as necessary. CC ID 00223 | Privacy protection for information and data | Data and Information Management | |
Grant access to education records in support of educational program audits. CC ID 13032 | Privacy protection for information and data | Records Management | |
Grant access to education records in support of external requirements. CC ID 13033 | Privacy protection for information and data | Records Management | |
Disclose statements added to education records, as necessary. CC ID 12990 | Privacy protection for information and data | Communicate | |
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Privacy protection for information and data | Data and Information Management | |
Disclose education records when written consent is received. CC ID 00224 | Privacy protection for information and data | Data and Information Management | |
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Privacy protection for information and data | Establish/Maintain Documentation | |
Specify the purpose of the disclosure in the written consent. CC ID 13001 | Privacy protection for information and data | Establish/Maintain Documentation | |
Specify which education records may be disclosed in the written consent. CC ID 13000 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Privacy protection for information and data | Communicate | |
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Privacy protection for information and data | Communicate | |
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Privacy protection for information and data | Communicate | |
Disclose educational data absent consent to other school officials. CC ID 00226 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Privacy protection for information and data | Communicate | |
Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent to a crime victim. CC ID 00236 | Privacy protection for information and data | Data and Information Management | |
Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from providing information to the data subject, as necessary. CC ID 12625 [A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2) A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2) A provider of information and communications services may, if it is difficult to judge whether information violates any right or it is anticipated that there will probably be a dispute between interested parties, take a measure to block access to the information temporarily (hereinafter referred to as "temporary measures"), irrespective of a request for deletion of the information under paragraph (1). In such cases, the period of time for the temporary measure shall not exceed 30 days. Article 44-2(4)] | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Privacy protection for information and data | Communicate | |
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Privacy protection for information and data | Communicate | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the data retention period for personal data. CC ID 12587 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Period of time during which he or she intends to possess and use the personal information. Article 22(1)(3) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The purposes of use of the person to whom the personal information is to be transferred, and the period of time for possession and use of the personal information. Article 63(3)(4)] | Privacy protection for information and data | Process or Activity | |
Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with the adequacy decision. CC ID 12586 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Business Processes | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Business Processes | |
Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Items of personal information that he or she intends to collect; Article 22(1)(2) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2) A provider of information and communications services or similar falling under the standards determined by Presidential Decree shall periodically notify the users of the details of using personal information of such users (including details of the provision under Article 24-2 and of the entrustment of management of personal information under Article 25) in accordance with Article 22 and the proviso to Article 23 (1): Provided, That this shall not apply in cases where the provider of information and communications services or similar does not collect any contact information or other personal information that can be notified to users. Article 30-2(1) Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Article 24-2(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Article 25(1) Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: Items of the personal information transferred; Article 63(3)(1)] | Privacy protection for information and data | Data and Information Management | |
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the disclosure date in the disclosure accounting record. CC ID 07133 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the disclosure recipient in the disclosure accounting record. CC ID 07134 [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The name (referring to the name of a legal corporation, if the person is a legal corporation; hereafter the same shall apply in this Article), address, and telephone number of a person to whom the personal information is to be transferred (hereinafter referred to as a "transferee of business or similar"), and other contact information of the person; Article 26(1)(2) If any personal information is transferred to a transferee of business, etc., he or she shall immediately notify the users of such fact and his or her name, domicile, telephone number and other contact details according to methods prescribed by Presidential Decree, such as the posting of such information on the Internet homepage or email. Article 26(2) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The name of the person to whom the personal information is to be transferred (referring to the name of a legal entity and the contact information of the person responsible for management of information, if the person is a legal entity); Article 63(3)(3)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 | Privacy protection for information and data | Data and Information Management | |
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 | Privacy protection for information and data | Communicate | |
Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide shareholders access to electronic messages via electronic means. CC ID 11855 | Privacy protection for information and data | Process or Activity | |
Make telephone directory information available to the public. CC ID 08698 | Privacy protection for information and data | Establish/Maintain Documentation | |
Display warning screens and confirmation screens for all payment transactions. CC ID 06409 | Privacy protection for information and data | Technical Security | |
Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 | Privacy protection for information and data | Process or Activity | |
Establish, implement, and maintain a privacy policy. CC ID 06281 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, establish and disclose its policy on managing personal information to the public in a manner specified by Presidential Decree so that users become aware of the policy easily at any time. Article 27-2(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data subject's rights in the privacy policy. CC ID 16355 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 [{make aware} Every provider of information and communications services or similar shall, when he or she revises the policy on managing personal information under paragraph (1), give public notice of the reasons for and details of such revision without delay in a manner specified by Presidential Decree, and take measures to make users aware of the details of the revision easily at any time. Article 27-2(3)] | Privacy protection for information and data | Behavior | |
Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Privacy protection for information and data | Establish/Maintain Documentation | |
Write privacy notices in the official languages required by law. CC ID 16529 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define what is included in the privacy policy. CC ID 00404 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the information being collected in the privacy policy. CC ID 13115 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the means by which information is collected in the privacy policy. CC ID 13114 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include roles and responsibilities in the privacy policy. CC ID 14669 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include management commitment in the privacy policy. CC ID 14668 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include coordination amongst entities in the privacy policy. CC ID 14667 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include compliance requirements in the privacy policy. CC ID 14666 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include a complaint form in the privacy policy. CC ID 12364 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the processing purpose in the privacy policy. CC ID 00406 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Details of business affairs subject to the entrustment of management of personal information and the trustee (they shall be included in the policy on management, only where this subparagraph is applicable); Article 27-2(2)(4)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data subject categories being processed in the privacy policy. CC ID 00407 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the retention period for collected information in the privacy policy. CC ID 13116 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Details of business affairs subject to the entrustment of management of personal information and the trustee (they shall be included in the policy on management, only where this subparagraph is applicable); Article 27-2(2)(4)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include instructions on how to opt-out in the privacy policy. CC ID 00411 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Matters concerning installation, operation, and denial of a device that collect personal information automatically, such as an information file for access to internet; Article 27-2(2)(6) A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Matters concerning installation, operation, and denial of a device that collect personal information automatically, such as an information file for access to internet; Article 27-2(2)(6) The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Matters concerning installation, operation, and denial of a device that collect personal information automatically, such as an information file for access to internet; Article 27-2(2)(6)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 | Privacy protection for information and data | Establish/Maintain Documentation | |
Post the privacy policy in an easily seen location. CC ID 00401 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define who will receive the privacy policy. CC ID 00402 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 [Every provider of information and communications services or similar shall, when he or she manages personal information of users, establish and disclose its policy on managing personal information to the public in a manner specified by Presidential Decree so that users become aware of the policy easily at any time. Article 27-2(1)] | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain privacy procedures. CC ID 14665 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a privacy plan. CC ID 14672 | Privacy protection for information and data | Establish/Maintain Documentation | |
Align the enterprise architecture with the privacy plan. CC ID 14705 | Privacy protection for information and data | Process or Activity | |
Approve the privacy plan. CC ID 14700 | Privacy protection for information and data | Business Processes | |
Include privacy requirements in the privacy plan. CC ID 14699 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the information types in the privacy plan. CC ID 14695 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include threats in the privacy plan. CC ID 14694 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include roles and responsibilities in the privacy plan. CC ID 14702 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include a description of the operational context in the privacy plan. CC ID 14692 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include risk assessment results in the privacy plan. CC ID 14701 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include security controls in the privacy plan. CC ID 14681 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Privacy protection for information and data | Communicate | |
Include a description of the operational environment in the privacy plan. CC ID 14679 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include network diagrams in the privacy plan. CC ID 14678 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a privacy report. CC ID 14754 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 | Privacy protection for information and data | Communicate | |
Protect private communications in keeping with compliance requirements. CC ID 14334 | Privacy protection for information and data | Business Processes | |
Establish, implement, and maintain personal data choice and consent program. CC ID 12569 [A person who obtains consent to receive advertising information pursuant to paragraph (1) or (3) shall regularly verify whether an addressee of advertising information consents to receive such information, as prescribed by Presidential Decree. Article 50(8)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data request procedures. CC ID 16546 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [{refrain from refusing}{do not consent}{not necessary} No provider of information and communications services shall refuse to provide the relevant services to users on the ground that the users give no consent to the establishment of access authority not certainly necessary to provide the relevant services. Article 22-2(2) {refrain from refusing} No provider of information and communications services shall refuse to provide such services on the ground that a user does not provide personal information other than the minimum personal information required. In such cases, the minimum personal information required means information that is specifically required to perform essential functions of the relevant services. Article 23(3) {refrain from refusing} When the provider, etc. of information and communications services under Article 25 (1) is given the consent to furnishing user's information under paragraph (1) and to the entrustment of management of personal information under Article 25 (1), he or she shall obtain such consent apart from the consent to collection/use of personal information pursuant to Article 22, and shall not refuse to provide its service on the ground of a user's refusal of aforementioned consent. Article 24-2(3)] | Privacy protection for information and data | Human Resources Management | |
Refrain from charging a fee to implement an opt-out request. CC ID 13877 [A person who transmits advertising information for profit by using an electronic transmission medium shall take necessary measures so that an addressee does not incur any cost, such as telephone charges, when the addressee refuses to receive or revokes his or her consent to receive such information, as prescribed by Presidential Decree. Article 50(6)] | Privacy protection for information and data | Business Processes | |
Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the user has given a consent to he provider of information and communications services or similar to collect, use, or furnish his or her personal information. Article 30(2)(3)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include agreement termination information in the disclosure authorization form. CC ID 13437 | Privacy protection for information and data | Establish/Maintain Documentation | |
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Privacy protection for information and data | Business Processes | |
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Privacy protection for information and data | Business Processes | |
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The methods and procedures available for revocation of consent, where a user does not want his or her personal information transferred to a third party. Article 26(1)(3) Every user may, at any time, revoke his or her consent given to a provider of information and communications services or similar to allow the provider to collect, use, or furnish his or her personal information. Article 30(1) Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the user has given a consent to he provider of information and communications services or similar to collect, use, or furnish his or her personal information. Article 30(2)(3) {not necessary}{do not consent}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Fact that users may give no consent to the permission on access authority. Article 22-2(1)(2)(c)] | Privacy protection for information and data | Data and Information Management | |
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Business Processes | |
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Business Processes | |
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Privacy protection for information and data | Data and Information Management | |
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 | Privacy protection for information and data | Business Processes | |
Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Privacy protection for information and data | Process or Activity | |
Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Privacy protection for information and data | Establish/Maintain Documentation | |
Allow consent requests to be provided in any official languages. CC ID 16530 | Privacy protection for information and data | Business Processes | |
Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Privacy protection for information and data | Communicate | |
Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Privacy protection for information and data | Records Management | |
Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 | Privacy protection for information and data | Data and Information Management | |
Refrain from obtaining consent through deception. CC ID 13556 | Privacy protection for information and data | Data and Information Management | |
Give individuals the ability to change the uses of their personal data. CC ID 00469 [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)] | Privacy protection for information and data | Data and Information Management | |
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [Where an addressee gives prior consent under paragraph (1) or expresses his or her intention to refuse to receive or revoke his or her consent to receive advertising information under paragraph (2), a person who intends to transmit advertising information for profit by using an electronic transmission medium shall inform the relevant addressee of the outcomes of measures taken in relation to consent to receive, refusal to receive, or revocation of consent to receive advertising information, as prescribed by Presidential Decree. Article 50(7)] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 | Privacy protection for information and data | Human Resources Management | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Privacy protection for information and data | Human Resources Management | |
Notify the supervisory authority. CC ID 00472 [{relevant authority}{collection}{personal data} A provider of information and communications services shall, whenever it discovers a violation of paragraph (1), immediately report it to the Minister of Science, Information and Communications Technology (ICT) and Future Planning, the Korea Communications Commission, or the Korea Internet and Security Agency. Article 49-2(2)] | Privacy protection for information and data | Behavior | |
Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Business Processes | |
Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Communicate | |
Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Establish/Maintain Documentation | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Business Processes | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Process or Activity | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Privacy protection for information and data | Process or Activity | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Communicate | |
Cooperate with Data Protection Authorities. CC ID 06870 | Privacy protection for information and data | Data and Information Management | |
Submit a safe harbor self-certification letter. CC ID 06871 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 | Privacy protection for information and data | Human Resources Management | |
Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify the data controller of any changes in data processors. CC ID 12648 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A provider, etc. of information and communications shall, when entrusting a trustee with management of personal information, do so in writing. Article 25(6)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [A provider of information and communications services or similar shall, when he or she entrusts the management of personal information to a third party, define the scope of purposes, in advance, within which the trustee is allowed to manage personal information of users, and the trustee shall not manage the personal information of users beyond the scope of purposes. Article 25(3)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the duration of processing in the Data Processing Contract. CC ID 14935 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Privacy protection for information and data | Human Resources Management | |
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Establish/Maintain Documentation | |
Display or print the least amount of personal data necessary. CC ID 04643 | Privacy protection for information and data | Data and Information Management | |
Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of the collection purpose. CC ID 00095 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1) A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1] | Privacy protection for information and data | Behavior | |
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Data and Information Management | |
Document the law that requires restricted data to be collected. CC ID 00103 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Privacy protection for information and data | Behavior | |
Notify the data subject of changes to personal data use. CC ID 00105 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Period of time during which he or she intends to possess and use the personal information. Article 22(1)(3) A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Items of personal information that he or she intends to collect; Article 22(1)(2) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2) A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1)] | Privacy protection for information and data | Behavior | |
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain the data subject's consent when the personal data use changes. CC ID 11832 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Article 22(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2) A transferee of business or similar may use or furnish personal information only within the scope of purposes originally defined for which any provider of information and communications services or similar uses or furnishes the personal information of users: Provided, That the same shall not apply where he or she separately obtains consent from users. Article 26(3)] | Privacy protection for information and data | Behavior | |
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Privacy protection for information and data | Establish/Maintain Documentation | |
Dispose of media and restricted data in a timely manner. CC ID 00125 [{refrain from destroying} A provider of information and communications services or similar shall, if any of the followings occurs, destroy the relevant personal information without delay so that such personal information cannot be recovered or reproduced: Provided, That the same shall not apply where it is required to preserve the personal information in accordance with any other Act: Article 29(1)] | Privacy protection for information and data | Data and Information Management | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Records Management | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 [{stipulated timeframe} The provider, etc. of information and communications services shall notify , until 30 days before expiration of the period under paragraph (2), the users of the matters prescribed by Presidential Decree such as the fact that the personal information will be destroyed, the expiration date of the period and items of personal information subject to destruction, in a manner prescribed by Presidential Decree such as by email. Article 29(3)] | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain data access procedures. CC ID 00414 [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Personal information of the user, which the provider of information and communications services or similar possesses; Article 30(2)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Process or Activity | |
Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Data and Information Management | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2) Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(1)(a) Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Ground that access authority is necessary. Article 22-2(1)(1)(b) {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(2)(a) {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Ground that access authority is necessary; Article 22-2(1)(2)(b) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The purposes of use of the person to whom the personal information is to be transferred, and the period of time for possession and use of the personal information. Article 63(3)(4) A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1)] | Privacy protection for information and data | Data and Information Management | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Data and Information Management | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Data and Information Management | |
Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Data and Information Management | |
Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Business Processes | |
Respond to data access requests in a timely manner. CC ID 00421 [{personal information} A provider of information and communications services or similar shall, in receipt of a request to peruse or furnish matters in accordance with paragraph (2), take necessary measures without delay. Article 30(4)] | Privacy protection for information and data | Behavior | |
Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Data and Information Management | |
Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Data and Information Management | |
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Business Processes | |
Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Process or Activity | |
Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Data and Information Management | |
Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6) Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2) Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Personal information of the user, which the provider of information and communications services or similar possesses; Article 30(2)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Records Management | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Establish/Maintain Documentation | |
Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Process or Activity | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 [{refrain from using}{be different} No provider of information and communications services may use personal information collected in accordance with Article 22 and the proviso to Article 23 (1) for any purpose other than the purpose consented by the relevant user or the purpose specified in any subparagraph of Article 22 (2). Article 24 ¶ 1] | Privacy protection for information and data | Establish/Maintain Documentation | |
Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 | Privacy protection for information and data | Data and Information Management | |
Disclose de-identified data, as necessary. CC ID 13034 | Privacy protection for information and data | Communicate | |
Notify the data subject after personal data is used or disclosed. CC ID 06247 | Privacy protection for information and data | Behavior | |
Refrain from processing restricted data, as necessary. CC ID 12551 [{refrain from collecting}{refrain from using} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Article 23-2(1) {be different}{refrain from using} A person who received any personal information of a user from a provider of information and communications services in accordance with paragraph (1) shall not furnish the personal information to a third party or use it for any purpose other than the purpose originally agreed upon at the time when the information was furnished without consent of the user or a specific provision otherwise specified in any other Act. Article 24-2(2) A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)] | Privacy protection for information and data | Records Management | |
Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Privacy protection for information and data | Process or Activity | |
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Privacy protection for information and data | Business Processes | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Privacy protection for information and data | Process or Activity | |
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Privacy protection for information and data | Data and Information Management | |
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Data and Information Management | |
Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Process or Activity | |
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Privacy protection for information and data | Records Management | |
Include the data processor's contact information in the record of processing activities. CC ID 12657 | Privacy protection for information and data | Records Management | |
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Privacy protection for information and data | Records Management | |
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Privacy protection for information and data | Records Management | |
Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Privacy protection for information and data | Records Management | |
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Privacy protection for information and data | Records Management | |
Include the personal data processing categories in the record of processing activities. CC ID 12661 | Privacy protection for information and data | Records Management | |
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Privacy protection for information and data | Records Management | |
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Privacy protection for information and data | Records Management | |
Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Privacy protection for information and data | Records Management | |
Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Privacy protection for information and data | Records Management | |
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Privacy protection for information and data | Records Management | |
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Privacy protection for information and data | Records Management | |
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Privacy protection for information and data | Records Management | |
Include the data controller's contact information in the record of processing activities. CC ID 12637 | Privacy protection for information and data | Records Management | |
Process restricted data lawfully and carefully. CC ID 00086 [Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the provider is designated as the identification service agency pursuant to Article 23-3; Article 23-2(1)(1) Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where collection/use of users' resident registration numbers is authorized by statutes; Article 23-2(1)(2) {relevant authority}Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the Korea Communications Commission makes a public announcement for the provider of information and communications services who inevitably collects/uses users' resident registration numbers for his or her business purposes. Article 23-2(1)(3)] | Privacy protection for information and data | Establish Roles | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Technical Security | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Data and Information Management | |
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Records Management | |
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Data and Information Management | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Records Management | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Process or Activity | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Records Management | |
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Data and Information Management | |
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Data and Information Management | |
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Data and Information Management | |
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Data and Information Management | |
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Data and Information Management | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Privacy protection for information and data | Data and Information Management | |
Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Privacy protection for information and data | Data and Information Management | |
Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Data and Information Management | |
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 | Privacy protection for information and data | Data and Information Management | |
Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Data and Information Management | |
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Privacy protection for information and data | Data and Information Management | |
Process personal data when it is publicly accessible. CC ID 00187 | Privacy protection for information and data | Data and Information Management | |
Process personal data for direct marketing and other personalized mail programs. CC ID 00188 [{refrain from obtaining}If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Where a telemarketer under the Act on Door-to-Door Sales, Etc. informs prospective customers of the collection source of their personal information by voice, and solicits them to buy products or services by means of telephone call. Article 50(1)(2)] | Privacy protection for information and data | Data and Information Management | |
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 [{refrain from transmitting}{refrain from displaying}{refrain from taking} No one may transmit, to a juvenile under subparagraph 1 of Article 2 of the Juvenile Protection Act, any information containing an advertisement of an unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the aforesaid Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in the form of code, letter, voice, sound, image, or motion picture through an information and communications network or display such medium to the general public without taking any measure to restrict access by a juvenile. Article 42-2 ¶ 1] | Privacy protection for information and data | Business Processes | |
Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Data and Information Management | |
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Privacy protection for information and data | Data and Information Management | |
Process personal data for debt collection or benefit payments. CC ID 00190 | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to advance the public interest. CC ID 00191 | Privacy protection for information and data | Data and Information Management | |
Process personal data for surveys, archives, or scientific research. CC ID 00192 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Data and Information Management | |
Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Data and Information Management | |
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Data and Information Management | |
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Data and Information Management | |
Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Data and Information Management | |
Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If it is necessary in paying charges on the information and communication services rendered; Article 22(2)(2)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Privacy protection for information and data | Process or Activity | |
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If the personal information is necessary in fulfilling the contract for provision of information and communications services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason; Article 22(2)(1)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent in order to perform a contract. CC ID 13586 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is needed by law. CC ID 13577 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If a specific provision exists in this Act or any other Act otherwise. Article 22(2)(3) A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)] | Privacy protection for information and data | Data and Information Management | |
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is from publicly available information. CC ID 13576 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent to create a credit report. CC ID 15288 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when produced for business purposes. CC ID 13563 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for handling insurance claims. CC ID 13561 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Privacy protection for information and data | Data and Information Management | |
Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 | Privacy protection for information and data | Behavior | |
Define security breach notification requirement exceptions. CC ID 04797 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [{refrain from providing} No one shall be knowingly provided with any disclosed personal information for profit or any unlawful purpose. Article 28-2(2) {violate}{right} Every provider of information and communications services shall make efforts to prevent any information under paragraph (1) from being circulated through the information and communications network operated and managed by it. Article 44(2) {refrain from circulating}{violate} No user may circulate any information violative of other person's rights, including invasion of privacy and defamation, through an information and communications network. Article 44(1) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that defames other persons by divulging a fact, false fact, openly and purposely to disparage the person's reputation; Article 44-7(1)(2) {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information regarding content of transactions of personal information in violation of this Act or other statutes concerning the protection of personal information; Article 44-7(1)(6-2) {be different}{refrain from using} A person who received any personal information of a user from a provider of information and communications services in accordance with paragraph (1) shall not furnish the personal information to a third party or use it for any purpose other than the purpose originally agreed upon at the time when the information was furnished without consent of the user or a specific provision otherwise specified in any other Act. Article 24-2(2) {do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1] | Privacy protection for information and data | Records Management | |
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 | Privacy protection for information and data | Data and Information Management | |
Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define opt-out exceptions for disclosing restricted data. CC ID 00159 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define how a data subject may give consent. CC ID 00160 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 [A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2) A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2)] | Privacy protection for information and data | Communicate | |
Disclose restricted data absent consent when the law does not require consent. CC ID 00136 | Privacy protection for information and data | Data and Information Management | |
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent to create a credit report. CC ID 15297 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent in order to perform a contract. CC ID 00139 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent for public economic interests. CC ID 00148 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 | Privacy protection for information and data | Data and Information Management | |
Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when it is needed by law. CC ID 00163 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [{refrain from destroying} A provider of information and communications services or similar shall, if any of the followings occurs, destroy the relevant personal information without delay so that such personal information cannot be recovered or reproduced: Provided, That the same shall not apply where it is required to preserve the personal information in accordance with any other Act: Article 29(1) The provider of information and communications services or similar shall, in an effort to protect personal information of the users who do not use information and communications services for a period of one year, "background-color:#B7D8ED;" class="term_primary-verb">take necessary " class="term_primary-noun">measures, such as destruction of personal information, as prescribed by Presidential Decree: Provided, That the period is otherwise provided either in accordance with other statue or at the request of the users, such provisions shall apply. The provider of information and communications services or similar shall, in an effort to protect personal information of the users who do not use information and communications services for a period of one year, take necessary measures, such as destruction of personal information, as prescribed by Presidential Decree: Provided, That the period is otherwise provided either in accordance with other statue or at the request of the users, such provisions shall apply. Article 29(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3) If a user withdraws his or her consent pursuant to paragraph (1), a provider of information and communications services, etc. shall immediately take necessary measures, such as the destruction of collected personal information in an irrecoverable or in unreproducible way. Article 30(3)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Capture personal data removal requests. CC ID 13507 [Where information provided through an information and communications network purposely to be made public intrudes on other persons' privacy, defames other persons, or violates other persons' right otherwise, the victim of such violation may request the provider of information and communications services who managed the information to delete the information or publish a rebuttable statement (hereinafter referred to as "deletion or rebuttal"), presenting explanatory materials supporting the alleged violation. Article 44-2(1)] | Privacy protection for information and data | Communicate | |
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [{violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)] | Privacy protection for information and data | Records Management | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Process or Activity | |
Dispose of personal data removal requests, as necessary. CC ID 13512 | Privacy protection for information and data | Business Processes | |
Limit the redisclosure and reuse of restricted data. CC ID 00168 | Privacy protection for information and data | Data and Information Management | |
Refrain from redisclosing or reusing restricted data. CC ID 00169 [A person who manages or has ever manages personal information of users shall not damage, intrude on, or disclosed personal information that he or she learned in the course of performing his or her duty. Article 28-2(1)] | Privacy protection for information and data | Data and Information Management | |
Document the redisclosing restricted data exceptions. CC ID 00170 | Privacy protection for information and data | Establish/Maintain Documentation | |
Redisclose restricted data when the data subject consents. CC ID 00171 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data in order to protect public revenue. CC ID 00173 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Privacy protection for information and data | Data and Information Management | |
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(1)(a) Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Ground that access authority is necessary. Article 22-2(1)(1)(b) {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(2)(a) {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Ground that access authority is necessary; Article 22-2(1)(2)(b) {stipulated timeframe} Notwithstanding paragraph (1), a person who intends to transmit advertising information for profit by using an electronic transmission medium during the time between 9:00 pm and 8:00 am of the following day shall obtain express prior consent from the addressee of such information: Provided, That in cases of media prescribed by Presidential Decree, the forgoing shall not apply thereto. Article 50(3)] | Privacy protection for information and data | Data and Information Management | |
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 [A provider of information and communications services or similar shall, if he or she desires to obtain consent of a child of less than 14 years on collection, use, furnishing, and other disposition of personal information, obtain consent from his or her legal representative. In such cases, the provider of information and communications services may demand the child to furnish minimum information, such as the legal representative's name, necessary to obtain consent from the legal representative. Article 31(1)] | Privacy protection for information and data | Data and Information Management | |
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Data and Information Management | |
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Data and Information Management | |
Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Behavior | |
Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Data and Information Management | |
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Data and Information Management | |
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Data and Information Management | |
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Data and Information Management | |
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Establish/Maintain Documentation | |
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Data and Information Management | |
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Data and Information Management | |
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Data and Information Management | |
Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Privacy protection for information and data | Establish/Maintain Documentation | |
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Data and Information Management | |
Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Data and Information Management | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Data and Information Management | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Data and Information Management | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Process or Activity | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Data and Information Management | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Data and Information Management | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Data and Information Management | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Data and Information Management | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [A provider of information and communications services shall inform interested persons, such as users to whom such services are provided, of the fact that he or she has taken rm_primary-noun">measures for imary-noun">refusal under paragraph (1) or (4): Provided, That where it is impracticable to inform them of the fact in advance, he or she shall inform them of the fact immediately after it has taken measures for refusal. A provider of information and communications services shall inform interested persons, such as users to whom such services are provided, of the fact that he or she has taken measures for refusal under paragraph (1) or (4): Provided, That where it is impracticable to inform them of the fact in advance, he or she shall inform them of the fact immediately after it has taken measures for refusal. Article 50-4(3)] | Privacy protection for information and data | Data and Information Management | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Communicate | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Data and Information Management | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Process or Activity | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Privacy protection for information and data | Data and Information Management | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Data and Information Management | |
Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Communicate | |
Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Data and Information Management | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Privacy protection for information and data | Communicate | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Data and Information Management | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Data and Information Management | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Data and Information Management | |
Provide data at a cost that is not excessive. CC ID 00430 | Privacy protection for information and data | Data and Information Management | |
Provide records or data in a reasonable manner. CC ID 00431 | Privacy protection for information and data | Data and Information Management | |
Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Data and Information Management | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Data and Information Management | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Data and Information Management | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Data and Information Management | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include cookie management in the privacy framework. CC ID 13809 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain cookie management procedures. CC ID 13810 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Establish/Maintain Documentation | |
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Privacy protection for information and data | Data and Information Management | |
Refrain from collecting personal data, as necessary. CC ID 15269 [{refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1) {refrain from collecting}{refrain from using} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Article 23-2(1)] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Establish/Maintain Documentation | |
Use personal data for specified purposes. CC ID 11831 | Privacy protection for information and data | Data and Information Management | |
Post the collection purpose. CC ID 00101 [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Article 22(1) {refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1)] | Privacy protection for information and data | Data and Information Management | |
Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide explicit consent that is clear and unambiguous. CC ID 00181 | Privacy protection for information and data | Data and Information Management | |
Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Privacy protection for information and data | Data and Information Management | |
Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of the source of collected personal data. CC ID 00083 | Privacy protection for information and data | Behavior | |
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Privacy protection for information and data | Data and Information Management | |
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Privacy protection for information and data | Data and Information Management | |
Establish and maintain a personal data definition. CC ID 00028 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's name in the personal data definition. CC ID 04710 | Privacy protection for information and data | Data and Information Management | |
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Privacy protection for information and data | Data and Information Management | |
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Privacy protection for information and data | Data and Information Management | |
Include an individual's signature in the personal data definition. CC ID 04711 | Privacy protection for information and data | Data and Information Management | |
Include an individual's date of birth in the personal data definition. CC ID 04770 | Privacy protection for information and data | Data and Information Management | |
Include the number of children in the personal data definition. CC ID 13759 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the individual's religion in the personal data definition. CC ID 13765 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Privacy protection for information and data | Data and Information Management | |
Include an individual's biometric data in the personal data definition. CC ID 04698 | Privacy protection for information and data | Data and Information Management | |
Include an individual's photographic image in the personal data definition. CC ID 04779 | Privacy protection for information and data | Data and Information Management | |
Include an individual's fingerprints in the personal data definition. CC ID 04689 | Privacy protection for information and data | Data and Information Management | |
Include an individual's address in the personal data definition. CC ID 04687 | Privacy protection for information and data | Data and Information Management | |
Include an individual's telephone number in the personal data definition. CC ID 04688 | Privacy protection for information and data | Data and Information Management | |
Include an individual's fax number in the personal data definition. CC ID 07120 | Privacy protection for information and data | Data and Information Management | |
Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's license plate number in the personal data definition. CC ID 13763 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's financial account number in the personal data definition. CC ID 04692 | Privacy protection for information and data | Data and Information Management | |
Include an individual's account balances in the personal data definition. CC ID 13770 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Privacy protection for information and data | Data and Information Management | |
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Privacy protection for information and data | Data and Information Management | |
Include an individual's logon credentials in the personal data definition. CC ID 13771 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Privacy protection for information and data | Data and Information Management | |
Include an individual's passport number in the personal data definition. CC ID 04713 | Privacy protection for information and data | Data and Information Management | |
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Privacy protection for information and data | Data and Information Management | |
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Privacy protection for information and data | Data and Information Management | |
Include an individual's military identification number in the personal data definition. CC ID 13083 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's e-mail address in the personal data definition. CC ID 04696 | Privacy protection for information and data | Data and Information Management | |
Include electronic signatures in the personal data definition. CC ID 04697 | Privacy protection for information and data | Data and Information Management | |
Include an individual's payment card information in the personal data definition. CC ID 04751 | Privacy protection for information and data | Data and Information Management | |
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Privacy protection for information and data | Data and Information Management | |
Include an individual's payment card service code in the personal data definition. CC ID 04753 | Privacy protection for information and data | Data and Information Management | |
Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Privacy protection for information and data | Data and Information Management | |
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Privacy protection for information and data | Data and Information Management | |
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Privacy protection for information and data | Data and Information Management | |
Include an individual's medical history in the personal data definition. CC ID 04701 | Privacy protection for information and data | Data and Information Management | |
Include an individual's medical treatment in the personal data definition. CC ID 04702 | Privacy protection for information and data | Data and Information Management | |
Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Privacy protection for information and data | Data and Information Management | |
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Privacy protection for information and data | Data and Information Management | |
Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Privacy protection for information and data | Data and Information Management | |
Include an individual's health insurance information in the personal data definition. CC ID 04705 | Privacy protection for information and data | Data and Information Management | |
Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Privacy protection for information and data | Data and Information Management | |
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Privacy protection for information and data | Data and Information Management | |
Include an individual's education information in the personal data definition. CC ID 04714 | Privacy protection for information and data | Data and Information Management | |
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Privacy protection for information and data | Data and Information Management | |
Include an individual's employment information in the personal data definition. CC ID 04715 | Privacy protection for information and data | Data and Information Management | |
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Privacy protection for information and data | Data and Information Management | |
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Privacy protection for information and data | Data and Information Management | |
Include an individual's employment history in the personal data definition. CC ID 04716 | Privacy protection for information and data | Data and Information Management | |
Include an individual's place of employment in the personal data definition. CC ID 04765 | Privacy protection for information and data | Data and Information Management | |
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Privacy protection for information and data | Data and Information Management | |
Include an individual's property information in the personal data definition. CC ID 04780 | Privacy protection for information and data | Data and Information Management | |
Include an individual's property title in the personal data definition. CC ID 04781 | Privacy protection for information and data | Data and Information Management | |
Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Privacy protection for information and data | Data and Information Management | |
Include hardware asset identification information in the personal data definition. CC ID 07123 | Privacy protection for information and data | Data and Information Management | |
Include MAC addresses in the personal data definition. CC ID 04778 | Privacy protection for information and data | Data and Information Management | |
Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Privacy protection for information and data | Data and Information Management | |
Include asset serial numbers in the personal data definition. CC ID 07124 | Privacy protection for information and data | Data and Information Management | |
Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Privacy protection for information and data | Data and Information Management | |
Refrain from including publicly available information in the personal data definition. CC ID 13084 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Data and Information Management | |
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Data and Information Management | |
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Privacy protection for information and data | Data and Information Management | |
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Privacy protection for information and data | Data and Information Management | |
Implement a nondiscrimination principle. CC ID 00081 | Privacy protection for information and data | Data and Information Management | |
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Privacy protection for information and data | Data and Information Management | |
Preserve each individual's right to human dignity. CC ID 00082 | Privacy protection for information and data | Data and Information Management | |
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Privacy protection for information and data | Data and Information Management | |
Employ a random number generator to create authenticators. CC ID 13782 | Privacy protection for information and data | Technical Security | |
Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Privacy protection for information and data | Data and Information Management | |
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Privacy protection for information and data | Data and Information Management | |
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Privacy protection for information and data | Data and Information Management | |
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Privacy protection for information and data | Behavior | |
Manage health data collection. CC ID 00050 | Privacy protection for information and data | Data and Information Management | |
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Privacy protection for information and data | Data and Information Management | |
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Privacy protection for information and data | Data and Information Management | |
Collect Individually Identifiable Health Information for research. CC ID 00054 | Privacy protection for information and data | Data and Information Management | |
Remove personal data before disclosing health data. CC ID 00055 | Privacy protection for information and data | Data and Information Management | |
Give special attention to collecting children's data. CC ID 00038 | Privacy protection for information and data | Data and Information Management | |
Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Behavior | |
Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 [A provider of information and communications services or similar shall, if he or she desires to obtain consent of a child of less than 14 years on collection, use, furnishing, and other disposition of personal information, obtain consent from his or her legal representative. In such cases, the provider of information and communications services may demand the child to furnish minimum information, such as the legal representative's name, necessary to obtain consent from the legal representative. Article 31(1)] | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Establish/Maintain Documentation | |
Collect personal data directly from the data subject. CC ID 00011 | Privacy protection for information and data | Data and Information Management | |
Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Privacy protection for information and data | Data and Information Management | |
Provide unlinkability for users and resources. CC ID 04550 | Privacy protection for information and data | Data and Information Management | |
Provide unobservability of users and resources. CC ID 04551 | Privacy protection for information and data | Technical Security | |
Collect restricted data in a fair and lawful manner. CC ID 00010 [{refrain from collecting} No one shall collect another person's information through an information and communications network by an act of deceit, nor shall entice another person by an act of deceit to furnish information. Article 49-2(1) Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the provider is designated as the identification service agency pursuant to Article 23-3; Article 23-2(1)(1) {relevant authority}Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the Korea Communications Commission makes a public announcement for the provider of information and communications services who inevitably collects/uses users' resident registration numbers for his or her business purposes. Article 23-2(1)(3)] | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If the personal information is necessary in fulfilling the contract for provision of information and communications services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason; Article 22(2)(1)] | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent for handling insurance claims. CC ID 13543 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Privacy protection for information and data | Data and Information Management | |
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If it is necessary in paying charges on the information and communication services rendered; Article 22(2)(2)] | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent from publicly available information. CC ID 00019 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent when needed by law. CC ID 00020 [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If a specific provision exists in this Act or any other Act otherwise. Article 22(2)(3) {refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1)] | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent to create a credit report. CC ID 15287 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Privacy protection for information and data | Data and Information Management | |
Collect the minimum amount of restricted data necessary. CC ID 00078 [{be necessary} Where a provider of information and communications services collects personal information of a user, he or she shall only collect personal information within the minimum scope necessary to provide information and communications services. Article 23(2)] | Privacy protection for information and data | Data and Information Management | |
Collect restricted data in a proper information framework. CC ID 00009 | Privacy protection for information and data | Data and Information Management | |
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data when required by law. CC ID 00031 [Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where collection/use of users' resident registration numbers is authorized by statutes; Article 23-2(1)(2)] | Privacy protection for information and data | Data and Information Management | |
Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data for legal purposes. CC ID 00036 | Privacy protection for information and data | Data and Information Management | |
Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Privacy protection for information and data | Communicate | |
Provide the data subject with the data collector's name and contact information. CC ID 00024 [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Methods of raising an objection and contact information. Article 58(1)(4)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Trade name and contact information of the other party (referring to a person who sells and/or provides goods/services in a transaction through telecommunications billing services; hereinafter referred to as "other party to a transaction"); Article 58(1)(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data handling policies. CC ID 00353 [{do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [{refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that divulges a secret classified by statutes or any other State secret; Article 44-7(1)(7) {do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1] | Privacy protection for information and data | Establish/Maintain Documentation | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Data and Information Management | |
Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Technical Security | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Data and Information Management | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Configuration | |
Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Configuration | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Configuration | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Technical Security | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Data and Information Management | |
Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Log Management | |
Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Log Management | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Technical Security | |
Implement security measures to protect personal data. CC ID 13606 [The persons manufacturing and providing a basic operating system (referring to an operating environment in which softwares installed in mobile devices can be run) of mobile devices, the manufacturers of mobile devices, and the persons manufacturing and providing a software for mobile devices shall take measures necessary for protecting users' information, such as devising methods for users to give or revoke consent to access authority where the provider of information and communications services intends to access the information stored and functions installed in mobile devices. Article 22-2(3) Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Other protective measures necessary for securing safety of personal information. Article 28(1)(6) A person who manages or has ever manages personal information of users shall not damage, intrude on, or disclosed personal information that he or she learned in the course of performing his or her duty. Article 28-2(1)] | Privacy protection for information and data | Technical Security | |
Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Testing | |
Limit data leakage. CC ID 00356 [{refrain from exposing} A provider, etc. of information and communications services shall ensure that users' personal information such as resident registration numbers, account numbers and credit cards information is not exposed to the public through information and communications networks. Article 32-3(1) The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Measures for preventing leakage of important information that providers of information and communications services have learned while managing the information. Article 51(3)(3) A provider of information and communications services, etc. shall prepare countermeasures against the leakages, etc. of personal information, and shall seek measures to minimize any damage thereof. Article 27-3(5)] | Privacy protection for information and data | Data and Information Management | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Business Processes | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Acquisition/Sale of Assets or Services | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Process or Activity | |
Include text about data ownership in the data handling policy. CC ID 15720 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain call metadata controls. CC ID 04790 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 | Privacy protection for information and data | Data and Information Management | |
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Data and Information Management | |
Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Data and Information Management | |
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Data and Information Management | |
Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain data handling procedures. CC ID 11756 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Data and Information Management | |
Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Business Processes | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain consent from an individual prior to transferring personal data. CC ID 06948 [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Article 24-2(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3) Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2) A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Article 25(1) {abroad}{refrain from obtaining} A provider, etc. of information and communications services shall obtain consent of the users in the case of intending to provide (including being inquired of), entrust management of, or deposit, such users' personal information, to overseas (hereafter referred to as "transfer" in this Article): Provided, That the said provider, etc. of information and communications services may not go through a procedure for consent to either entrustment of management, or deposit, of the relevant personal information where such transfer is necessary for implementing a contract on the provision of information and communications services and promoting the users' convenience, and such provider, etc. discloses all the matters referred to in each subparagraph of paragraph (3) pursuant to Article 27-2 (1) or informs such matters to the users in a manner prescribed by Presidential Decree, including by means of email. Article 63(2) {refrain from refusing} When the provider, etc. of information and communications services under Article 25 (1) is given the consent to furnishing user's information under paragraph (1) and to the entrustment of management of personal information under Article 25 (1), he or she shall obtain such consent apart from the consent to collection/use of personal information pursuant to Article 22, and shall not refuse to provide its service on the ground of a user's refusal of aforementioned consent. Article 24-2(3)] | Privacy protection for information and data | Data and Information Management | |
Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 | Privacy protection for information and data | Business Processes | |
Notify data subjects when their personal data is transferred. CC ID 00352 [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The fact that the personal information is to be transferred; Article 26(1)(1) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: A nation to which the personal information is to be transferred, the date and time, and methods of transfer; Article 63(3)(2) A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: A nation to which the personal information is to be transferred, the date and time, and methods of transfer; Article 63(3)(2)] | Privacy protection for information and data | Behavior | |
Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5) A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 [A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: A nation to which the personal information is to be transferred, the date and time, and methods of transfer; Article 63(3)(2)] | Privacy protection for information and data | Communicate | |
Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 [A provider of information and communications services or similar shall, when it transfers personal information to abroad with consent under paragraph (2), take protective measures, as prescribed by Presidential Decree. Article 63(4)] | Privacy protection for information and data | Data and Information Management | |
Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Privacy protection for information and data | Data and Information Management | |
Prohibit the transfer of personal data when security is inadequate. CC ID 00345 | Privacy protection for information and data | Data and Information Management | |
Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Privacy protection for information and data | Data and Information Management | |
Refrain from transferring past the first transfer. CC ID 00347 | Privacy protection for information and data | Data and Information Management | |
Document transfer disagreements by the data subject in writing. CC ID 00348 | Privacy protection for information and data | Establish/Maintain Documentation | |
Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Privacy protection for information and data | Data and Information Management | |
Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Privacy protection for information and data | Records Management | |
Follow the instructions of the data transferrer. CC ID 00334 | Privacy protection for information and data | Behavior | |
Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Privacy protection for information and data | Data and Information Management | |
Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Privacy protection for information and data | Data and Information Management | |
Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Privacy protection for information and data | Data and Information Management | |
Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Privacy protection for information and data | Data and Information Management | |
Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Privacy protection for information and data | Data and Information Management | |
Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Privacy protection for information and data | Data and Information Management | |
Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 [{abroad}{refrain from obtaining} A provider, etc. of information and communications services shall obtain consent of the users in the case of intending to provide (including being inquired of), entrust management of, or deposit, such users' personal information, to overseas (hereafter referred to as "transfer" in this Article): Provided, That the said provider, etc. of information and communications services may not go through a procedure for consent to either entrustment of management, or deposit, of the relevant personal information where such transfer is necessary for implementing a contract on the provision of information and communications services and promoting the users' convenience, and such provider, etc. discloses all the matters referred to in each subparagraph of paragraph (3) pursuant to Article 27-2 (1) or informs such matters to the users in a manner prescribed by Presidential Decree, including by means of email. Article 63(2)] | Privacy protection for information and data | Data and Information Management | |
Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Privacy protection for information and data | Data and Information Management | |
Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Privacy protection for information and data | Data and Information Management | |
Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 | Privacy protection for information and data | Business Processes | |
Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Privacy protection for information and data | Data and Information Management | |
Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Privacy protection for information and data | Data and Information Management | |
Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 | Privacy protection for information and data | Communicate | |
Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Privacy protection for information and data | Behavior | |
Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 | Privacy protection for information and data | Data and Information Management | |
Obtain consent prior to downloading software to an individual's computer. CC ID 06951 [A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1] | Privacy protection for information and data | Data and Information Management | |
Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 | Privacy protection for information and data | Process or Activity | |
Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 | Privacy protection for information and data | Process or Activity | |
Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 | Privacy protection for information and data | Process or Activity | |
Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a privacy impact assessment. CC ID 13712 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include how to grant consent in the privacy impact assessment. CC ID 15519 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include data handling procedures in the privacy impact assessment. CC ID 15516 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the intended use of information in the privacy impact assessment. CC ID 15515 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Privacy protection for information and data | Business Processes | |
Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Privacy protection for information and data | Communicate | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 [The operator or the manager of the Internet website may take measures, such as deletion of advertising information for profit posted, in violation of paragraph (1) or (2). Article 50-7(3) A provider of information and communications services may, if it finds that information circulated through the information and communications network operated and managed by him or her intrudes on someone's privacy, defames someone, or violates someone's rights, take temporary measures at its discretion. Article 44-3(1)] | Privacy protection for information and data | Data and Information Management | |
Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Privacy protection for information and data | Behavior | |
Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Privacy protection for information and data | Business Processes | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [Every provider of telecommunications billing services may install and operate an institution or organization that voluntary resolves disputes to protect rights and interests of users. Article 59(1) A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5) {violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document unresolved challenges. CC ID 13568 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify individuals of their right to challenge personal data. CC ID 00457 [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Methods of raising an objection and contact information. Article 58(1)(4)] | Privacy protection for information and data | Data and Information Management | |
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Privacy protection for information and data | Data and Information Management | |
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Privacy protection for information and data | Configuration | |
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Privacy protection for information and data | Human Resources Management | |
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Privacy protection for information and data | Data and Information Management | |
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Privacy protection for information and data | Communicate | |
Investigate the disputed accuracy of personal data. CC ID 00461 | Privacy protection for information and data | Data and Information Management | |
Notify third parties of unresolved challenges. CC ID 13559 | Privacy protection for information and data | Communicate | |
Document disagreements as to whether personal data is complete and accurate. CC ID 06952 [Where information provided through an information and communications network purposely to be made public intrudes on other persons' privacy, defames other persons, or violates other persons' right otherwise, the victim of such violation may request the provider of information and communications services who managed the information to delete the information or publish a rebuttable statement (hereinafter referred to as "deletion or rebuttal"), presenting explanatory materials supporting the alleged violation. Article 44-2(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the allegations against the organization in the notice of investigation. CC ID 13031 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [{relevant authority} If parties fail to or are unable to reach an agreement on compensation for damages under paragraph (2), either party may file an application for decision with the Korea Communications Commission. Article 60(3)] | Privacy protection for information and data | Behavior | |
Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Privacy protection for information and data | Behavior | |
Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Privacy protection for information and data | Behavior | |
Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Privacy protection for information and data | Behavior | |
Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Privacy protection for information and data | Behavior | |
Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Privacy protection for information and data | Behavior | |
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Privacy protection for information and data | Behavior | |
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Privacy protection for information and data | Behavior | |
Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Privacy protection for information and data | Behavior | |
Define the organization's liability based on the applicable law. CC ID 00504 [If the trustee violates any provision of this Chapter in connection with the business affairs related to the entrustment of management of personal information and inflicts damages upon a user, the trustee shall be deemed an employee of the provider of information and communications services or similar in determining liability for such damages. Article 25(5) A provider of information and communications services may, if he or she takes necessary measures under paragraph (2) for the informations circulated through the information and communications network operated and managed by it, have its liability for damages caused by such informations mitigated or discharged. Article 44-2(6) A provider of telecommunications billing services shall be liable for damages caused to a user of the telecommunications billing services while rendering the services: Provided, That the same shall not apply in cases where the damages were caused by an intentional act or gross negligence on the part of the user of the telecommunications billing services. Article 60(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the appeal process based on the applicable law. CC ID 00506 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Process or Activity | |
Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Process or Activity | |
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Privacy protection for information and data | Communicate | |
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Privacy protection for information and data | Communicate | |
Provide notice of proposed penalties. CC ID 06216 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify the public and other agencies after a penalty becomes final. CC ID 06217 | Privacy protection for information and data | Behavior | |
Establish, implement, and maintain an anti-spam policy. CC ID 00283 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from sending unsolicited commercial electronic messages under predetermined conditions. CC ID 13993 [{refrain from taking}No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to automatically register telephone numbers or email addresses for the purpose of transmitting advertising information for profit; Article 50(5)(3) {refrain from posting} Notwithstanding paragraph (1), where the operator or the manager of an Internet website explicitly expresses his or her intention to refuse to post a notice or to revoke his or her prior consent, no person who intends to post advertising information for profit shall post advertising information for profit. Article 50-7(2)] | Privacy protection for information and data | Communicate | |
Include contact information in commercial electronic messages. CC ID 15457 [A person who transmits advertising information for profit by using an electronic transmission medium shall specify the following matters in advertising information, as prescribed by Presidential Decree: The name and contact details of a sender; Article 50(4)(1)] | Privacy protection for information and data | Business Processes | |
Refrain from using misleading subject lines or false subject line on unsolicited commercial electronic messages. CC ID 00294 [{refrain from taking}No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Various measures to hide the identity of the sender of advertising information or the source from which advertising is transmitted; Article 50(5)(4) {refrain from taking}No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Various measures to induce an addressee to reply by deceiving him or her for the purpose of transmitting advertising information for profit. Article 50(5)(5)] | Privacy protection for information and data | Behavior | |
Refrain from using address-harvesting software to send unsolicited commercial e-mails. CC ID 00298 [{refrain from taking}No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to automatically generate an addressee's contact information, such as telephone numbers and email addresses, by combining figures, codes, or letters; Article 50(5)(2)] | Privacy protection for information and data | Behavior | |
Include that commercial electronic messages may be sent to an individual in any situation where the sender has prior consent from the individual or another existing business relationship in the anti-spam policy. CC ID 00300 | Privacy protection for information and data | Establish/Maintain Documentation | |
Send commercial electronic messages to individuals who have consented to receive them. CC ID 00302 [If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Article 50(1)] | Privacy protection for information and data | Behavior | |
Send commercial electronic messages to individuals who have an existing relationship with the organization. CC ID 00301 [{refrain from obtaining}If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Where a person who has directly collected contact details from the addressee in his or her dealings of goods, etc. intends to transmit advertising information for profit on the same kinds of goods, etc. as those he or she manages and has dealt with the addressee within a period prescribed by Presidential Decree; Article 50(1)(1) {refrain from obtaining} Where any person intends to post advertising information for profit on an Internet website, he or she shall obtain prior consent from the operator or the manager of an Internet website: Provided, That in cases of a message board to which any person can have easy access without special authority and on which any person can post his or her message, he or she need not obtain prior consent. Article 50-7(1)] | Privacy protection for information and data | Behavior | |
Give customers the opportunity to object to receiving commercial electronic messages. CC ID 00304 [A person who transmits advertising information for profit by using an electronic transmission medium shall specify the following matters in advertising information, as prescribed by Presidential Decree: Matters concerning measures and methods by which an addressee can easily express his or her intention to refuse to receive information or to revoke his or her consent to receive information. Article 50(4)(2)] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 [A person who has commissioned a third party to transmit advertising information for profit on his or her behalf shall control and oversee the person to whom the transmission was commissioned to ensure that the person does not violate Article 50. Article 50-3(1) A provider of information and communications services or similar shall control, supervise and educate the trustee to ensure that the trustee does not violate any provision of this Chapter. Article 25(4)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [A provider of information and communications services may take measures to refuse rendering corresponding services in any of the following cases: If transmission or reception of advertising information hinders or is likely to hinder rendering the services; Article 50-4(1)(1) Any provider of information and communications services or similar shall not conclude an international contract with any term or condition in violation of this Act with respect to personal information of users. Article 63(1) {relevant authority} Every provider of telecommunications billing services shall prepare a standard contract form on telecommunications billing services and report it to the Minister of Science, ICT and Future Planning (including reporting on a revision thereto). Article 56(1)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document and maintain supply chain processes. CC ID 08816 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain an exit plan. CC ID 15492 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Test the exit plan, as necessary. CC ID 15495 | Third Party and supply chain oversight | Testing | |
Include contingency plans in the third party management plan. CC ID 10030 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 | Third Party and supply chain oversight | Systems Continuity | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Third Party and supply chain oversight | Business Processes | |
Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in third party contracts. CC ID 13487 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include change control notification processes in third party contracts. CC ID 06524 [When a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) amends any of the contractual terms and conditions, he or she shall notify users of the amendment thereof one month prior to the effective date of the amended contractual terms and conditions. In such cases, a user who has an objection to the amended contractual terms and conditions may terminate the contract for telecommunications billing services. Article 58(6)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a dispute resolution clause in third party contracts. CC ID 06519 [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 [A transferee of business or similar may use or furnish personal information only within the scope of purposes originally defined for which any provider of information and communications services or similar uses or furnishes the personal information of users: Provided, That the same shall not apply where he or she separately obtains consent from users. Article 26(3) A provider of information and communications services or similar shall, when he or she entrusts the management of personal information to a third party, define the scope of purposes, in advance, within which the trustee is allowed to manage personal information of users, and the trustee shall not manage the personal information of users beyond the scope of purposes. Article 25(3)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 [A provider of telecommunications billing services shall provide users of telecommunications billing services with a method by which users can verify the details of purchase and use, and shall also furnish a user, upon request, with a written statement on the details of purchase and use (including an electronic document; hereinafter the same shall apply) within two weeks from the date requested. Article 58(2)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include disclosure requirements in third party contracts. CC ID 08825 | Third Party and supply chain oversight | Business Processes | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Communicate | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document supply chain transactions in the supply chain management program. CC ID 08857 | Third Party and supply chain oversight | Business Processes | |
Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Third Party and supply chain oversight | Physical and Environmental Protection | |
Establish, implement, and maintain Operational Level Agreements. CC ID 13637 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include technical processes in operational level agreements, as necessary. CC ID 13639 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Third Party and supply chain oversight | Process or Activity | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Third Party and supply chain oversight | Establish Roles | |
Categorize all suppliers in the supply chain management program. CC ID 00792 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include risk management procedures in the supply chain management policy. CC ID 08811 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 | Third Party and supply chain oversight | Business Processes | |
Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Third Party and supply chain oversight | Business Processes | |
Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 | Third Party and supply chain oversight | Business Processes | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Third Party and supply chain oversight | Human Resources Management | |
Include supplier assessment principles in the supply chain management policy. CC ID 08809 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the third party selection process in the supply chain management policy. CC ID 13132 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Select suppliers based on their qualifications. CC ID 00795 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a clear management process in the supply chain management policy. CC ID 08810 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Third Party and supply chain oversight | Communicate | |
Require suppliers to commit to the supply chain management policy. CC ID 08813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Support third parties in building their capabilities. CC ID 08814 | Third Party and supply chain oversight | Business Processes | |
Implement measurable improvement plans with all third parties. CC ID 08815 | Third Party and supply chain oversight | Business Processes | |
Post a list of compliant third parties on the organization's website. CC ID 08817 | Third Party and supply chain oversight | Business Processes | |
Use third parties that are compliant with the applicable requirements. CC ID 08818 | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include all in scope materials in the conflict minerals policy. CC ID 08945 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Third Party and supply chain oversight | Data and Information Management | |
Establish and maintain a conflict materials report. CC ID 08823 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Identify supply sources for secondary materials. CC ID 08822 | Third Party and supply chain oversight | Business Processes | |
Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the organization approving subcontractors in the outsourcing contract. CC ID 13131 [{business affair}{personal information} A trustee may re-entrust a third party with affairs entrusted pursuant to paragraph (1) only where the trustee obtains consent from the provider, etc. of information and communications services. Article 25(7)] | Third Party and supply chain oversight | Establish/Maintain Documentation |